Blog Editors

S. Elizabeth Malloy
Andrew Katsanis Professor of Law
Univ. of Cincinnati College of Law
Email
Web Profile

Resources

About HealthLawProf Blog
Email Editor Comments & Content

Find Health Law Profs
Google Scholar
Law Schools
SSRN

Free Legal Web Sites
Findlaw
JURIST

Blog Traffic

Since November 8, 2004

Blogware

Powered by TypePad

Notices

© Copyright All Rights Reserved
Contact post author for permissions

« New Developments in Contraception | Main | Cruise Ships and the Disabled »

June 7, 2005

DOJ Issues New Ruling on HIPAA

In a surprising ruling, the DOJ has issued a new ruling that dramatically limits who may be prosecuted for violating every health attorneys favorite law -- the Health Insurance Portability and Accountability Act.  According to the New York Times,

An authoritative new ruling by the Justice Department sharply limits the government's ability to prosecute people for criminal violations of the law that protects the privacy of medical records.

The criminal penalties, the department said, apply to insurers, doctors, hospitals and other providers - but not necessarily their employees or outsiders who steal personal health data.

In short, the department said, people who work for an entity covered by the federal privacy law are not automatically covered by that law and may not be subject to its criminal penalties, which include a $250,000 fine and 10 years in prison for the most serious violations.

The reasoning is that federal regulations establish the standards for medical privacy. The regulations apply just to "covered entities," including insurers and health care providers. Thus, only covered entities can be prosecuted for criminal violations of the law.

This interpretation is set forth in an opinion written by the office of legal counsel at the Justice Department. The opinion, dated June 1, is binding on the executive branch of the federal government, but not on judges. It was prepared over the last 16 months to answer questions from the criminal division of the Justice Department and the Health and Human Services Department.

The ruling was a surprise to many lawyers. Robert M. Gellman, an expert on privacy and information policy, said, "Under this decision, a tremendous amount of conduct that is clearly wrong will fall outside the criminal penalties of the statute," the Health Insurance Portability and Accountability Act of 1996.

If a hospital sells a list of patients' names to a firm for marketing purposes, the hospital can be held criminally liable, Mr. Gellman said. But if a hospital clerk does the same thing, in defiance of hospital policy, the clerk cannot be prosecuted under the 1996 law, because the clerk is not a "covered entity."

Very interesting -- announced the same day that we hear that more people's financial records have suspiciously gone missing - I am not sure that this is the time to cutback on who may be covered by the our privacy laws.  (I do not yet have a link to the report but will update you when I do. [bm]

June 7, 2005 | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8341bfae553ef00d835121f8c53ef

Listed below are links to weblogs that reference DOJ Issues New Ruling on HIPAA: