A new and startling legal opinion by the Bush administration drastically cuts back the medical privacy protections of Americans. This article explains why the new opinion is bad law and bad policy.
The new opinion, accompanied by other administration actions, is turning the medical privacy law into little more than a voluntary standard. Unless the administration pulls back from its current position, it will be up to Congress to protect privacy and say that obviously criminal behavior should be punished by the criminal law.
Today’s medical privacy law comes from the Health Insurance Portability and Accountability Act (HIPAA), passed with bipartisan support in 1996. HIPAA had a simple logic: part of HIPAA said that the health payment system should modernize, switching from paper to electronic records. At the same time, privacy and security should be built into the health care system, so that the new electronic records would be kept safe.
Congress gave itself until the summer of 1999 to write detailed health privacy law. When it couldn’t agree on a bill, President Clinton announced a proposed medical privacy rule in 1999. After review of over 50,000 public comments, a final rule was issued in late 2000. As chief counselor for privacy under President Clinton, I worked intensively on the rule.
Drama followed with the change of administrations. Intense lobbying by health insurance and other industry groups nearly led to cancellation of the privacy rule. The New York Times reported that administration officials thought the rule was “fundamentally flawed.” President Bush overruled his advisors, however, and decided to keep the rule. Revisions of the privacy rule followed, but the bulk of privacy protections went into effect in April 2003.
From my work with many parts of the health care industry, I know that reactions to HIPAA have been mixed. Many people say that it has led to common-sense measures to protect privacy, protections that otherwise would not have been built into the new computer systems. Others complain that it is bureaucratic and creates barriers to sensible uses of medical information. My own sense is that the Department of Health and Human Services (HHS) did not give enough support to education and outreach as the rule went into effect. Many health care providers have been confused about what was required, and many of the most bitter complaints against HIPAA are for things that are not actually required by the rule.
Almost No Civil and Criminal Enforcement
HHS, through its Office of Civil Rights (OCR), is given the job of civil enforcement of the HIPAA privacy rule. The statute does not create a private right of action – a person whose medical record is disclosed instead can file a complaint with OCR. A key part of HIPAA enforcement, therefore, concerns how OCR has exercised its authority since compliance was required in April 2003.
From my time working in government, I know a number of the professional employees at OCR and respect them entirely. OCR has set up an easy-to-use complaint form at www.hhs.gov/ocr/hipaa. OCR also reports that it has received over 13,000 HIPAA privacy complaints in the past two years.
Somehow, though, OCR has not yet brought a single civil enforcement action. In part, it likely made sense for the first few months or a year for OCR to emphasize helping organizations come into compliance with the new rule. Even now, two full years after compliance was due and five years after the final rule was announced, there is a major role for OCR in helping teach organizations how to do better.
With that said, however, the utter lack of enforcement actions sends a clear signal to health insurers and providers who are covered by HIPAA. The signal, growing ever stronger as the months go by, is that HHS will not act even against flagrant violations of the privacy rule.
With no private right of action, and no civil enforcement actions, the only big enforcement news has been on the criminal front. In 2004 the U.S. attorney in Seattle announced that Richard Gibson was being indicted for violating the HIPAA privacy law. Gibson was a phlebotomist – a lab assistant – in a hospital. While at work he accessed the medical records of a person with a terminal cancer condition. Gibson then got credit cards in the patient’s name and ran up over $9,000 in charges, notably for video game purchases. In a statement to the court, the patient said he “lost a year of life both mentally and physically dealing with the stress” of dealing with collection agencies and other results of Gibson’s actions. Gibson signed a plea agreement and was sentenced to 16 months in jail.
At the time, the Department of Justice trumpeted the first HIPAA criminal prosecution. The DOJ site announced: "This case should serve as a reminder that misuse of patient information may result in criminal prosecution."
Under its new legal opinion, however, Gibson could no longer be prosecuted under HIPAA.
What the OLC Opinion Says
The Office of Legal Counsel (OLC) is a part of the Department of Justice that issues opinions, often on tricky legal issues that involve more than one part of the federal government. As a preliminary matter, it is odd for OLC to issue an opinion in the absence of a conflict among agencies or similar controversy. The very existence of the opinion is a sign of substantial political-level interest in the issue. (In addition, more than one source has informed me that senior officials were involved at both DOJ and HHS, including the deputy attorney general.)
The OLC opinion, dated June 1 but not made public until a New York Times article of June 7, answers a request from the general counsel of HHS for clarification of the scope of the HIPAA criminal provision.
