Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
SCOPE OF CRIMINAL ENFORCEMENT UNDER 42 U.S.C. § 1320d-6 Covered entities and those persons rendered accountable by
general principles of corporate criminal liability may be prosecuted directly
under 42 U.S.C. § 1320d-6, and the knowingly element of the offense set forth in
that provision requires only proof of knowledge of the facts that constitute the
offense. MEMORANDUM OPINION FOR
THE GENERAL COUNSEL
DEPARTMENT OF HEALTH
AND HUMAN SERVICES
AND
THE SENIOR COUNSEL
TO THE DEPUTY
ATTORNEY GENERAL
You have asked jointly for our opinion concerning the scope of 42 U.S.C. §
1320d-6 (2000), the criminal enforcement provision of the Administrative
Simplification subtitle of the Health Insurance Portability and Accountability
Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 ("HIPAA"). Specifically, you
have asked, first, whether the only persons who may be directly liable under
section 1320d-6 are those persons to whom the substantive requirements of the
subtitle, as set forth in the regulations promulgated thereunder, apply—i.e.,
health plans, health care clearinghouses, certain health care providers, and
Medicare prescription drug card sponsors—or whether this provision may also
render directly liable other persons, particularly those who obtain protected
health information in a manner that causes a person to whom the substantive
requirements of the subtitle apply to release the information in violation of
that law. We conclude that health plans, health care clearinghouses, those
health care providers specified in the statute, and Medicare prescription drug
card sponsors may be prosecuted for violations of section 1320d-6. In addition,
depending on the facts of a given case, certain directors, officers, and
employees of these entities may be liable directly under section 1320d-6, in
accordance with general principles of corporate criminal liability, as these
principles are developed in the course of particular prosecutions. Other persons
may not be liable directly under this provision. The liability of persons for
conduct that may not be prosecuted directly under section 1320d-6 will be
determined by principles of aiding and abetting liability and of conspiracy
liability. Second, you have asked whether the "knowingly" element of section
1320d-6 requires only proof of knowledge of the facts that constitute the
offense or whether this element also requires proof of knowledge that the
conduct was contrary to the statute or regulations. We conclude that "knowingly"
refers only to knowledge of the facts that constitute the offense.
I.
Congress enacted the Administrative Simplification provisions of HIPAA to
improve "the efficiency and effectiveness of the health care system" by
providing for the "establishment of standards and requirements for the
electronic transmission of certain health information." 42 U.S.C. § 1320d note.
These provisions added a new "Part C: Administrative Simplification" to Title XI
of the Social Security Act and have been codified at 42 U.S.C. §§ 1320d-1320d-8.
Part C directs the Secretary of the Department of Health and Human Services
("HHS") to "adopt standards for transactions, and data elements for such
transactions, to enable health information to be exchanged electronically."
Id. § 1320d-2(a)(1); see also id. § 1320d-2(b)(1) (requiring the
Secretary to adopt standards concerning unique health identifiers); id. §
1320d-2(c)(1) (same with respect to code sets); id. § 1320d-2(d)(1) (same
with respect to security); id. § 1320d-2(e)(1) (same with respect to
electronic signatures); id. § 1320d-2(f) (same with respect to transfer
of information among health plans). Various provisions of this part further
specify the standards to be adopted, the factors the Secretary must consider,
the procedures for promulgating the standards, and the timetable for their
adoption. Id. §§ 1320d-1 to 1320d-3. Pursuant to this authority, the
Secretary has adopted standards and specifications for implementing them.
See 45 C.F.R. pts. 160-164 (2004).
Section 1320d-1 specifies the persons to whom the standards
apply:
Any standard adopted under this part shall apply, in whole and
in part, to the following persons:
(1) A health plan.
(2) A health care
clearinghouse.
(3) A health care provider who transmits any health
information in electronic form in connection with a transaction referred to in
section 1320d-2(a)(1) of this title.
Id. § 1320d-1; see also 45 C.F.R. § 160.102(a)
(with respect to general administrative requirements "[e]xcept as otherwise
provided, the standards, requirements, and implementation specifications adopted
under this subchapter apply to" the entities listed in section 1320d-1);
id. § 162.100 (same with respect to additional administrative
requirements); id. § 164.104 (same with respect to security and privacy
regulations). The regulations refer to each of these three groups of persons as
a "covered entity." Id. § 160.103. To this list of persons to whom the
standards apply, Congress later added Medicare prescription drug card sponsors.
