A little-noticed legal opinion from the U.S. Justice Department may make it more difficult for federal law enforcement officials to prosecute individuals for alleged criminal violations of privacy provisions of the Health Insurance Portability and Accountability Act.
While the 14-page opinion issued June 1 deals with criminal prosecutions by the Justice Department under HIPAA, HHS' Office for Civil Rights has enforcement authority over alleged civil HIPAA privacy violations. Despite the fact that the office has received more than 13,000 privacy complaints since the provisions went into effect in April 2003, it has yet to bring a civil enforcement action, according to former Clinton privacy adviser Peter Swire.
"My concern is that the Bush administration has not supported HIPAA enforcement," said Swire, a law professor at the Moritz College of Law at Ohio State University who served as President Clinton's chief counselor for privacy.
The HIPAA privacy provisions provide for criminal violations that can include fines up to $500,000 and jail time up to 10 years. Civil penalties range from $100 to $25,000.
The Justice Department legal opinion, signed by Steven Bradbury, principal deputy attorney general in the department's Office of Legal Counsel, details how the criminal provisions of the privacy law should only apply to so-called "covered entities" defined in the statute. The opinion said the criminal provisions don't apply directly to employees of such covered organizations.
"We conclude that health plans, healthcare clearinghouses, those healthcare providers specified in the statute and Medicare prescription-drug card sponsors may be prosecuted for violations of (HIPAA). ... Other persons may not be liable for this provision," according to the opinion.
Swire, in an editorial written for the Center for American Progress' Web site, said that the Justice Department opinion "drastically reduces" the medical privacy protections under HIPAA and is both "bad law and bad policy."
But Peter Winn, an assistant U.S. attorney in Seattle, wrote in an editorial posted on the Web site of the health law section of the American Bar Association that Swire's view that prosecutors are being hamstrung by the Office of Legal Counsel is "unduly pessimistic."
Winn wrote that federal prosecutors still can bootstrap their way into the HIPAA privacy law by applying an unrelated, but routinely used 1948 criminal statute that makes agents responsible for violations of laws that, as written, aim at their principals. By applying the statute to future HIPAA cases, prosecutors could, in effect, make healthcare employees responsible for HIPAA violations, according to Winn.
He predicted that, the legal opinion notwithstanding, there will be more federal criminal convictions for HIPAA violations. Only one person has been convicted in a criminal case under HIPAA.