News, Developments, and Insights

high-tech technology background with eyes on computer display


The Office of Legal Counsel (OLC) of the DOJ has issued a highly suspect interpretation of the original HIPAA that seriously undermines the enforceability of HIPAA.

Some background: In 1996, Congress Passed the Health Insurance Portability and Accountability Act (HIPAA).  The Act, at 42 U.S.C. § 1320d-6, provided in part for the protection of medical privacy – although it left the specific details to the Department of Health and Human Services (HHS) to establish via a rulemaking.  HIPAA contained civil and criminal penalties for when:

A person who knowingly and in violation of this part–

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person

HHS promulgated detailed regulations under HIPAA during the Clinton Administration.  In 2000, HHS issued a final rule, but the Bush Administration announced that the rule would not go into effect.  A bit later on, the Bush Administration issued a rewritten rule, weakening many of HIPAA’s protections, but leaving much of the rule intact.  This new HIPAA rule became effective in 2003.

But now the OLC has delivered quite a blow to HIPAA in an opinion interpreting HIPAA’s criminal enforcement provision (quoted above).

Professor Peter Swire (law, Ohio State), who worked on the HIPAA rule under the Clinton Administration, has written a very clear and persuasive attack on the OLC’s interpretation.  Swire writes:

One sad result of the OLC opinion may be to make the hundreds of thousands of people who have worked to create safeguards feel like chumps. In good faith, nurses, doctors, IT staff, and many others have built systems that supply good health care while respecting patients’ privacy. Now, seeing that the federal government has created immunity for bad actors, all these people may wonder why they tried so hard to do the right thing.

Swire provides useful background about civil and criminal enforcement under HIPAA:

OCR also reports that it has received over 13,000 HIPAA privacy complaints in the past two years.

Somehow, though, OCR has not yet brought a single civil enforcement action. In part, it likely made sense for the first few months or a year for OCR to emphasize helping organizations come into compliance with the new rule. Even now, two full years after compliance was due and five years after the final rule was announced, there is a major role for OCR in helping teach organizations how to do better.

With that said, however, the utter lack of enforcement actions sends a clear signal to health insurers and providers who are covered by HIPAA. The signal, growing ever stronger as the months go by, is that HHS will not act even against flagrant violations of the privacy rule.

With no private right of action, and no civil enforcement actions, the only big enforcement news has been on the criminal front. In 2004 the U.S. attorney in Seattle announced that Richard Gibson was being indicted for violating the HIPAA privacy law. Gibson was a phlebotomist – a lab assistant – in a hospital. While at work he accessed the medical records of a person with a terminal cancer condition. Gibson then got credit cards in the patient’s name and ran up over $9,000 in charges, notably for video game purchases. In a statement to the court, the patient said he “lost a year of life both mentally and physically dealing with the stress” of dealing with collection agencies and other results of Gibson’s actions. Gibson signed a plea agreement and was sentenced to 16 months in jail.

At the time, the Department of Justice trumpeted the first HIPAA criminal prosecution. The DOJ site announced: “This case should serve as a reminder that misuse of patient information may result in criminal prosecution.”

Under its new legal opinion, however, Gibson could no longer be prosecuted under HIPAA.

Swire provides a clear analysis of the OLC opinion:

The Office of Legal Counsel (OLC) is a part of the Department of Justice that issues opinions, often on tricky legal issues that involve more than one part of the federal government. As a preliminary matter, it is odd for OLC to issue an opinion in the absence of a conflict among agencies or similar controversy. The very existence of the opinion is a sign of substantial political-level interest in the issue. (In addition, more than one source has informed me that senior officials were involved at both DOJ and HHS, including the deputy attorney general.)

The OLC opinion, dated June 1 but not made public until a New York Times article of June 7, answers a request from the general counsel of HHS for clarification of the scope of the HIPAA criminal provision.

The answer is that the criminal provision applies to “covered entities” under HIPAA. These covered entities are defined under the HIPAA electronic payment, security, and privacy rules to include essentially the following: health care providers, health plans (insurers), and health care clearinghouses. Roughly speaking, that means that the criminal provision applies to hospitals and health insurance companies, but not to individuals.

The OLC opinion does find that the law can apply to a few individuals. Certain directors, officers, and employees may be criminally liable “in accordance with general principles of corporate criminal liability.” The opinion emphasizes that criminal liability will apply especially when “the agents act within the scope of their employment.” For instance, a hospital might make a corporate decision to sell medical records in violation of HIPAA. For these employees, who act criminally but within their job description, then there could be criminal liability.

It is appropriate for the criminal law to apply to this sort of knowing violation of law. But we all know that outside hackers and rogue insiders such as Mr. Gibson pose much, much more of a threat. It is (presumably) rare for a health insurance company or medical provider to create an ongoing program of HIPAA violations as part of people’s scope of employment. Yet, OLC finds that other persons would “not be liable directly under this provision.”

Swire then offers a blistering critique of the OLC opinion:

For a law professor who teaches statutory interpretation, the OLC opinion is terribly frustrating to read. The opinion reads like a brief for one side of an argument. Even worse, it reads like a brief that knows it has the losing side but has to come out with a predetermined answer. . . .

First, the statute applies to “a person who knowingly and in violation of this part.” The effect of the OLC opinion is to change the statute to say “a person who is a covered entity who knowingly and in violation of this part.” The natural reading, in my view, is that “a person” can include hospital employees such as Gibson who abuse patient records. Gibson is “a person.” He is violating “this part” – the HIPAA rule – when he misuses the patient records.