See Medicare Prescription Drug, Improvement and Modernization Act of
2003, Pub. L. No. 108-173, § 101(a)(2), 117 Stat. 2071, 2144 ("For purposes of
the program under this section, the operations of an endorsed program are
covered functions and a prescription drug card sponsor is a covered entity for
purposes of applying part C of title XI and all regulatory provisions
promulgated thereunder. . . ."), codified at 42 U.S.C.A. § 1395w-141(h)(6) (West
2004).
Various statutes and regulations define these four categories of covered
entities. A "prescription drug card sponsor" is "any nongovernmental entity that
the Secretary [of HHS] determines to be appropriate to offer an endorsed
discount card program," including "a pharmaceutical benefit management company"
and "an insurer." 42 U.S.C.A § 1395w-141(h)(1)(A). A "health plan" is "an
individual or group plan that provides, or pays the cost of, medical care . . .
." Id. § 1320d(5). A "health care clearinghouse" is an "entity that
processes or facilitates the processing of nonstandard data elements of health
information into standard data elements." Id. § 1320d(2). Finally, a
"health care provider" is any "person furnishing health care services or
supplies," including a "provider of services" and a "provider of medical or
other health services." Id. § 1320d(3). These latter two terms are
further defined in 42 U.S.C. § 1395x. A "provider of services" is a "hospital,
critical access hospital, skilled nursing facility, comprehensive outpatient
rehabilitation facility, home health agency, [or] hospice program . . . ."
Id. § 1395x(u). And a "provider of medical and other health services" is
any person who provides any of a long list of such services, including
"physicians' services," "services and supplies . . . furnished as an incident to
a physician's professional service, of kinds which are commonly furnished in
physicians' offices and are commonly either rendered without charge or included
in the physicians' bills," "outpatient physical therapy services," "qualified
psychologist services," "clinical social worker services," and certain services
"performed by a nurse practitioner or clinical nurse specialist." Id. §
1395x(s). These health care providers only qualify as covered entities if they
"transmit[] any health information in electronic form in connection with"
certain transactions described in section 1320d-2. Id. § 1320d-1(a)(3).
The regulations further define the covered entities. See 45 C.F.R. §
160.103.
These covered entities must comply with the regulations promulgated pursuant
to Part C. Section 1320d-4 requires compliance with the regulations within a
certain time period by "each person to whom the standard or implementation
specification [adopted or established under sections 1320d-1 and 1320d-2]
applies." 42 U.S.C. § 1320d-4(b). Failure to comply with the regulations may
render the covered entity either civilly or criminally liable.
The statute grants to the Secretary of HHS the authority for civil
enforcement of the standards. Section 1320d-5(a) states, "Except as provided in
subsection (b) of this section, the Secretary shall impose on any person who
violates a provision of this part a penalty of not more than $100 for each such
violation . . . ." Id. § 1320d-5(a)(1). Subsection (b) provides for three
exceptions. First, a civil "penalty may not be imposed . . . with respect to an
act if the act constitutes an offense punishable under" the criminal enforcement
provision. Id. § 1320d-5(b)(1). Second, a civil "penalty may not be
imposed . . . with respect to a provision of this part if it is established to
the satisfaction of the Secretary that the person liable for the penalty did not
know, and by exercising reasonable diligence would not have known, that such
person violated the provision." Id. § 1320d-5(b)(2). Third, a civil
"penalty may not be imposed . . . if the failure to comply was due to reasonable
cause and not to willful neglect; and the failure to comply is corrected" within
a specified period of time. Id. § 1320d-5(b)(3).
The statute prescribes criminal sanctions only for those violations of the
standards that involve the disclosure of "unique health identifiers," id.
§ 1320d-6(a), or of "individually identifiable health information," id.,
that is, that subset of health information that, inter alia, "identifies
the individual" or "with respect to which there is a reasonable basis to believe
that the information can be used to identify the individual," id. §
1320d(6). More specifically, section 1320d-6(a) provides:
A person who knowingly and in violation of this part—
(1) uses
or causes to be used a unique health identifier;
(2) obtains individually
identifiable health information relating to an individual; or
(3) discloses
individually identifiable health information to another person, shall be
punished as provided in subsection (b) of this section.
