HIPAA Advisory Bulletin
Justice Department Limits Prosecution
Under HIPAA
By David
V. Marshall (with assistance from Rebecca
L. Williams)
[June 2005]
The U.S. Department of Justice (DOJ) recently issued
an internal opinion limiting DOJ criminal prosecutions under the
federal health privacy law, the Health Insurance Portability and
Accountability Act (HIPAA). The DOJ Opinion was leaked to the Internet,
see http://www.worldprivacyforum.org/pdf/hipaa_opinion_06_01_2005.pdf.
In sum, the DOJ Opinion limits prosecutions to:
- “covered entities,” that is, health care providers,
health plans (insurers), health care clearinghouses, and sponsors
of Medicare prescription drug cards;
- certain directors, officers, and employees of such covered entities
who may be criminally liable “directly” “in
accordance with general principles of corporate criminal liability”
(little explained in the DOJ opinion); and
- those third parties who cause, aid or abet, counsel, command,
induce, procure, or conspire with, a covered entity to act (through
employee conduct imputed to the entity in certain circumstances)
in violation of HIPAA, liable under “principles of aiding
and abetting liability and of conspiracy . . . .”
The DOJ Opinion leaves much unsaid. Although federal
prosecutors likely will act with caution in applying its guidance,
prosecutors retain the ability to prosecute parties outside of covered
entities, depending on the applicable facts.
Background
HIPAA’s privacy regulations, in part, require
“covered entities” to safeguard protected health information
(PHI) and restrict uses and disclosures of PHI. PHI generally is
individually identifiable health information, including “demographic
information,” such as a patient’s name, date of birth,
and social security number or a provider's patient list. Under HIPAA,
a “person who knowingly and in violation” of the “Administrative
Simplification” provisions of HIPAA, “uses or causes
to be used a unique health identifier,” “obtains individually
identifiable health information relating to an individual,”
or “discloses individually identifiable health information
to another person” may:
(1) be fined not more than $50,000, imprisoned not
more than one year, or both;
(2) if the offense is committed under false pretenses, be fined
not more than $100,000, imprisoned not more than five years, or
both; and
(3) if the offense is committed with intent to sell, transfer,
or use individually identifiable health information for commercial
advantage, personal gain, or malicious harm, be fined not more
than $250,000, imprisoned not more than 10 years, or both.
HIPAA thus created three new health care privacy
related crimes:
- a federal misdemeanor for “knowing” violations of
the administrative simplification provisions; the DOJ Opinion
says this crime “requires only proof of knowledge of the
facts that constitute the offense” not “proof of knowledge
that the conduct was contrary” to law;
- a five year felony if a knowing violation involved false pretenses
(such as misrepresentation of identity); and
- a 10 year felony if a knowing violation involved intent to transfer
or use PHI for gain or to cause harm.
United States v. Gibson, resolved by plea
agreement in Seattle, Washington in late 2004, has been the only
HIPAA privacy prosecution so far. Mr. Gibson was employed at a Seattle
cancer center, and he obtained “demographic” health
information for a cancer patient treated at his employer’s
facility. Thereafter, Gibson obtained credit cards in the patient's
name, used for cash advances and items worth more than $9,000. He
was sentenced to 16 months in jail.
DOJ June 1, 2005 Opinion
According to the DOJ Opinion, DOJ was asked by the
HHS General Counsel:
whether the only persons who may be directly liable
under section 1320d-6 [the “HIPAA privacy crimes”]
are those persons to whom the substantive requirements of [HIPAA
apply, i.e., covered entities] or whether this provision may also
render directly liable other persons, particularly those who obtain
protected health information in a manner that causes a person
to whom the substantive requirements of the subtitle apply to
release the information in violation of that law.
In response, DOJ opined that the parties “directly”
liable included the “covered entities” and, “depending
on the facts of a given case,” in addition:
certain directors, officers, and employees of these
entities may be liable directly . . . , in accordance with general
principles of corporate criminal liability, as these principles
are developed in the course of particular prosecutions. Other
persons may not be liable directly under this provision. The liability
of persons for conduct that may not be prosecuted directly . .
. will be determined by principles of aiding and abetting liability
and of conspiracy liability.
The DOJ Opinion stressed that:
an analysis of liability under section 1320d-6
must begin with covered entities, the only persons to whom
the standards apply. If the covered entity is not
an individual, general principles of corporate criminal liability
will determine the entity's liability and that of individuals within
the entity, including directors, officers and employees. Finally,
certain conduct of these individuals and that of other persons outside
the covered entity, including of recipients of protected information,
may be prosecuted in accordance with principles of aiding and abetting
liability and of conspiracy liability.
(Emphasis added). The DOJ Opinion concluded:
When the covered entity is not an individual, principles
of corporate criminal liability will determine the entity's liability
and the potential liability of particular individuals who act
for the entity. . . . [T]he conduct of an entity's agents may
be imputed to the entity when the agents act within the scope
of their employment, and the criminal intent of agents may be
imputed to the entity when the agents act on its behalf. See Kathleen
F. Brickley [sic, Brickey], Corporate Criminal Liability
§§ 3-4 (2d ed. 1992) [hereafter, “Brickey”].
In addition, we recognize that, at least in limited circumstances,
the criminal liability of the entity has been attributed to individuals
in managerial roles . . . .
The DOJ Opinion declined to discuss further these
general corporate and aiding and abetting liability principles,
noting the law varies in different jurisdictions and will be applied
on a case by case basis.
