The HITECH Act corrected what federal prosecutors had viewed as a flaw in HIPAA’s criminal provisions at 42 U.S.C. § 1320d-6, which had stated:
A person who knowingly and in violation of this part—
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section.
So, to be guilty, the person had to be in violation of HIPAA. And who has to comply with HIPAA? Covered entities. And the only person who can be a covered entity is a provider that transmits one or more of the standard transactions (primarily billing transactions) in electronic format. A human being cannot be a health plan, a health care clearinghouse, or a Medicare prescription drug sponsor. Human beings can own health plans. They can manage health plans. They can be employees of a health plan. But they can’t be a health plan or either of the two other types of covered entities.
The Department of Justice (“DOJ”) even put out a memorandum stating that DOJ could not prosecute a non-covered entity under § 1320d-6. Of course, they ignored their own memo and prosecuted a number of employees of covered entities. But they fixed it in the HITECH Act by adding the following after the section quoted above:
For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9 (b)(3) of this title) and the individual obtained or disclosed such information without authorization.
The statute did not, however, define who could be an “other individual” that could be guilty of a criminal HIPAA violation. Among likely “others” are the following: former employees; independent contractors; medical, nursing, or other students; volunteers; and even patients who walk out with other patients’ individually identifiable health information. But would the term extend to the daughter of a hospital worker who misuses health information that she is exposed to during mother-daughter day (not a good idea to have after HIPAA)?
A recent indictment by the U.S. Attorney for the Northern District of Georgia shows just how broad the term “other individual” is. The U.S. Attorney recently indicted a man who had impersonated a doctor and had treated more than 1000 patients. The indictment charged, along with health care fraud crimes, violating HIPAA by knowingly disclosing individually identifiable health information to another person, under false pretenses, and with the intent to use the information for commercial advantage and personal gain. So the HIPAA criminal provisions now apparently cover anyone who wrongfully obtains or discloses individually identifiable health information, whether or not that person has any valid relationship with a covered entity. Stay tuned for more such indictments!