Id. § 1320d-6(a). Subsection (b) sets forth a tiered
penalty scheme. A violation of subsection (a) is punishable generally as a
misdemeanor by a fine of not more than $50,000 and/or imprisonment for not more
than one year. Id. § 1320d-6(b)(1). Certain aggravating circumstances may
make the offense a felony. Subsection (b)(2) provides for a maximum penalty of a
$100,000 fine and/or five-year imprisonment for violations committed under false
pretenses. Id. § 1320d-6(b)(2). And subsection (b)(3) reserves the
statute's highest penalties—a fine of not more than $250,000 and/or imprisonment
of not more than ten years—for those offenses committed "with intent to sell,
transfer, or use individually identifiable health information for commercial
advantage, personal gain, or malicious harm." Id. § 1320d-6(b)(3).
II.
A.
We address first which persons may be prosecuted under the criminal
enforcement provision, section 1320d-6. Specifically, we address whether section
1320d-6 renders liable only covered entities or whether the provision applies to
any person who does an act described in that provision, including, in
particular, a person who obtains protected health information in a manner that
causes a covered entity to violate the statute or regulations. We conclude that
an analysis of liability under section 1320d-6 must begin with covered entities,
the only persons to whom the standards apply. If the covered entity is not an
individual, general principles of corporate criminal liability will determine
the entity's liability and that of individuals within the entity, including
directors, officers, and employees. Finally, certain conduct of these
individuals and that of other persons outside the covered entity, including of
recipients of protected information, may be prosecuted in accordance with
principles of aiding and abetting liability and of conspiracy liability.
We begin with the language of the statute. See Liparota v. United
States, 471 U.S. 419, 424 (1985) ("The definition of the elements of a
criminal offense is entrusted to the legislature, particularly in the case of
federal crimes, which are solely the creatures of statute."). Section 1320d-6(a)
states that:
A person who knowingly and in violation of this part—
(1) uses
or causes to be used a unique health identifier;
(2) obtains individually
identifiable health information relating to an individual;
or
(3)
discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section.
42 U.S.C. § 1320d-6(a). Because Congress enacted the
Administrative Simplification provisions for the express purpose of facilitating
the use of health identifiers and the acquisition and disclosure of health
information, an act listed in subsections (a)(1) to (a)(3) must be done "in
violation of this part" in order to constitute a criminal offense. The phrase
"this part" refers to "Part C – Administrative Simplification," codified at
sections 1320d to 1320d-8. Section 1320d-1(a) makes clear that the standards
promulgated under Part C apply only to covered entities: "Applicability. Any
standard adopted under this part shall apply, in whole or in part, to the
following persons: (1) A health plan. (2) A health care clearinghouse. (3)
[Certain] health care provider[s.]" Id. § 1320d-1(a); see also 45
C.F.R. § 160.102(a); id. § 162.100; id. § 164.104; Exec. Order No.
13,181, 65 F.R. 81,321 (Dec. 20, 2000), reprinted in 42 U.S.C. § 1320d-2
note ("HIPPA applies only to 'covered entities,' such as health care plans,
providers, and clearinghouses. HIPAA regulations therefore do not apply to other
organizations and individuals that gain access to protected health information .
. . ."). Congress expanded this list to include Medicare prescription drug card
sponsors "for purposes of applying part C['s]" Administrative Simplification
provisions. 42 U.S.C.A. § 1395w-141(h)(6). And these provisions require only
"each person to whom the standard or implementation specification applies"—i.e.,
the covered entities—to comply with it. Id. § 1320d-4(b). Because Part C
makes the standards applicable only to covered entities and because it mandates
compliance only by covered entities, only a covered entity may do one of the
three listed acts "in violation of this part." Other persons cannot violate Part
C directly because the part simply does not apply to them. When the covered
entity is not an individual, principles of corporate criminal liability
discussed infra will determine when a covered entity has violated Part C
and when these violations can be attributed to individuals in the entity.
That the statute criminalizes the "obtain[ing]" of individually identifiable
health information in violation of Part C, id. § 1320d-6(a)(2), in
addition to its disclosure, does not convince us that our reading of section
1320d-6 according to its plain terms is incorrect. It could be argued that, by
including a distinct prohibition on obtaining health information, the law was
intended to reach the acquisition of health information by a person who is not a
covered entity but who "obtains" it from such an entity in a manner that causes
the entity to violate Part C. Id. Further examining the statute and the
regulations, however, reveals that the inclusion of section 1320d-6(a)(2) merely
reflects the fact that the statute and the regulations limit the acquisition, as
well as the disclosure and use, of information by covered entities. Those
sections of the statute authorizing the Secretary of HHS to promulgate
regulations speak broadly of adopting standards, inter alia, "for transactions,"
"providing for a standard unique health identifier," and concerning "security."
