[Med-privacy] Justice Department Limits Prosecution Under HIPAA

[Jeff Williams]

All,

Press Release: Justice Department Limits Prosecution Under HIPAA

By David V. Marshall (with assistance from Rebecca L. Williams)

SEATTLE, WA USA -- HEALTHCARE UPDATE NEWS SERVICE(TM) -- JULY 1, 2005:
The U.S. Department of Justice (DOJ) recently issued an internal opinion
limiting DOJ criminal prosecutions under the federal health privacy law,
the Health Insurance Portability and Accountability Act (HIPAA). The DOJ
Opinion was leaked to the Internet, see
http://www.worldprivacyforum.org/pdf/hipaa_opinion_06_01_2005.pdf.

In sum, the DOJ Opinion limits prosecutions to:

  -- "covered entities," that is, health care providers, health plans
(e.g., insurers), health care clearinghouses, and sponsors of Medicare
prescription drug cards;
  -- certain directors, officers, and employees of such covered entities
who may be criminally liable "directly" "in accordance with general
principles of corporate criminal liability" (little explained in the DOJ
opinion); and
  -- those third parties who cause, aid or abet, counsel, command,
induce, procure, or conspire with, a covered entity to act (through
employee conduct imputed to the entity in certain circumstances) in
violation of HIPAA, liable under "principles of aiding and abetting
liability and of conspiracy . . . ."

The DOJ Opinion leaves much unsaid. Although federal prosecutors likely
will act with caution in applying its guidance, prosecutors retain the
ability to prosecute parties outside of covered entities, depending on
the applicable facts.

BACKGROUND
HIPAA's privacy regulations, in part, require "covered entities" to
safeguard protected health information (PHI) and restrict uses and
disclosures of PHI. PHI generally is individually identifiable health
information, including "demographic information," such as a patient's
name, date of birth, and social security number or a provider's patient
list. Under HIPAA, a "person who knowingly and in violation" of the
"Administrative Simplification" provisions of HIPAA, "uses or causes to
be used a unique health identifier," "obtains individually identifiable
health information relating to an individual," or "discloses
individually identifiable health information to another person" may:

      (1) be fined not more than $50,000, imprisoned not more than one
year, or both;
      (2) if the offense is committed under false pretenses, be fined
not more than $100,000, imprisoned not more than five years, or both;
and
      (3) if the offense is committed with intent to sell, transfer, or
use individually identifiable health information for commercial
advantage, personal gain, or malicious harm, be fined not more than
$250,000, imprisoned not more than 10 years, or both.

HIPAA thus created three new health care privacy related crimes:

  -- a federal misdemeanor for "knowing" violations of the
administrative simplification provisions; the DOJ Opinion says this
crime "requires only proof of knowledge of the facts that constitute the
offense" not "proof of knowledge that the conduct was contrary" to law;
  -- a five year felony if a knowing violation involved false pretenses
(such as misrepresentation of identity); and
  -- a 10 year felony if a knowing violation involved intent to transfer
or use PHI for gain or to cause harm.

United States v. Gibson, resolved by plea agreement in Seattle,
Washington in late 2004, has been the only HIPAA privacy prosecution so
far. Mr. Gibson was employed at a Seattle cancer center, and he obtained
"demographic" health information for a cancer patient treated at his
employer's facility. Thereafter, Gibson obtained credit cards in the
patient's name, used for cash advances and items worth more than $9,000.
He was sentenced to 16 months in jail.

DOJ JUNE 1, 2005 OPINION
According to the DOJ Opinion, DOJ was asked by the HHS General Counsel:

whether the only persons who may be directly liable under section
1320d-6 [the "HIPAA privacy crimes"] are those persons to whom the
substantive requirements of [HIPAA apply, i.e., covered entities] or
whether this provision may also render directly liable other persons,
particularly those who obtain protected health information in a manner
that causes a person to whom the substantive requirements of the
subtitle apply to release the information in violation of that law.