The answer is that the criminal provision applies to “covered entities” under HIPAA. These covered entities are defined under the HIPAA electronic payment, security, and privacy rules to include essentially the following: health care providers, health plans (insurers), and health care clearinghouses. Roughly speaking, that means that the criminal provision applies to hospitals and health insurance companies, but not to individuals.
The OLC opinion does find that the law can apply to a few individuals. Certain directors, officers, and employees may be criminally liable “in accordance with general principles of corporate criminal liability.” The opinion emphasizes that criminal liability will apply especially when “the agents act within the scope of their employment.” For instance, a hospital might make a corporate decision to sell medical records in violation of HIPAA. For employees who act criminally but within their job description, there could be criminal liability.
It is appropriate for the criminal law to apply to this sort of knowing violation of law. But we all know that outside hackers and rogue insiders such as Mr. Gibson pose much, much more of a threat. It is (presumably) rare for a health insurance company or medical provider to create an ongoing program of HIPAA violations as part of people’s scope of employment. Yet, OLC finds that other persons would “not be liable directly under this provision.”
Why the OLC Opinion is Bad Law
For a law professor who teaches statutory interpretation, the OLC opinion is terribly frustrating to read. The opinion reads like a brief for one side of an argument. Even worse, it reads like a brief that knows it has the losing side but has to come out with a predetermined answer.
Here is what the statute says in full, at 42 U.S.C. § 1320d-6:
Wrongful disclosure of individually identifiable health information
(a) A person who knowingly and in violation of this part—
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section.
(b) A person described in subsection (a) of this section shall—
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
There are five straightforward arguments against the OLC position. First, the statute applies to “a person who knowingly and in violation of this part.” The effect of the OLC opinion is to change the statute to say “a person who is a covered entity who knowingly and in violation of this part.” The natural reading, in my view, is that “a person” can include hospital employees such as Gibson who abuse patient records. Gibson is “a person.” He is violating “this part” – the HIPAA rule – when he misuses the patient records.
Second, the criminal statute includes jail time. Indeed, the jail time increases from one year to five years to ten years based on the seriousness of the offense. Yet the OLC opinion says that Congress intended to make the covered entities the target of the criminal provision. We all know that hospitals and health insurance companies don’t go to jail. The common sense of the statute is that Congress intended individuals who violated the HIPAA rules to go to jail.
There is a third, related, point about an offense “committed under false pretenses.” The OLC opinion says the entire criminal provision is about covered entities, but that it also may sometimes apply to employees “acting within the scope of employment.” Can an employee be acting within the scope of employment and also be acting under false pretenses? I haven’t been able to think of how this jail time provision can ever apply under the OLC view – the employee would have to be truly within the scope of employment and acting under false pretenses at the same time. The OLC opinion seems to make the false pretense provision meaningless.
On the fourth argument, the OLC opinion itself lets the reader see its weakness. In (a)(1), Congress specifically made it a crime where a person “obtains individually identifiable health information relating to an individual.” (The person must of course act knowingly and in violation of the HIPAA standards.) Now it is a standard and important part of reading a statute to give effect to each provision in the law. That is, the criminal provision of (a)(1) must mean something. The OLC admits: “It could be argued that by including a distinct prohibition on obtaining health information, the law was intended to reach the acquisition by a person who is not a covered entity but who ‘obtains’ it from such an entity in a manner that causes the entity to violate” the privacy rule.
This sentence makes a great deal of sense – Congress intended to criminalize the illegal “obtaining” of health information when it made it a crime for any person to “obtain” health information. In the face of this clear language, OLC has to become amazingly inventive to save its preferred outcome. On the OLC view, Congress was not concerned about criminal activities by outsiders who steal medical records, or by insiders who sell medical records or use them for their own advantage. Instead, on the OLC view, Congress wrote the provision only to get at the covered entities, whose privacy activities are already regulated in other ways. And, on the OLC’s view, Congress did this without ever mentioning covered entities.
It is a canon of statutory construction that we should not reach “absurd” conclusions in interpreting a statute. This interpretation by OLC is absurd.
The last argument against the OLC opinion is that it treats the civil and criminal provisions as having the same scope, even though they are different statutes, with different purposes, and with different language. The civil provision does apply only to covered entities such as providers and health insurers. Those covered entities then are responsible for establishing privacy and security programs, and also complying with other administrative provisions such as standard formats for electronic payments. The covered entities pay civil fines (if and when HHS begins to bring civil enforcement actions).
