DOJ Says HIPAA Criminal Liability Limited to Covered Entities
Client Alert | 2 min read | 06.10.05
By Ben Butler
The U.S. Department of Justice (“DOJ”) has indicated that criminal prosecution under the privacy-related provisions of the Health Insurance Portability and Accountability Act, P.L. 104-191 (“HIPAA”), will be limited to “covered entities”. In light of this narrowing scope, hospitals, health plans, and other covered entities must be particularly vigilant about maintaining compliance with HIPAA privacy, security, and transactions requirements so that they are not themselves prosecuted under remaining theories of liability, such as agency theory or conspiracy. Also, despite the impression that DOJ's determination could give, DOJ says that senior corporate officials could still be criminally liable for a “covered entity's” misconduct in an egregious case.
In a June 1, 2005 memorandum issued by DOJ's Office of Legal Counsel, DOJ concludes that non-covered entities cannot violate the administrative simplification provisions of HIPAA (specifically, the United States Code, Title 42, Chapter 7, Subchapter XI, Part C) because these provisions “simply do[] not apply to them.” Under HIPAA, “covered entities” include health plans, health care clearinghouses, health care providers who transmit health information in electronic form in connection with a HIPAA-covered transaction, and Medicare prescription drug card sponsors.
The position taken by the DOJ appears to contradict the theory underlying the only criminal conviction to date, that of Richard Gibson, a Seattle cancer center employee, who pled guilty to violating HIPAA and was later sentenced to 16 months in prison. As indicated in the summary, at the time of the conviction, the theory of the case appeared questionable given the language of the HIPAA statute. DOJ's Office of Legal Counsel now appears to have reached the same conclusion.
By narrowing the focus of possible criminal prosecution under HIPAA, DOJ has arguably “raised the stakes” for covered entities, who now may be the only remaining targets in some situations. If, as in the Gibson case, an individual employee engages in wrongful conduct involving protected health information, it will be critically important for a covered entity to be able to demonstrate that the employee was not acting in the scope of his or her employment. To this end, covered entities should be sure to take sufficient HIPAA compliance measures, such as ongoing training and awareness, active enforcement of internal sanctions where appropriate, and maintenance of up-to-date policies and procedures.
Failure to take these measures may open the covered entity up to possible investigation under a theory of agency (i.e., the employee was acting on behalf of the covered entity or with its knowledge) or conspiracy. Moreover, DOJ states that the criminal liability of a covered entity may even extend, in limited circumstances, “to individuals in managerial roles, including, at times, to individuals with no direct involvement in the offense . . . . [I]t may be that such individuals in particular cases may be prosecuted directly” under HIPAA.
Although federal enforcement of HIPAA to date has been limited, in the event of a high-profile misuse of patient information – as occurred in the Gibson case – prosecutors will want to ensure that someone is held responsible. Health plans, hospitals, and other covered entities must take the necessary measures to minimize exposure.