The Bush Department of Justice has issued a controversial interpretation of HIPAA that significantly weakens it. This is good or bad news depending on your point of view. This is a political move or a run-of-the-mill ruling, depending on who you talk to.
What the DOJ said:
Only covered entities -- like health plans, health care clearinghouses, and health care providers -- can be prosecuted for violating the criminal provisions of HIPAA. (In addition, it is possible for certain corporate officers to be prosecuted.)
This would then include doctors, other health care providers, some officers, and legal persons -- entities like insurers and hospitals, but not necessarily their employees.
This is true, even if, in all other respects, that employee violated the letter of HIPAA.
I have often wondered about who is and who is not covered by HIPAA. Now we have some more guidance.
42 USC 1320d-6(a) reads:
"A person who knowingly and in violation of this part . . .
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section."
This could be read as covering all people who commit any of the above acts. The DOJ disagrees.
Their decision turns on their interpretation of the phrase "this part."
The DOJ takes it to mean the statute itself, and therefore finds that the criminal penalties can only apply to specifically "covered entities."
This interpretation would seemingly subvert the federal government's own prosecution last year of an employee for stealing information from a patient.
One person who disagrees with the interpretation is Peter Swire, professor at Ohio State University and former chief counselor for privacy in the Clinton Administration. He argues that the criminal penalties are distinct from the civil penalties, and were specifically written by Congress in such a way as to cover any violation of the statute.
He may or may not be correct, but he is certainly right that at HIPAA conferences and in articles written about HIPAA one almost always hears about the potential for "10 years in prison."
While that could still happen for covered entities and actors, employees should breathe a little easier now.