By contrast, the criminal provision is tailored to specific pieces of HIPAA where Congress had the greatest concern about abuse. For instance, the privacy rule creates administrative rules such as training requirements and the need to name a chief privacy officer. These administrative requirements are omitted from the criminal provision, as are violations of the security rule and the payments rule. For the criminal provision, Congress focused on specific privacy violations, notably the obtaining or misuse of patient records under false pretenses or for personal gain.
When Congress targeted these information crimes, and called for jail time, it created a criminal provision that is different from the civil provision. The OLC opinion essentially assumes that the scope of the civil and criminal provisions is the same. The OLC opinion tries to suppress the clear text of the criminal provision about “person,” “false pretenses,” “obtaining” and other terms. A fairer and more neutral reading of the statute would be to recognize the different scope that follows from the different language and different goals of the civil and criminal provisions.
In conclusion on the law, the text of the criminal provision contradicts the OLC opinion in numerous ways. The intent of Congress is even clearer. Later in the OLC opinion, on a different topic, the opinion suddenly recognizes what the statute is all about: “the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals.” This sentence left me shaking my head in wonder. The entire discussion to that point had minimized Congress’ concern for the medical privacy of individuals. The opinion had assumed that Congress wanted to exempt employees and thieves from criminal penalty. Then, on a relatively minor issue, the OLC suddenly remembered the point of the entire statute.
A better legal opinion would have remembered Congress’ intent all along, especially when that intent is bolstered by multiple, conclusive textual arguments.
Why the OLC Opinion is Bad Policy
The simplest explanation for the bad OLC opinion is politics. Parts of the health care industry lobbied hard to cancel HIPAA in 2001. When President Bush decided to keep the privacy rule – quite possibly based on his sincere personal views – the industry efforts shifted direction. Industry pressure has stopped HHS from bringing a single civil case out of the 13,000 complaints. Now, after a U.S. attorney’s office had the initiative to prosecute Mr. Gibson, senior officials in Washington have clamped down on criminal enforcement. The participation of senior political officials in the interpretation of a statute, rather than relying on staff attorneys, makes this political theory even more convincing.
So far as federal enforcement is concerned, the OLC opinion essentially makes the privacy rule into a voluntary standard. I have been in numerous conferences and meetings on HIPAA in recent years. In practically every instance, the lawyers stress the serious enforcement provisions for the privacy rule. They often put the text of the criminal provision up on a slide, and linger over the “10 years in jail” language. Then, everyone gets down to the business of figuring out how to put privacy and security safeguards into place.
One sad result of the OLC opinion may be to make the hundreds of thousands of people who have worked to create safeguards feel like chumps. In good faith, nurses, doctors, IT staff, and many others have built systems that supply good health care while respecting patients’ privacy. Now, seeing that the federal government has created immunity for bad actors, all these people may wonder why they tried so hard to do the right thing.
Another result of the OLC opinion will likely be to annul Mr. Gibson’s plea agreement. Although it is difficult to guess the exact procedure, it will be difficult to keep him in jail when the Justice Department has announced that the statute does not apply to employees such as he was.
Under the Gibson facts, it may be possible to bring a new indictment for identity theft. For many other HIPAA violations, however, there may be no other statute as backup. An employee disclosure of patient data, even in bulk to the Internet, even for personal gain, may avoid criminal penalty entirely. Perhaps a U.S. attorney will try to indict under mail fraud or wire fraud, on the theory that the hospital employee misappropriated the records. That is an untested theory, however, and it would be far more sensible to punish medical privacy violations under the medical privacy law.
Looking ahead, one might imagine that President Bush will ride to the rescue of HIPAA as he did in 2001. More likely, it will be up to Congress to decide whether criminal abuse of medical records deserves to be covered by criminal law.
If Congress does act, there are ways to criminalize clearly bad behavior while reassuring ordinary health care employees that they will not be subject to prosecution. When there is enforcement against the bad actors, then the good persons in every organization have more leverage to insist on doing things right. Americans of every political persuasion want their medical records handled with privacy and security. The signal from our government should be to encourage sensible safeguards. The OLC opinion, sadly, twists the statute to do the opposite.
Peter Swire is professor of law and John Glenn Scholar of Public Policy Research at the Moritz College of Law of the Ohio State University. From 1999 until early 2001 he served as chief counselor for privacy in the U.S. Office of Management and Budget.