Davis Wright Tremaine LLP Davis Wright Tremaine LLP
Practice Areas - HIPAA/advisory bulletins
Home

Practice Areas: HIPAA
 

Legal Services

Related Practice Areas

Advisory Bulletins

Publications & Resources

HIPAA Search
 

 
News to Use
Recruiting
DWT in the Community
Seminars & Training
Bookstore
Lawyer Directory
Office Locations
Search & Site Map

Advisory Bulletin

Email this page to a colleague
Print version


Justice Department Limits Prosecution Under HIPAA

By David V. Marshall (with assistance from Rebecca L. Williams)
[June 2005]

The U.S. Department of Justice (DOJ) recently issued an internal opinion limiting DOJ criminal prosecutions under the federal health privacy law, the Health Insurance Portability and Accountability Act (HIPAA). The DOJ Opinion was leaked to the Internet, see http://www.worldprivacyforum.org/pdf/hipaa_opinion_06_01_2005.pdf.

In sum, the DOJ Opinion limits prosecutions to:

  • “covered entities,” that is, health care providers, health plans (insurers), health care clearinghouses, and sponsors of Medicare prescription drug cards;
  • certain directors, officers, and employees of such covered entities who may be criminally liable “directly” “in accordance with general principles of corporate criminal liability” (little explained in the DOJ opinion); and
  • those third parties who cause, aid or abet, counsel, command, induce, procure, or conspire with, a covered entity to act (through employee conduct imputed to the entity in certain circumstances) in violation of HIPAA, liable under “principles of aiding and abetting liability and of conspiracy . . . .”

The DOJ Opinion leaves much unsaid. Although federal prosecutors likely will act with caution in applying its guidance, prosecutors retain the ability to prosecute parties outside of covered entities, depending on the applicable facts.


Background

HIPAA’s privacy regulations, in part, require “covered entities” to safeguard protected health information (PHI) and restrict uses and disclosures of PHI. PHI generally is individually identifiable health information, including “demographic information,” such as a patient’s name, date of birth, and social security number or a provider's patient list. Under HIPAA, a “person who knowingly and in violation” of the “Administrative Simplification” provisions of HIPAA, “uses or causes to be used a unique health identifier,” “obtains individually identifiable health information relating to an individual,” or “discloses individually identifiable health information to another person” may:

(1) be fined not more than $50,000, imprisoned not more than one year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than five years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

HIPAA thus created three new health care privacy related crimes:

  • a federal misdemeanor for “knowing” violations of the administrative simplification provisions; the DOJ Opinion says this crime “requires only proof of knowledge of the facts that constitute the offense” not “proof of knowledge that the conduct was contrary” to law;
  • a five year felony if a knowing violation involved false pretenses (such as misrepresentation of identity); and
  • a 10 year felony if a knowing violation involved intent to transfer or use PHI for gain or to cause harm.

United States v. Gibson, resolved by plea agreement in Seattle, Washington in late 2004, has been the only HIPAA privacy prosecution so far. Mr. Gibson was employed at a Seattle cancer center, and he obtained “demographic” health information for a cancer patient treated at his employer’s facility. Thereafter, Gibson obtained credit cards in the patient's name, used for cash advances and items worth more than $9,000. He was sentenced to 16 months in jail.


DOJ June 1, 2005 Opinion

According to the DOJ Opinion, DOJ was asked by the HHS General Counsel:

whether the only persons who may be directly liable under section 1320d-6 [the “HIPAA privacy crimes”] are those persons to whom the substantive requirements of [HIPAA apply, i.e., covered entities] or whether this provision may also render directly liable other persons, particularly those who obtain protected health information in a manner that causes a person to whom the substantive requirements of the subtitle apply to release the information in violation of that law.

In response, DOJ opined that the parties “directly” liable included the “covered entities” and, “depending on the facts of a given case,” in addition:

certain directors, officers, and employees of these entities may be liable directly . . . , in accordance with general principles of corporate criminal liability, as these principles are developed in the course of particular prosecutions. Other persons may not be liable directly under this provision. The liability of persons for conduct that may not be prosecuted directly . . . will be determined by principles of aiding and abetting liability and of conspiracy liability.

The DOJ Opinion stressed that:

an analysis of liability under section 1320d-6 must begin with covered entities, the only persons to whom the standards apply. If the covered entity is not an individual, general principles of corporate criminal liability will determine the entity's liability and that of individuals within the entity, including directors, officers and employees. Finally, certain conduct of these individuals and that of other persons outside the covered entity, including of recipients of protected information, may be prosecuted in accordance with principles of aiding and abetting liability and of conspiracy liability.

(Emphasis added). The DOJ Opinion concluded:

When the covered entity is not an individual, principles of corporate criminal liability will determine the entity's liability and the potential liability of particular individuals who act for the entity. . . . [T]he conduct of an entity's agents may be imputed to the entity when the agents act within the scope of their employment, and the criminal intent of agents may be imputed to the entity when the agents act on its behalf. See Kathleen F. Brickley [sic, Brickey], Corporate Criminal Liability §§ 3-4 (2d ed. 1992) [hereafter, “Brickey”]. In addition, we recognize that, at least in limited circumstances, the criminal liability of the entity has been attributed to individuals in managerial roles . . . .

The DOJ Opinion declined to discuss further these general corporate and aiding and abetting liability principles, noting the law varies in different jurisdictions and will be applied on a case by case basis.


