[ Thursday, June 09, 2005 ]
HIPAA Crimes Opinion Posted:
(I know, I thought it might be pulled prior to publication; I was wrong
.) Our HIT list moderator Alan Goldberg has scanned and posted the DOJ opinion here
. I've scanned it and find it pretty well thought-out. It basically runs down two lines of thought (over 13 heavily-footnoted pages): who can violate HIPAA, and what do they need to know to have violated it. On the who question (the big question here, given Gibson), only persons or entities that meet the definition of "covered entity" can be prosecuted criminally. So, no Gibson. In certain cases, officers, directors, employees and agents of covered entities can be held liable, but only on the corporate-derivative grounds generally applicable to corporate criminal cases (think Enron
). On the knowledge question, the wrongdoer must only know the facts surrounding the HIPAA violation; it doesn't matter if the wrongdoer did not know the facts violated HIPAA. At its broadest, that means no "ignorance of the law" defense. But the big problem with the thinness of this knowledge requirement is that there are so many areas where people of good will (and lawyers, too) might all have legitimate differing opinions about whether a particular act or situation violated HIPAA. The opinion seems to close out the defense that (i) I knew what I was doing, (ii) I know what HIPAA says, but (iii) I thought it was OK anyway. Ultimately, a criminal defendant will be in the position of proving (or preventing the prosecution from proving beyond a reasonable doubt) that the situation did not violate HIPAA (in other words, that the defendant was right when he thought it was OK anyway) .
Much other commentary on this: Computer security guru Bruce Scheier
thinks this "guts" HIPAA (I naturally disagree; see my comment); partisan hack Peter Swire gets in his cuts here
(man, is that piece ripe for Fisking); Michael Cleverly wisely agrees
the official version of the opinion.
Jeff [11:10 AM]
Blogger: HIPAA Blog - Edit your Template