Tuesday, June 07, 2005

A $250,000 Fine and 10 Years in Prison, Unless…

Ruling Limits Prosecutions of People Who Violate Law on Privacy of Medical Records

“An authoritative new ruling by the Justice Department sharply limits the government's ability to prosecute people for criminal violations of the law that protects the privacy of medical records.

The criminal penalties, the department said, apply to insurers, doctors, hospitals and other providers - but not necessarily their employees or outsiders who steal personal health data.

In short, the department said, people who work for an entity covered by the federal privacy law are not automatically covered by that law and may not be subject to its criminal penalties, which include a $250,000 fine and 10 years in prison for the most serious violations.

The reasoning is that federal regulations establish the standards for medical privacy. The regulations apply just to "covered entities," including insurers and health care providers. Thus, only covered entities can be prosecuted for criminal violations of the law.

This interpretation is set forth in an opinion written by the office of legal counsel at the Justice Department. The opinion, dated June 1, is binding on the executive branch of the federal government, but not on judges. It was prepared over the last 16 months to answer questions from the criminal division of the Justice Department and the Health and Human Services Department.

The ruling was a surprise to many lawyers. Robert M. Gellman, an expert on privacy and information policy, said, "Under this decision, a tremendous amount of conduct that is clearly wrong will fall outside the criminal penalties of the statute," the Health Insurance Portability and Accountability Act of 1996.

If a hospital sells a list of patients' names to a firm for marketing purposes, the hospital can be held criminally liable, Mr. Gellman said. But if a hospital clerk does the same thing, in defiance of hospital policy, the clerk cannot be prosecuted under the 1996 law, because the clerk is not a "covered entity."

In December 2000, President Bill Clinton issued sweeping privacy standards that affected virtually every part of the health care system. President Bush allowed the rules to take effect with some changes.

The government has received more than 13,000 complaints of violations of the privacy standards in the last two years. The government has not imposed any civil fines, but it has secured one criminal conviction. A Seattle man pleaded guilty last August to wrongful disclosure of personal health information.

The man, Richard W. Gibson, admitted that he had improperly obtained a patient's name, birth date and Social Security account number while working for a consortium of cancer hospitals. Mr. Gibson used the information to obtain four credit cards in the patient's name. Using the cards, Mr. Gibson bought more than $9,000 worth of video games, jewelry, porcelain figurines, groceries, gasoline and other items for his use.

He was sentenced to 16 months in prison.

The new Justice Department opinion appears to contradict the legal theory under which Mr. Gibson was prosecuted.

When informed of the new opinion, Gregory L. Ursich, a lawyer for the patient whose rights were violated, said Monday, ‘This is a very bizarre interpretation of the statute.’ ”

So… will the one convicted thief get out of jail free? Has the Bush Justice Department gone nuts? Was it ever sane?

Tune in, folks… this one will be in the courts for the rest of our lives. It ranks up there with not letting the FBI check the firearms records of the 9-11 hijackers, or not supporting research that could take an innocent life, at least until after they're born, then all bets are off…
