In his book, Goldsmith stresses the tremendous reach of Office of Legal Counsel opinions.
“If OLC interprets a law to allow a proposed action, then the Justice Department won’t prosecute those who rely on the OLC ruling,” Goldsmith writes. “Even independent counsels would have trouble going after someone who reasonably relied on one. … One consequence of OLC’s authority to interpret the law is the power to bestow on government officials what is effectively an advance pardon for actions taken at the edges of vague criminal laws. … It is one of the most momentous and dangerous powers in the government: the power to dispense get-out-of-jail-free cards.”
When it came to national security issues, Goldsmith writes in his book, it was his job to interpret the law in light of government policies and to issue OLC opinions “to make sure the president could act right up to the chalk line of legality.” The president, Goldsmith writes, “Had to do what he had to do to protect the country. And the lawyers had to find some way to make what he did legal.”
And yet, when he arrived at OLC, Goldsmith writes that he reviewed a number of then-current OLC opinions that were “deeply flawed, sloppily reasoned, overbroad and incautious in asserting extraordinary constitutional authority on behalf of the president.”
Bradbury, in his 14-page HIPAA opinion dated June 1, 2005, told federal prosecutors—and current or would-be privacy violators, including, presumably, government officials—that, generally speaking, only covered entities, not their employees or other third parties who obtain and misuse patient information, could be criminally charged with HIPAA privacy violations. The statute says a HIPAA privacy violator is “A person who knowingly ... uses or causes to be used” protected healthcare information contrary to the law. It calls for the stiffest fines and sentences of up to $250,000 and 10 years in prison for the most egregious privacy violators, those “with intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm.” Since most covered entities are corporations, the Bradbury ruling seemed to make moot the penalty of incarceration, according to a legal expert critical of the opinion.
“We all know that hospitals and health insurance companies don’t go to jail,” writes Peter Swire, a lawyer, Ohio State University law professor and former Clinton administration HIPAA adviser, in a written rebuttal to the Bradbury opinion published online by the Center for American Progress. “The common sense of the statute is that Congress intended individuals who violated the HIPAA rules to go to jail.”
Swire, who served a stint as chief counselor for privacy in Clinton’s Office of Management and Budget, called Bradbury’s interpretation of the HIPAA statute “absurd,” adding that it was at once both “bad law and bad policy.”
These two events—Bradbury’s alleged involvement in the domestic surveillance program and his writing an OLC opinion exempting those who improperly “used or caused to be used” healthcare data but who are not covered entities—may well be just a strange coincidence.
Paul Murphy was the associate deputy attorney general at the Justice Department when he wrote Goldsmith in mid-January 2004 first asking for the OLC opinion on the scope of the criminal penalty provisions of HIPAA. Murphy says that during his tenure at the Justice Department, he had a varied portfolio of work, which included healthcare fraud, criminal and civil matters as well as HIPAA. Murphy says he also served as chief of staff for three deputy attorneys general, the last being Comey, before Murphy left Washington in late January 2004 to become the U.S. attorney in Savannah, Ga.
Murphy is now a partner with the Atlanta law firm of King & Spalding.
The compliance deadline for the HIPAA privacy rule, and the trigger date for its criminal penalty provision, was April 14, 2003. Thus, by the time Murphy had written to Goldsmith asking for his opinion about the scope of HIPAA’s criminal penalties, the nation’s key healthcare privacy law already had been in full force for nine months. By the time Bradbury answered with an OLC opinion, the criminal law had been in effect for more than two years. Meanwhile, Gibson and another HIPAA violator in New York had been prosecuted under the initial interpretation that the criminal provisions of HIPAA applied to everyone, whether they were a covered entity or not. Those two would be the last, however. All subsequent federal prosecutions citing HIPAA criminal privacy violations—and there have been only a handful since—have used a legal theory that requires bootstrapping HIPAA onto another criminal statute.
In a telephone interview, Murphy says that his request to the OLC wasn’t the result of any pending criminal case.
