Jamie Knapp: Analysis Update:
A couple of folks (@LaClason and @PogoWasRight) pointed out that, in regard to my earlier post this morning, HITECH did add a change to the actual HIPAA statute that is intended to be used (and has been used) to prosecute employees or third parties for acts that would be violations if they were covered entities, mainly to avoid the anomaly that rogue employees or other bad actors are free from HIPAA criminal liabilities because they aren't the actual covered entity.
Prior to HITECH, Section 1320d-6(a) had one sentence, that says: "A person who knowingly and in violation of this part (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section." HITECH added a second sentence: "For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9 (b)(3) of this title) and the individual obtained or disclosed such information without authorization." The copy of 42 USC 1320d-6 that I pulled up online didn't have the added language, which explains my miss of it.
However, it did give me an opportunity to re-review the new statutory language, and in fact I maintain my opinion: Knapp (and Chelsea Stewart in an earlier case) should not have been convicted, because their acts were not in violation of HIPAA. That's because the HITECH-added language, which is intended to make them criminally liable (and pursuant to which they were held criminally liable), is deficient from a statutory construction standpoint.
The added language says “for purposes of the previous sentence,” which would be fine to change something within the construct of the previous sentence. (Example: "It is a violation of fashion law to wear white after Labor Day. For purposes of the preceding sentence, white shall include bone, ecru, ivory, eggshell, and taupe.") But the preceding sentence still says the obtaining or disclosing must be “in violation of this part.” It doesn’t change the definition of a covered entity or put obligations onto anyone other than a covered entity.
And you can’t change the meaning of “in violation of this part” by such a passing reference. In other words, you can’t change the definition of “in violation of this part” to simply mean any obtaining or disclosing of IIHI “if the information is maintained by a covered entity . . . and the individual obtained or disclosed such information without authorization.” If that’s the case, then any obtaining or disclosing of IIHI that is (i) “maintained by a covered entity” and (ii) “without authorization” would be a violation. And if that’s the case, every obtaining or disclosing of hospital-held PHI for treatment, payment, or healthcare operations (i.e., uses and disclosures for which an authorization is not required) would be a HIPAA violation.
HITECH was a hastily- and sloppily-written statute. But it’s also another example of the pure lawlessness of the current federal government. If we are to live under the rule of law, laws must apply equally to all. They must be clearly written so citizens can know exactly what conduct is prohibited and what is allowed. Words have meaning, and the meaning of words has consequences. When it comes to criminal law, where one’s property or liberty can be removed by the state, there cannot be a “well, you know what I mean” quality to it. Criminal statutes in particular MUST be clearly and precisely written. If there is any ambiguity (and there certainly is here), the benefit of the doubt must go to the accused.
Congress had the opportunity to fix this loophole by changing the definition of Covered Entity or by specifying a new and separate violation (i.e., “a person violates this part if . . . ” or “It is a violation of this part if a person . . . ”), but they didn’t do so.
I hope the next person who is charged under this provision challenges it on these grounds. I don’t object at all to holding employees and other non-covered-entities criminally liable for these types of breaches. I think this is a loophole that should be and needs to be closed. But the law should be written to make these types of breaches actual violations of the law, and what is written doesn't do that. Have some respect for the rule of law.