See id. § 1320d-2. They do not speak only of regulations governing the
"use" and "disclosure" of information; the language used in these provisions
easily encompasses the acquisition of information. Pursuant to this
authority, the Secretary has promulgated regulations governing the acquisition
of certain information by a covered entity. See, e.g., 45 C.F.R. §
164.500(b)(1) ("When a health care clearinghouse creates or receives
protected health information . . . .") (emphasis added); id. §
164.502(b)(1) ("When using or disclosing protected health information or when
requesting protected health information from another covered entity . . .
.") (emphasis added); id. § 164.514(d)(4)(i) ("A covered entity must
limit any request for protected health information to that which is
reasonably necessary . . . .") (emphasis added). Failure to comply with these
regulations may render a covered entity liable for "obtain[ing] individually
identifiable health information" "in violation of this part." 42 U.S.C. §
1320d-6(a)(2).
The difference between the language used in the civil enforcement provision
and that used in the criminal enforcement provision does not support a broader
reading of section 1320d-6. The civil enforcement provision makes liable "any
person who violates a provision of this part." Id. § 1320d-5(a)(1). The
criminal enforcement provision makes it a crime to do certain acts "knowingly
and in violation of this part." Id. § 1320d-6(a). To be sure, the statute
must be read as a whole and variations in the language of closely related
provisions should be given effect if possible. See Bryan v. United
States, 524 U.S. 184, 191-93 (1998) (interpreting the requirement that an
act be done "willfully" in one subsection of the statute by reference to the
"knowingly" requirement contained in other subsections of the same statute).
Here, however, the difference in phrasing used in the two provisions does not
constitute a basis for concluding that section 1320d-6 reaches persons who are
not, or are not part of, a covered entity. Section 1320d-6's use of "in
violation of," as opposed to "who violates," reflects only the difference in the
scope of the conduct proscribed by the two sections. Section 1320d-5 is phrased
as it is—"any person who violates a provision of this part"—because a violation
of any of the standards subjects the violator to civil penalties. See 42
U.S.C. § 1320d-5(a). In contrast, criminal punishment is restricted to those
violations of the standards—specified in subsections (a)(1) to (a)(3)—that
involve the improper use, acquisition, or disclosure of individually
identifiable health information or unique health identifiers. See id. §
1320d-6(a). Section 1320d-6(a) makes liable a person who "uses or causes to be
used," "obtains," or "discloses" such health information. Id. Having
described the prohibited acts using present tense verbs, the provision could not
retain the "violates this part" formulation; instead, it uses "in violation of
this part" to make clear that only those uses, acquisitions, and disclosures in
a manner contrary to the regulations are illegal. The difference in language
between section 1320d-5 and section 1320d-6 is thus best understood as nothing
more than a grammatical accommodation resulting from the need to describe the
acts for which section 1320d-6 prescribes criminal liability.
Although we conclude that Part C applies only to covered entities, we do not
read the term "person" at the beginning of section 1320d-6 to mean "covered
entity." Such a reading would not only be contrary to the language of that
provision but also create tension with other parts of the statute that appear to
use the term broadly, see, e.g., id. § 1320d-6(a)(3) (prohibiting
"disclos[ures] to another person"), and with the Dictionary Act, codified at 1
U.S.C. § 1 (2000), which sets forth a presumptively broad definition of person
wherever the term is used in the United States Code, a definition
presumptively applicable here because the defined terms specific to Part C do
not include the term "person." See 42 U.S.C. § 1320d. We conclude only
that the phrase "in violation of this part" restricts the universe of persons
who may be prosecuted directly. Section 1320d-6 provides criminal penalties for
"person[s]" who perform the listed acts "knowingly" and "in violation of this
part." Id. § 1320d-6. The "in violation of this part" limitation on the
scope of liability—like the "knowingly" requirement—is distinct from the
definition of "person." It describes that subset of persons who may be held
liable, provided that the other elements of the offense are also satisfied.
Under this reading of the statute, section 1320d-6(a)(3) continues to make
"covered entities" liable for disclosure to any "person."
We have considered other laws using the phrase "in violation of." None of
these laws supports the view that, as used in 42 U.S.C. § 1320d-6, the phrase
should be read more expansively than we conclude. For instance, several of these
laws apply to the public generally, and, accordingly, do not shed light on
whether section 1320d-6 allows direct prosecutions of persons other than those
to whom the substantive requirements of HIPAA's Part C apply. See, e.g.,
18 U.S.C. § 547 (2000) ("Whoever receives or deposits merchandise in any
building upon the boundary line between the United States and any foreign
country, or carries merchandise through the same, in violation of law . .