“It was driven by a desire to make sure the parameters of the statute were clear to everybody, prosecutors and providers alike,” Murphy says. “It was a reasonably new statute and there was some concern in the provider community. There was a lot of hand-wringing.”
But Murphy says he does not remember the specific providers that expressed concern and asked for the clarification. “A lot of this was so long ago, that all the details, I can’t recall.”
Asked if the law’s effects on electronic surveillance or data-mining, either by the government or private entities, may have been at issue, Murphy says, “I don’t recall anything like that. I had no discussion and I don’t know of any discussions with any telecom companies or any data miners. That was not the genesis of this. The real genesis of this was to make certain that prosecutors and the provider community knew what the parameters of this statute were.”
Was Bradbury’s legal opinion on HIPAA a get-out-of-jail-free card for data miners, and by extension, the government itself?
Barry Steinhardt, a lawyer who heads the technology and liberty program for the American Civil Liberties Union, says HIPAA provides no private right of action that would allow patients whose records have been improperly viewed or used by a data handler or data-miner to sue for civil damages. But, he says, “There are criminal penalties in HIPAA only a federal prosecutor can pursue. If I were the telecoms, I would be concerned about rogue prosecutors bringing prosecutions under HIPAA. They have reason to worry.”
Bradbury’s opinion was all the more unusual because it carried the potential to jeopardize the two HIPAA criminal prosecutions already in the can, both of which could have been appealed, citing the Bradbury memo.
Susan Loitz, the federal prosecutor on the Gibson case, recalls the victim, Eric Drew, initiated contact by calling and first speaking with a colleague. Loitz says she promptly returned Drew’s call and began her work. Based on a contemporaneous e-mail in her records, she says March 8, 2004, “was probably the day that I called him.” That was nearly two months after Murphy wrote Goldsmith on Jan. 14, 2004, first requesting an OLC review of the HIPAA criminal penalty provision, timing that would support Murphy’s recollection that the request was not driven by a pending criminal case.
But according to Loitz, there was no confusion in her mind, in her office, or in the Justice Department in Washington, about the HIPAA criminal provision or whether it applied to Gibson, even though it was the first prosecution under the then 16-month-old law.
Under a plea agreement, Gibson admitted to using Drew’s name, date of birth and other personal information to fraudulently obtain several credit cards and go on a $9,000 shopping spree. On Nov. 5, 2004, seven months before Bradbury issued his HIPAA opinion, Gibson was sentenced to 16 months in prison. Because Gibson had been prosecuted on other criminal charges as well as a HIPAA violation, he did not challenge his HIPAA conviction after the Bradbury opinion was released.
Loitz says that she did not contact the OLC for an opinion about the scope of HIPAA, and it would have been extraordinary for her to do so. “The Office of Legal Counsel is used when there are differences in point of view on how to handle something. At that time, I didn’t know there was anything going on with respect to this issue at the (OLC).”
But the decision to prosecute Gibson for a criminal HIPAA violation was made in Seattle, not Washington, she says. Thus, armed with charges reviewed in Washington, Loitz forged ahead with the Gibson prosecution, unaware of any high-level interest in HIPAA from Murphy or anyone else.
“No one let me know there was any controversy on this issue,” she says.
The Criminal Division in Washington would write the OLC on May 27, 2004, giving its position on the scope of the criminal HIPAA statute, as would Loitz’s boss, McKay, on March 17, 2005. Both opinions were part of the documents about the Bradbury opinion requested by Modern Healthcare but denied by the Justice Department. McKay is teaching at the University of Seattle School of Law. He did not respond to several requests to be interviewed for this story.
The Bradbury opinion on HIPAA touched off a brief but spirited battle of ideas within the legal community. In a caustic analysis published soon after Bradbury made the change known to the public, Swire argued that Bradbury had hobbled federal prosecutors, making it harder for them to charge and jail someone like Gibson with a HIPAA violation, since Gibson was not a “covered entity.”