In response, DOJ opined that the parties "directly" liable included the
"covered entities" and, "depending on the facts of a given case," in
addition:

certain directors, officers, and employees of these entities may be
liable directly..., in accordance with general principles of corporate
criminal liability, as these principles are developed in the course of
particular prosecutions. Other persons may not be liable directly under
this provision. The liability of persons for conduct that may not be
prosecuted directly...will be determined by principles of aiding and
abetting liability and of conspiracy liability.

The DOJ Opinion stressed that:

an analysis of liability under section 1320d-6 must begin with covered
entities, the only persons to whom the standards apply. If the covered
entity is not an individual, general principles of corporate criminal
liability will determine the entity's liability and that of individuals
within the entity, including directors, officers and employees. Finally,
certain conduct of these individuals and that of other persons outside
the covered entity, including of recipients of protected information,
may be prosecuted in accordance with principles of aiding and abetting
liability and of conspiracy liability. (Emphasis added.)

The DOJ Opinion concluded:

When the covered entity is not an individual, principles of corporate
criminal liability will determine the entity's liability and the
potential liability of particular individuals who act for the entity. .
. . [T]he conduct of an entity's agents may be imputed to the entity
when the agents act within the scope of their employment, and the
criminal intent of agents may be imputed to the entity when the agents
act on its behalf. See Kathleen F. Brickley [sic, Brickey], Corporate
Criminal Liability §§ 3-4 (2d ed. 1992) [hereafter, "Brickey"]. In
addition, we recognize that, at least in limited circumstances, the
criminal liability of the entity has been attributed to individuals in
managerial roles . . .

The DOJ Opinion declined to discuss further these general corporate and
aiding and abetting liability principles, noting the law varies in
different jurisdictions and will be applied on a case by case basis.

PRINCIPLES OF CORPORATE CRIMINAL LIABILITY
Professor Brickey's analysis of these general corporate liability issues
provides some guidance. She notes that:

in the context of corporate criminal prosecutions, "within the scope of
employment" is a term of art signifying little more than that the
employee's crime must be committed in connection with his performance of
some job-related activity . . .

Professor Brickey also has observed that the "clear weight of federal
authority" holds a corporation bound by the acts of its agent even
though the agent acts contrary to actual instructions or policy.

According to Professor Brickey, it is accepted doctrine that an agent
"must intend to benefit the corporation if the entity is to share
responsibility," with the agent intending to produce "some benefit to
[the] corporation or some benefit to himself and secondarily to [the]
corporation." Following this analysis, for obvious reasons, it's easier
to find intent to benefit an entity if the individual involved is the
entity's owner.

Where a "rogue" employee acts with no intent to benefit a covered
entity, and solely for personal gain, it will be harder for prosecutors
to show a covered entity was "in violation of HIPAA," an element of the
crime according to the DOJ Opinion.

The DOJ Opinion states "certain directors, officers, and employees of
these [covered] entities may be liable directly under" HIPAA "depending
on the facts of a given case." Again, the DOJ Opinion contains little
explanation, but references Brickey. Professor Brickey's treatise says
there is liability for corporate entity managers and employees for
offenses committed by the corporate entity, including:

      (1) liability for "direct" participants, whose conduct results in
entity liability;
      (2) liability for managers with duties to control illegal conduct
based on responsibilities within the organization (now called
"responsible corporate officers" under the Supreme Court cases); and
      (3) liability under the federal aiding, abetting and causation
statute

The aiding and abetting statute provides:

      (a) Whoever commits an offense against the United States or aids,
abets, counsels, commands, induces or procures its commission, is
punishable as a principal.
      (b) Whoever willfully causes an act to be done which if directly
performed by him or another would be an offense against the United
States, is punishable as a principal. (Emphasis added.)

Professor Brickey's treatise has observed, now particularly relevant to
this recent DOJ Opinion and its interpretation of HIPAA, that:

the legislative history [of the aiding and abetting statute] . . .
contains an explicit statement of congressional purpose "to clarify and
make certain the intent to punish aiders and abettors regardless of the
fact that they may be incapable of committing the specific violation
which they are charged to have aided and abetted."