Principles of Corporate Criminal Liability
Professor Brickey’s analysis of these general
corporate liability issues provides some guidance. She notes that:
in the context of corporate criminal prosecutions,
“within the scope of employment” is a term of art
signifying little more than that the employee’s crime must
be committed in connection with his performance of some job-related
activity . . . .
Professor Brickey also has observed that the “clear
weight of federal authority” holds a corporation bound by
the acts of its agent even though the agent acts contrary to actual
instructions or policy.
According to Professor Brickey, it is accepted doctrine
that an agent “must intend to benefit the corporation if the
entity is to share responsibility,” with the agent intending
to produce “some benefit to [the] corporation or some benefit
to himself and secondarily to [the] corporation.” Following
this analysis, for obvious reasons, it’s easier to find intent
to benefit an entity if the individual involved is the entity’s
owner.
Where a “rogue” employee acts with no
intent to benefit a covered entity, and solely for personal gain,
it will be harder for prosecutors to show a covered entity was “in
violation of HIPAA,” an element of the crime according to
the DOJ Opinion.
The DOJ Opinion states “certain directors,
officers, and employees of these [covered] entities may be liable
directly under” HIPAA “depending on the facts of a given
case.” Again, the DOJ Opinion contains little explanation,
but references Brickey. Professor Brickey’s treatise
says there is liability for corporate entity managers and employees
for offenses committed by the corporate entity, including:
(1) liability for “direct” participants,
whose conduct results in entity liability;
(2) liability for managers with duties to control illegal conduct
based on responsibilities within the organization (now called
“responsible corporate officers” under the Supreme
Court cases); and
(3) liability under the federal aiding, abetting and causation
statute.
The aiding and abetting statute provides:
(a) Whoever commits an offense against the United
States or aids, abets, counsels, commands, induces or procures
its commission, is punishable as a principal.
(b) Whoever willfully causes an act to be done which if directly
performed by him or another would be an offense
against the United States, is punishable as a principal. (Emphasis
added.)
Professor Brickey’s treatise has observed, now
particularly relevant to this recent DOJ Opinion and its interpretation
of HIPAA, that:
the legislative history [of the aiding and abetting
statute] . . . contains an explicit statement of congressional
purpose “to clarify and make certain the intent to punish
aiders and abettors regardless of the fact that they may be incapable
of committing the specific violation which they are charged to
have aided and abetted.”
The court in U.S. v. Scannapieco (a 5th Circuit
case) reached the same conclusion. Scannapieco upheld the
conviction of a firearms dealer's salesman under
the aiding and abetting statute for causing a violation of a statute
that prohibits a dealer from selling and delivering
firearms to a buyer while knowing the buyer does not reside in the
state of the sale, despite the fact the dealer
was not present at the time of the illegal sales and not convicted
of the sales. In Scannapieco, the court held the aiding and abetting
statute permits conviction as a "causer" even though the
accused was himself not capable of committing the act forbidden
by federal statute (he was not a dealer and the
statute prohibited only acts by a dealer).
Professor Brickey’s treatise noted that “an
aider and abettor may be held accountable as a principal even though
the perpetrator has not first been tried and convicted or even identified,
so long as the government proves the crime was actually committed.”
In other words, DOJ prosecutors may charge that an employee caused
an entity to act “in violation of” HIPAA and that the
employee is therefore liable, without charging the entity.
Finally, the DOJ Opinion states that the “conspiracy
statute prescribes punishment “if two or more persons conspire
. . .to commit any offense against the United States . . . and one
or more of such persons do any act to effect the object of the conspiracy.”
Federal conspiracy liability is broad, and poses risk to third parties
who affiliate with covered entity employees who “cause”
an entity to violate HIPAA.
Conclusion
Analysis of the risk of criminal prosecution under
HIPAA has become very fact specific. Federal prosecutors may conclude
there is no employee or third-party liability without a nexus between
the particular individual and a covered entity acting “in
violation of” HIPAA's privacy standards. Where there is
a nexus with a covered entity, where protected records came from
a provider and the third party dealt directly with a health care
provider through one of its employees, then there is greater risk
a prosecutor might bring a case. Arguably, based on the corporate
liability doctrines referenced in the DOJ Opinion, such a prosecution
should fail absent proof the employee acted with some intent to
benefit the employer entity.
Because the DOJ Opinion left to the DOJ Criminal
Division and local U.S. Attorneys application of the DOJ Opinion
to real world cases, we will have to await those cases to know for
certain how line-level prosecutors will follow the DOJ guidance.
For further information, please contact:
Bellevue –
David
V. Marshall, davidmarshall@dwt.com
San Francisco – Paul
Smith, paulsmith@dwt.com
Seattle – Rebecca
L. Williams, RN, JD, beckywilliams@dwt.com
Los Angeles – Thomas
Jeffry, thomasjeffry@dwt.com
To subscribe to this list, visit https://www.dwt.com/emailupdate.htm.
To unsubscribe, send a message to DWTAlert@dwt.com.
This Advisory is a publication of the HIPAA Law Department of Davis
Wright Tremaine LLP. Our purpose in publishing this Advisory is
to inform our clients and friends of recent developments in HIPAA
law. It is not intended, nor should it be used, as a substitute
for specific legal advice as legal counsel may only be given in
response to inquiries regarding particular situations.
Davis
Wright Tremaine LLP | 2600 Century Square | 1501 Fourth Avenue |
Seattle, Washington 98101
return to Advisory Bulletins main page
|