Swire’s article prompted a quick response, published in a Justice Department bulletin, from Peter Winn, an assistant U.S. attorney in the Seattle office and perhaps the “go-to guy” within the Justice Department on HIPAA.
Winn argued that Swire overstated the case by saying Bradbury had crippled HIPAA. In the bulletin, Winn laid out a strategy that prosecutors could use to still carry out “indirect prosecutions” of HIPAA violators who were not covered entities, even though it meant bootstrapping a HIPAA charge onto another, 1948 criminal statute.
But Winn also conceded in the bulletin that even that strategy has its limits. In the shadow of the Bradbury opinion, federal prosecutors will likely adopt “a conservative approach” to HIPAA and restrict charges to individuals normally involved in “the chain of trust” of routine healthcare recordkeeping and handling “unless the facts are particularly egregious.”
Winn speaks publicly about HIPAA and keeps track of federal HIPAA criminal prosecutions, but he would not discuss how McKay answered the OLC’s request for comment on a draft of its HIPAA opinion. Legislation introduced Sept. 15 by Rep. Pete Stark (D-Calif.) seeks closure of the Bradbury loophole, making sure the criminal provision is applicable to “a person (including an employee or other individual who is not a covered entity) … if the information is maintained by a covered entity … and the person knowingly obtained or disclosed such information without authorization.”
Eric Drew says that he has no trouble believing the government is snooping around in healthcare records, although he says he has no personal knowledge of anyone claiming to be a victim of government scrutiny of their medical information. His suspicion, he says, is rooted in bitter experience.
While Drew praises Loitz, the assistant U.S. attorney in Seattle who handled the prosecution of Gibson, the healthcare worker who victimized him, Drew also says he was given the brush when he tried earlier to get someone in the Justice Department or the Federal Trade Commission or any other Washington agency responsible for privacy enforcement to take an interest in his case. (Loitz says there are so many identity theft cases these days, police and prosecutors can’t handle them all, and that’s probably why Drew’s wasn’t embraced sooner.)
Drew says he’s convinced the only reason the government prosecuted Gibson was because it was shamed into doing so. Still critically ill with cancer, Drew hauled himself out of bed and, with the aid of a Seattle TV reporter, did most of the leg work in hunting down Gibson; then, on a TV news program, the reporter broadcast Gibson’s image taken by a cash register security camera at a home improvement store where he was making a credit card purchase in Drew’s name. Gibson was quickly identified. On Nov. 5, 2004, he was sentenced to 16 months in prison under terms of a plea agreement. But, seven months later, Bradbury issued his opinion reversing the legal theory under which Gibson was prosecuted, in that Gibson was an employee of a covered entity, but not a covered entity himself.
According to Drew, Loitz got the conviction, “And then, on June 1, 2005, they said it was a fluke and it shouldn’t be enforced that way.”
Drew says federal prosecutors have been the focus of “a lot of political pressure” by lobbyists representing various healthcare industry groups, including insurance companies, hospitals and physicians, to relax privacy enforcement. But, in Drew’s view, the pressure doesn’t end there.
“The exemption of the health insurance industry for any sort of liability for privacy violations is one piece in the puzzle you’re pursuing,” he says. “They don’t want HIPAA enforced, because it will open up to the world that nothing is being enforced. The government is taking away any private right of action against any of these entities; meanwhile, the CIA and the FBI can tap into any record they want. It is a part of a bigger plan to integrate American identities into a larger identification system.”
“The government, especially this administration, has been pushing for more and more cover over the tracking of information on civilians and they’re doing it over (concerns for) national security,” he says. “But it’s a fine line, and in the name of national security, terrible things have been done. Look how we interned the Japanese in World War II. That was wrong, but in the interest of national security, it wasn’t even questioned at the time. This administration, they might even believe it’s the right thing to do, but we need to be very careful. That information should not be made available without a warrant. If you let an agency decide what they want to do where and when, it’s very, very dangerous.”