The court in U.S. v. Scannapieco (a 5th Circuit case) reached the same
conclusion. Scannapieco upheld the conviction of a firearms dealer's
salesman under the aiding and abetting statute for causing a violation
of a statute that prohibits a dealer from selling and delivering
firearms to a buyer while knowing the buyer does not reside in the state
of the sale, despite the fact the dealer was not present at the time of
the illegal sales and not convicted of the sales. In Scannapieco, the
court held the aiding and abetting statute permits conviction as a
"causer" even though the accused was himself not capable of committing
the act forbidden by federal statute (he was not a dealer and the
statute prohibited only acts by a dealer).

Professor Brickey's treatise noted that "an aider and abettor may be
held accountable as a principal even though the perpetrator has not
first been tried and convicted or even identified, so long as the
government proves the crime was actually committed." In other words, DOJ
prosecutors may charge that an employee caused an entity to act "in
violation of" HIPAA and that the employee is therefore liable, without
charging the entity.

Finally, the DOJ Opinion states that the "conspiracy statute prescribes
punishment "if two or more persons conspire . . .to commit any offense
against the United States . . . and one or more of such persons do any
act to effect the object of the conspiracy." Federal conspiracy
liability is broad, and poses risk to third parties who affiliate with
covered entity employees who "cause" an entity to violate HIPAA.

CONCLUSION
Analysis of the risk of criminal prosecution under HIPAA has become very
fact specific. Federal prosecutors may conclude there is no employee or
third-party liability without a nexus between the particular individual
and a covered entity acting "in violation of" HIPAA's privacy standards.
Where there is a nexus with a covered entity, where protected records
came from a provider and the third party dealt directly with a health
care provider through one of its employees, then there is greater risk a
prosecutor might bring a case. Arguably, based on the corporate
liability doctrines referenced in the DOJ Opinion, such a prosecution
should fail absent proof the employee acted with some intent to benefit
the employer entity.

Because the DOJ Opinion left to the DOJ Criminal Division and local U.S.
Attorneys application of the DOJ Opinion to real world cases, we will
have to await those cases to know for certain how line-level prosecutors
will follow the DOJ guidance.

CONTACTS
David V. Marshall
Bellevue, WA
(425) 646-6100
DavidMarshall@dwt.com

Rebecca L. Williams, RN, JD
Seattle, Washington
(206) 628-7769
BeckyWilliams@dwt.com

Bellevue - David V. Marshall, davidmarshall@dwt.com
San Francisco - Paul Smith, paulsmith@dwt.com
Seattle - Rebecca L. Williams, RN, JD, beckywilliams@dwt.com
Los Angeles - Thomas Jeffry, thomasjeffry@dwt.com

FOR E-MAIL ADDRESS CHANGE, ADD OR DELETE REQUESTS:
For changes or additions, please email your request to:
listmgr@HealthcareUpdateNewsService.com.

Davis Wright Tremaine | 2600 Century Square | 1501 Fourth Avenue |
Seattle | WA | 98101

This email was sent to jwkckid1@ix.netcom.com,
by Healthcare Update News Service.

Update your profile
http://ui.constantcontact.com/roving/d.jsp?p=oo&t=1100972992287&m=1011106855444&ea=jwkckid1%40ix.netcom.com

Instant removal with SafeUnsubscribe(TM)
http://ui.constantcontact.com/roving/d.jsp?p=un&t=1100972992287&m=1011106855444&ea=jwkckid1%40ix.netcom.com

Privacy Policy:
http://ui.constantcontact.com/roving/CCPrivacyPolicy.jsp


--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Be precise in the use of words and expect precision from others" -
    Pierre Abelard

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
E-Mail jwkckid1@ix.netcom.com
 Registered Email addr with the USPS
Contact Number: 214-244-4827