Principles of Corporate Criminal Liability

Professor Brickey’s analysis of these general corporate liability issues provides some guidance. She notes that:

in the context of corporate criminal prosecutions, “within the scope of employment” is a term of art signifying little more than that the employee’s crime must be committed in connection with his performance of some job-related activity . . . .

Professor Brickey also has observed that the “clear weight of federal authority” holds a corporation bound by the acts of its agent even though the agent acts contrary to actual instructions or policy.

According to Professor Brickey, it is accepted doctrine that an agent “must intend to benefit the corporation if the entity is to share responsibility,” with the agent intending to produce “some benefit to [the] corporation or some benefit to himself and secondarily to [the] corporation.” Following this analysis, for obvious reasons, it’s easier to find intent to benefit an entity if the individual involved is the entity’s owner.

Where a “rogue” employee acts with no intent to benefit a covered entity, and solely for personal gain, it will be harder for prosecutors to show a covered entity was “in violation of HIPAA,” an element of the crime according to the DOJ Opinion.

The DOJ Opinion states “certain directors, officers, and employees of these [covered] entities may be liable directly under” HIPAA “depending on the facts of a given case.” Again, the DOJ Opinion contains little explanation, but references Brickey. Professor Brickey’s treatise says there is liability for corporate entity managers and employees for offenses committed by the corporate entity, including:

(1) liability for “direct” participants, whose conduct results in entity liability;
(2) liability for managers with duties to control illegal conduct based on responsibilities within the organization (now called “responsible corporate officers” under the Supreme Court cases); and
(3) liability under the federal aiding, abetting and causation statute.

The aiding and abetting statute provides:

(a) Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission, is punishable as a principal.
(b) Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal. (Emphasis added.)

Professor Brickey’s treatise has observed, now particularly relevant to this recent DOJ Opinion and its interpretation of HIPAA, that:

the legislative history [of the aiding and abetting statute] . . . contains an explicit statement of congressional purpose “to clarify and make certain the intent to punish aiders and abettors regardless of the fact that they may be incapable of committing the specific violation which they are charged to have aided and abetted.”

The court in U.S. v. Scannapieco (a 5th Circuit case) reached the same conclusion. Scannapieco upheld the conviction of a firearms dealer's salesman under the aiding and abetting statute for causing a violation of a statute that prohibits a dealer from selling and delivering firearms to a buyer while knowing the buyer does not reside in the state of the sale, despite the fact the dealer was not present at the time of the illegal sales and not convicted of the sales. In Scannapieco, the court held the aiding and abetting statute permits conviction as a "causer" even though the accused was himself not capable of committing the act forbidden by federal statute (he was not a dealer and the statute prohibited only acts by a dealer).

Professor Brickey’s treatise noted that “an aider and abettor may be held accountable as a principal even though the perpetrator has not first been tried and convicted or even identified, so long as the government proves the crime was actually committed.” In other words, DOJ prosecutors may charge that an employee caused an entity to act “in violation of” HIPAA and that the employee is therefore liable, without charging the entity.

Finally, the DOJ Opinion states that the “conspiracy statute prescribes punishment “if two or more persons conspire . . .to commit any offense against the United States . . . and one or more of such persons do any act to effect the object of the conspiracy.” Federal conspiracy liability is broad, and poses risk to third parties who affiliate with covered entity employees who “cause” an entity to violate HIPAA.


Conclusion

Analysis of the risk of criminal prosecution under HIPAA has become very fact specific. Federal prosecutors may conclude there is no employee or third-party liability without a nexus between the particular individual and a covered entity acting “in violation of” HIPAA's privacy standards. Where there is a nexus with a covered entity, where protected records came from a provider and the third party dealt directly with a health care provider through one of its employees, then there is greater risk a prosecutor might bring a case. Arguably, based on the corporate liability doctrines referenced in the DOJ Opinion, such a prosecution should fail absent proof the employee acted with some intent to benefit the employer entity.

Because the DOJ Opinion left to the DOJ Criminal Division and local U.S. Attorneys application of the DOJ Opinion to real world cases, we will have to await those cases to know for certain how line-level prosecutors will follow the DOJ guidance.

For further information, please contact:

David V. Marshall David V. Marshall
Bellevue, WA
(425) 646-6100
davidmarshall@dwt.com

 Rebecca L. Williams Rebecca L. Williams
Seattle, WA
(206) 622-3150
beckywilliams@dwt.com

Bellevue – David V. Marshall, davidmarshall@dwt.com
San Francisco – Paul Smith, paulsmith@dwt.com
Seattle – Rebecca L. Williams, RN, JD, beckywilliams@dwt.com
Los Angeles – Thomas Jeffry, thomasjeffry@dwt.com


To subscribe to this list, visit https://www.dwt.com/emailupdate.htm.
To unsubscribe, send a message to DWTAlert@dwt.com.


This Advisory is a publication of the HIPAA Law Department of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent developments in HIPAA law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Davis Wright Tremaine LLP | 2600 Century Square | 1501 Fourth Avenue | Seattle, Washington 98101

 

return to Advisory Bulletins main page

Davis Wright Tremaine LLP
Home | Practice Areas | News To Use | Recruiting | DWT in the Community
Seminars & Training | Bookstore | Lawyer Directory | Office Locations | Search & Site Map
Davis Wright Tremaine LLP Davis Wright Tremaine LLP
return to Advisory Bulletin main page