. .") (emphasis added); 18 U.S.C.A. § 1590 (West Supp. 2004) ("Whoever knowingly
recruits, harbors, transports, provides, or obtains by any means, any person for
labor or services in violation of this chapter . . . .") (emphasis
added). And the phrasing of other laws makes it clear that "in violation of"
describes an item involved in the prohibited act, as opposed to the act itself.
For instance, 18 U.S.C. § 2113(c) (2000) penalizes "[w]hoever receives . . .
property . . . which has been taken . . . in violation of subsection (b) . . .
." Id. In this case, the placement of the phrase "in violation of"
following the word "which" makes plain that the phrase describes only the
property, a reading confirmed by the provision's use of the passive "has been
taken." Id.; see also 18 U.S.C. § 1170(b) (2000) ("Whoever
knowingly sells, purchases, uses for profit, or transports for sale or profit
any Native American cultural items obtained in violation of the Native
American Grave Protection and Repatriation Act . . . .") (emphasis added). In
contrast, the phrase "in violation of" in section 1320d-6 does not modify the
type of health care information involved in the offense; rather, it relates
directly to the acts prohibited by the provision (i.e., "uses or causes to be
used," "obtains," or "discloses"). Finally, we have reviewed the cases
interpreting these and other potentially analogous provisions and have found
none that would cause us to read section 1320d-6 in any way other than in
accordance with its plain meaning.
We conclude, therefore, that an assessment of liability under section 1320d-6
must begin with covered entities. The statute and regulations determine which
individuals and entities qualify as a "covered entity." See 42 U.S.C. §
1320d; id. § 1395w-141(h)(1); id. § 1395x; 45 C.F.R. § 160.103. A health care
provider, is any "person furnishing health care services or supplies," and will
be either an individual or an entity. 42 U.S.C. § 1320d(3); see also id.
§ 1395x. In contrast, a "health care clearinghouse," "health plan," and Medicare
"prescription drug card sponsor" will virtually never be an individual. See
id. § 1320d(2) & (5); id. § 1395w-141(h)(1)(A). When the covered
entity is not an individual, principles of corporate criminal liability will
determine the entity's liability and the potential liability of particular
individuals who act for the entity. Although we do not elaborate these
principles here, in general, the conduct of an entity's agents may be imputed to
the entity when the agents act within the scope of their employment, and the
criminal intent of agents may be imputed to the entity when the agents act on
its behalf. See Kathleen F. Brickley, Corporate Criminal Liability
§§ 3-4 (2d ed. 1992). In addition, we recognize that, at least in limited
circumstances, the criminal liability of the entity has been attributed to
individuals in managerial roles, including, at times, to individuals with no
direct involvement in the offense. See id. § 5. Consistent with
these general principles, it may be that such individuals in particular cases
may be prosecuted directly under section 1320d-6.
Other conduct that may not be prosecuted under section 1320d-6 directly may
be prosecuted according to principles either of aiding and abetting liability or
of conspiracy liability. The aiding and
abetting statute renders "punishable as a principal" anyone who "commits an
offense against the United States or aids, abets, counsels, commands, induces or
procures its commission" and anyone who "willfully causes an act to be done
which if directly performed by him or another would be an offense against the
United States." 18 U.S.C. § 2 (2000). And the conspiracy statute prescribes
punishment "if two or more persons conspire . . . to commit any offense against
the United States . . . and one or more of such persons do any act to effect the
object of the conspiracy." 18 U.S.C. § 371 (2000). Further
discussion of corporate criminal liability, aiding and abetting liability, and
conspiracy liability in the absence of a specific factual context would be
unfruitful, particularly because the contours of these legal principles may vary
by jurisdiction. Accordingly, we leave the scope of criminal liability under
these principles for consideration in the ordinary course of prosecutions.
B.
We address next whether the "knowingly" element of the offense set forth in
42 U.S.C. § 1320d-6 requires the Government to prove only knowledge of the facts
that constitute the offense or whether this element also requires proof that the
defendant knew that the act violated the law. We conclude that the "knowingly"
element is best read, consistent with its ordinary meaning, to require only
proof of knowledge of the facts that constitute the offense.
