The Justice Department has decided that most healthcare employees can't be prosecuted for stealing personal data under privacy rules that took effect in 2003 and were based on the Health Insurance Portability and Accountability Act of 1996.
The ruling could jeopardize the lone conviction obtained under the medical privacy rules and could stop federal prosecutors from pursuing some of the more than 13,000 complaints that have been filed alleging violations of those rules.
Hospitals, insurers, doctors and other healthcare providers that bill for their services are subject to criminal prosecution under the law, according to the June 1 memo signed by Steven Bradbury, the Justice lawyer who heads the office of legal counsel. But a hospital clerk, for example, and other employees cannot face criminal penalties because the law doesn't apply to them, Bradbury wrote.
The memo was the subject of extensive internal debate within the Bush administration, with at least one federal prosecutor voicing opposition to its conclusion.
"As prosecutors in the field, we're disappointed with the opinion," said Emily Langlie, spokeswoman for U.S. Attorney John McKay in Seattle.
Last August, McKay's office obtained a guilty plea from a technician at the Seattle Cancer Care Alliance. Richard Gibson was sentenced to 16 months in prison after admitting that he stole the identity of a cancer patient and used the information to obtain credit cards in the patient's name. Gibson bought $9,100 worth of jewelry, video games and a barbecue grill using the cards.
"This case should serve as a reminder that misuse of patient information may result in criminal prosecution," McKay said at the time.
Langlie said prosecutors are waiting to see if Gibson attempts to withdraw his plea or a federal judge intervenes. She said he could be prosecuted for identity theft.
Officials at the Justice Department and HHS declined to comment Tuesday. The existence of the memo was first reported by the New York Times.