[Med-privacy] Ruling Limits Prosecutions of People Who Violate Law on Privacy of Medical records

[Peter Marshall]

The New York Times
June 7, 2005
Ruling Limits Prosecutions of People Who Violate Law on Privacy of 
Medical
Records
By ROBERT PEAR

WASHINGTON, June 6 - An authoritative new ruling by the Justice 
Department
sharply limits the government's ability to prosecute people for criminal
violations of the law that protects the privacy of medical records.

The criminal penalties, the department said, apply to insurers, doctors,
hospitals and other providers - but not necessarily their employees or
outsiders who steal personal health data.

In short, the department said, people who work for an entity covered by
the federal privacy law are not automatically covered by that law and 
may
not be subject to its criminal penalties, which include a $250,000 fine
and 10 years in prison for the most serious violations.

The reasoning is that federal regulations establish the standards for
medical privacy. The regulations apply just to "covered entities,"
including insurers and health care providers. Thus, only covered 
entities
can be prosecuted for criminal violations of the law.

This interpretation is set forth in an opinion written by the office of
legal counsel at the Justice Department. The opinion, dated June 1, is
binding on the executive branch of the federal government, but not on
judges. It was prepared over the last 16 months to answer questions from
the criminal division of the Justice Department and the Health and Human
Services Department.

The ruling was a surprise to many lawyers. Robert M. Gellman, an expert 
on
privacy and information policy, said, "Under this decision, a tremendous
amount of conduct that is clearly wrong will fall outside the criminal
penalties of the statute," the Health Insurance Portability and
Accountability Act of 1996.

If a hospital sells a list of patients' names to a firm for marketing
purposes, the hospital can be held criminally liable, Mr. Gellman said.
But if a hospital clerk does the same thing, in defiance of hospital
policy, the clerk cannot be prosecuted under the 1996 law, because the
clerk is not a "covered entity."

In December 2000, President Bill Clinton issued sweeping privacy 
standards
that affected virtually every part of the health care system. President
Bush allowed the rules to take effect with some changes.

The government has received more than 13,000 complaints of violations of
the privacy standards in the last two years. The government has not
imposed any civil fines, but it has secured one criminal conviction. A
Seattle man pleaded guilty last August to wrongful disclosure of 
personal
health information.

The man, Richard W. Gibson, admitted that he had improperly obtained a
patient's name, birth date and Social Security account number while
working for a consortium of cancer hospitals. Mr. Gibson used the
information to obtain four credit cards in the patient's name. Using the
cards, Mr. Gibson bought more than $9,000 worth of video games, jewelry,
porcelain figurines, groceries, gasoline and other items for his use.

He was sentenced to 16 months in prison.

The new Justice Department opinion appears to contradict the legal 
theory
under which Mr. Gibson was prosecuted.

When informed of the new opinion, Gregory L. Ursich, a lawyer for the
patient whose rights were violated, said Monday, "This is a very bizarre
interpretation of the statute."

The patient, Eric R. Drew, 37, who has gone through two years of
chemotherapy and radiation treatments for leukemia, said: "I worry that
Gibson might use the Justice Department opinion to overturn his
conviction. If he succeeds, that would set a terrible precedent."

Emily Langlie, a spokeswoman for the United States attorney in Seattle,
said, "We are waiting to see if there will be any further court action."

Peter P. Swire, a law professor at Ohio State University in Columbus, 
who
was chief counselor for privacy in Mr. Clinton's White House, said, "The
Justice Department's interpretation is different from what lawyers have
been telling their clients, and different from what the government 
itself
said in the first criminal prosecution last year."

A spokesman for the Justice Department, Eric W. Holland, refused to 
answer
questions about the opinion, which was signed by Steven G. Bradbury,
principal deputy assistant attorney general in charge of the office of
legal counsel.

Richard M. Campanelli, director of the civil rights office at the
Department of Health and Human Services, is responsible for enforcing 
the
privacy rules. Asked whether he had read the legal opinion, Mr. 
Campanelli
said, "I don't want to comment on that because the opinion has not been
officially released."

The Justice Department said people who could not be prosecuted under the
1996 privacy law might be penalized under state laws or other federal
laws, including those that deal with identity theft and the fraudulent 
use
of computers. In addition, the department said, patients may file civil
suits to recover damages from people who improperly use or disclose 
their
medical records.

Mr. Bush has repeatedly advocated greater use of health information
technology, with a "goal of assuring that most Americans have electronic
health records within 10 years." But, Mr. Gellman said, the Justice
Department opinion "makes it more difficult for the government to 
protect
patients against misuse of their records."

Under "general principles of corporate criminal liability," the Justice
Department said, a company can sometimes be held responsible for the
conduct of its employees if they are acting "within the scope of their
employment" and on behalf of the company.

But virtually all hospitals, nursing homes, pharmacies and doctors'
offices have adopted privacy policies. So they can argue that employees
who misuse confidential health data are violating those policies.

     * Copyright 2005 The New York Times Company