Second, the criminal statute includes jail time. Indeed, the jail time increases from one year to five years to ten years based on the seriousness of the offense. Yet the OLC opinion says that Congress intended to make the covered entities the target of the criminal provision. We all know that hospitals and health insurance companies don’t go to jail. The common sense of the statute is that Congress intended individuals who violated the HIPAA rules to go to jail.

There is a third, related, point about an offense “committed under false pretenses.” The OLC opinion says the entire criminal provision is about covered entities, but that it also may sometimes apply to employees “acting within the scope of employment.” Can an employee be acting within the scope of employment and also be acting under false pretenses? I haven’t been able to think of how this jail time provision can ever apply under the OLC view – the employee would have to be truly within the scope of employment and acting under false pretenses at the same time. The OLC opinion seems to make the false pretense provision meaningless.

On the fourth argument, the OLC opinion itself lets the reader see its weakness. In (a)(1), Congress specifically made it a crime where a person “obtains individually identifiable health information relating to an individual.” (The person must of course act knowingly and in violation of the HIPAA standards.) Now it is a standard and important part of reading a statute to give effect to each provision in the law. That is, the criminal provision of (a)(1) must mean something. The OLC admits: “It could be argued that by including a distinct prohibition on obtaining health information, the law was intended to reach the acquisition by a person who is not a covered entity but who ‘obtains’ it from such an entity in a manner that causes the entity to violate” the privacy rule.

This sentence makes a great deal of sense – Congress intended to criminalize the illegal “obtaining” of health information when it made it a crime for any person to “obtain” health information. In the face of this clear language, OLC has to become amazingly inventive to save its preferred outcome. On the OLC view, Congress was not concerned about criminal activities by outsiders who steal medical records, or by insiders who sell medical records or use them for their own advantage. Instead, on the OLC view, Congress wrote the provision only to get at the covered entities, whose privacy activities are already regulated in other ways. And, on the OLC’s view, Congress did this without ever mentioning covered entities.

It is a canon of statutory construction that we should not reach “absurd” conclusions in interpreting a statute. This interpretation by OLC is absurd.

The last argument against the OLC opinion is that it treats the civil and criminal provisions as having the same scope, even though they are different statutes, with different purposes, and with different language. The civil provision does apply only to covered entities such as providers and health insurers. Those covered entities then are responsible for establishing privacy and security programs, and also complying with other administrative provisions such as standard formats for electronic payments. The covered entities pay civil fines (if and when HHS begins to bring civil enforcement actions).

By contrast, the criminal provision is tailored to specific pieces of HIPAA where Congress had the greatest concern about abuse. For instance, the privacy rule creates administrative rules such as training requirements and the need to name a chief privacy officer. These administrative requirements are omitted from the criminal provision, as are violations of the security rule and the payments rule. For the criminal provision, Congress focused on specific privacy violations, notably the obtaining or misuse of patient records under false pretenses or for personal gain.

When Congress targeted these information crimes, and called for jail time, it created a criminal provision that is different from the civil provision. The OLC opinion essentially assumes that the scope of the civil and criminal provisions is the same. The OLC opinion tries to suppress the clear text of the criminal provision about “person,” “false pretenses,” “obtaining” and other terms. A fairer and more neutral reading of the statute would be to recognize the different scope that follows from the different language and different goals of the civil and criminal provisions.

For a further critique, see Bruce Schneier’s take.  In a contrary opinion, Jeff Drummond, a lawyer who represents hospitals and health care entities, comments on HIPAA blog (yes, there is indeed a blog devoted to HIPAA, which is a good cure for insomnia):

The basis for the opinion is pretty well reasoned, and while it may be bad public policy, it actually is very good law: HIPAA applies to covered entities, and I fail to see how a person can break a law that doesn’t apply to them. And this opinion does nothing to get the health care industry out of criminal prosecution. The industry itself is the only thing left in the law’s criminal crosshairs; what it does is get the “small fry” employees and grunts out of criminal prosecution. One could argue that this makes the law less effective (I would agree, on policy grounds and on practical grounds, since it avoids the likely wrongdoers and sure makes it less of a club for law-abiding hospitals and physician groups to beat on or scare their employees). But the problem isn’t one of interpretation, it’s one of drafting. The law is written to apply to covered entities, not covered entities and their employees and agents.

This argument by Drummond strikes me as very unpersuasive.  Besides resorting to an ad hominem attack on Swire (not included in the excerpt here), he does not respond to some of Swire’s strongest arguments, such as the fact that the law will not punish the bad apples who go outside of the scope of their employment.  This seems quite backwards.  It is people like Gibson that seem most suited for HIPAA’s criminal penalties.  The OLC opinion creates absurd results and severely weakens HIPAA’s enforceability.  Drummond oddly recognizes how foolish these results are on policy and practical grounds, yet he finds the OLC opinion to be “very good law.”  So under Drummond’s view, Congress played the fool, writing a stupid and absurd law.  HIPAA certainly has many problems, but its not applying criminal penalties to employees was not one of them.  I agree with Swire – Congress wasn’t the fool and the law was fine before the OLC got its hands on it and twisted it into a pretzel.

Originally posted at PrawfsBlawg


* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
LinkedIn Influencer blog

TeachPrivacy Ad Privacy Training Security Training 01