HIPAA Blog

[ Tuesday, June 07, 2005 ]

 

Gibson Undone? You might recall that, in connection with what is so far the only HIPAA criminal prosecution, HIPAAcrats had a lot to say about whether it was appropriate for criminal sanctions to be levied against an individual employee of a covered entity. Mr. Gibson was not a covered entity, but he worked for one. However, the fact that he was not a covered entity did not deter the federal prosecutor from getting a guilty plea from him.

There are basically 2 schools of thought here. Washington State's US Attorney (along with my friend AUSA Pete Winn) feel that you don't have to be a covered entity to be guilty under HIPAA. There is some precedent to that in federal jurisprudence, that basically goes along the lines that you can't do something through a surrogate that would be illegal for you to do, nor can the surrogate do something through or on behalf of another party if it were illegal for that other party to do it. I think it's a tenuous argument, but I'm not an appellate lawyer (especially not a federal criminal appellate lawyer -- good God, isn't HIPAA boring enough?).

The other school of thought is that HIPAA explicitly applies to covered entities, and to covered entities only. Can a non-covered entity violate a law that does not apply to it? I think this is the better argument, but Pete and the other AUSAs have precedent on their side, not to mention the power of the federal government. Of course, there's some benefit to covered entities if they can scare their employees with potential jail time for violating the company's HIPAA policies, but ultimately, I don't see how the government wins that type of case, unless the defendant just gives up (which is what Gibson did).

Well, today the HIPAAcrat world is abuzz with this story from the NY Times. The DOJ office of legal counsel (the lawyers' lawyers, I guess) has drafted an opinion that says you can't hold HIPAA against non-covered entities. They acknowledge that a lot of privacy breaches will now no longer be criminal; for example, a hospital that sells PHI violated HIPAA, but a clerk working in the hospital billing office that does the same thing does not violate HIPAA.

The opinion hasn't yet been published, but I'll link it when it is (and let you know if I think it really changes anything). I'll also let you know if it effects the Gibson case. I don't think it will, because if Gibson gets his HIPAA conviction overturned (and he pled to it, remember), the AUSA will try him for identity theft instead.

Which brings up another good point: even if HIPAA doesn't apply, State laws might. Other federal laws, such as the identity theft laws, might also apply (remember, the big damage and potential big money in HIPAA breaches isn't the medical information; it's the social security numbers, account numbers, credit card numbers, mothers' maiden names, and other things that allow identity theft or credit card or bank scams).


[UPDATE]: The potential impact of the DOJ opinion (which still isn't available to the public, BTW) on Gibson has been noted by the Seattle Times (hat tip to Jeff Sconyers). I generally agree with the story, it'll be up to Gibson to appeal, and even if he's successful, the AUSA will certainly charge him with one of the many other violations his actions could be categorized under (he pled guilty, remember, so I don't think he will appeal; if he did, I think he'd be successful, more likely than not).

I think the opinion is right, by the way; I don't think a person who doesn't meet the definition of a "covered entity" can violate HIPAA. Such a person could cause his employer to violate HIPAA, but couldn't do so himself/herself. I also think it's possible that the opinion will be retracted. It sure sounds like the Washington US Attorney and staff were blindsided by this, and I find it odd that the DOJ general counsel would not confer with them prior to publishing the opinion. My spidey-sense tells me that the distribution of this opinion to the NY Times might have been an intentional or unintentional leak.

Oh, one more thing: on further reading of the Seattle Times story, unless he's been misquoted of taken way out of context, I think Peter Swire is a partisan jerk. The basis for the opinion is pretty well reasoned, and while it may be bad public policy, it actually is very good law: HIPAA applies to covered entities, and I fail to see how a person can break a law that doesn't apply to them. And this opinion does nothing to get the health care industry out of criminal prosecution. The industry itself is the only thing left in the law's criminal crosshairs; what it does is get the "small fry" employees and grunts out of criminal prosecution. One could argue that this makes the law less effective (I would agree, on policy grounds and on practical grounds, since it avoids the likely wrongdoers and sure makes it less of a club for law-abiding hospitals and physician groups to beat on or scare their employees). But the problem isn't one of interpretation, it's one of drafting. The law is written to apply to covered entities, not covered entities and their employees and agents.

And still one more thing (I've edited this post more times than I want to admit): as the HIPAA Wire points out, if you were relying on the Gibson case's outcome to allow you to think the HIPAA police will make sure your employees aren't doing bad things, you're mistaken. It is your policies and procedures, and your own enforcement of them (that includes vigilance in making sure they are followed and sniffing out wrongdoers), that are the basis for keeping your employees on the straight and narrow. That was the case before Gibson, and it's even more so now. You may not be able to scare them straight with the threat of jail time, but you must scare them straight with your policies and procedures, and the threat of termination.

Jeff [4:53 PM]

Comments:
Outstanding post. My head was spinning before I read your take on it, now the room has slowed down a bit, and I can breathe.
I still haven't sorted out what the drill is on this, but I am tending to agree with you. In the end it will be the entities responsibility to ensure compliance--- and they after all have the resources and mojo to do so.
 
Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template