We begin again with the text of 42 U.S.C. § 1320d-6(a). See Liparota,
471 U.S. at 424.
A person who knowingly and in violation of this part—
(1) uses
or causes to be used a unique health identifier;
(2) obtains individually
identifiable health information relating to an individual;
or
(3)
discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section.
42 U.S.C. § 1320d-6(a). A plain reading of the text indicates
that a person need not know that commission of an act described in subsections
(a)(1) to (a)(3) violates the law in order to satisfy the "knowingly" element of
the offense. Section 1320d-6 makes the requirements that the act be done
"knowingly" and that it be done "in violation of this part" two distinct
requirements. Id. § 1320d-6. These two elements do not modify each other;
rather, they independently modify "uses or causes to be used," "obtains," and
"discloses." For example, defendants will be guilty of an offense if they both
"knowingly" "disclose[] individually identifiable health information" and they
"in violation of this part" "disclose[] individually identifiable health
information." The view that the statute requires proof of knowledge of the law
effectively reads "knowingly" to refer to the "violation of this part." But this
reading is contrary to the plain language of the statute, which sets forth these
terms as two separate elements each independently modifying the third element,
i.e., one of the listed acts. Accordingly, to incur criminal liability, a
defendant need have knowledge only of those facts that constitute the
offense.
Our reading of the "knowingly" element of the offense comports with the usual
understanding of the term. The Supreme Court has stated that "unless the text of
the statute dictates a different result, the term 'knowingly' merely requires
proof of knowledge of the facts that constitute the offense." Bryan, 524
U.S. at 193 (footnote omitted) ("[T]he term 'knowingly' does not necessarily
have any reference to a culpable state of mind or to knowledge of the law."). As
set forth above, the text of section 1320d-6 does not "dictate[] a different
result." Bryan, 524 U.S. at 193. In fact, its text dictates an
interpretation consistent with the ordinary understanding of "knowingly" as
referring only to "knowledge of the facts that constitute the offense."
Id.
The plain meaning of the "knowingly" element of section 1320d-6 must control,
"at least where the disposition required by the text is not absurd." Hartford
Underwriters Ins. Co. v. Union Planters Bank, N.A., 530 U.S. 1, 6 (2000). We
consider whether our reading of the criminal provision is absurd in light of the
possible exception to civil liability for reasonable ignorance of the law.
Sections 1320d-5 and 1320d-6 operate in a complementary fashion, covering
mutually exclusive conduct. See 42 U.S.C § 1320d-5(b)(1) (excepting from
civil penalties an act that "constitutes an offense punishable under section
1320d-6 of this title."). The civil
enforcement section provides, "A penalty may not be imposed . . . if . . . the
person liable for the penalty did not know, and by exercising reasonable
diligence would not have known, that such person violated the provision."
Id. § 1320d-5(b)(2). Section 1320d-5 therefore may be read to premise
civil liability on knowledge that the act in question violated the applicable
standard, not just on knowledge that the particular act occurred.
If civil sanctions (of fines up to $100) may be avoided by establishing
reasonable ignorance of the law, it might at first blush appear to be an absurd
result to conclude that the significantly more serious criminal punishments (of
fines up to $250,000 and imprisonment of up to ten years) may not be similarly
excused.
The absurd results canon of construction is "rarely invoke[d] . . . to
override unambiguous legislation." Barnhart v. Sigmon Coal Co., Inc., 534
U.S. 438, 459 (2002); Public Citizen v. U.S. Dep't of Justice, 491 U.S.
440, 470-71 (1989) (Kennedy, J., concurring) (noting that the canon is limited
"to situations where the result of applying the plain language would be, in a
genuine sense, absurd, i.e., where it is quite impossible that Congress could
have intended the result, and where the alleged absurdity is so clear as to be
obvious to most anyone."). Applying the usual definition of "knowingly" here
does not yield an absurd result, and certainly not one so absurd that it would
cause us to read the statute contrary to its plain meaning. The argument that
the statute should not be read so as to impose criminal punishment on the basis
of a lesser degree of intent than that required for civil sanction would be more
compelling if sections 1320d-5 and 1320d-6 covered the same acts. But they do
not. See 42 U.S.C. § 1320d-5(b)(1). Civil sanctions may be imposed for
violations of a wide variety of regulations. For these violations, the statute
provides a maximum $100 fine and sets forth certain exceptions to liability.
See id. § 1320d-5 ("General penalty for failure to comply with
requirements and standards"). In contrast, of
all the possible violations of the regulations, section 1320d-6 carves out a
limited set and subjects them to criminal punishment. Such punishment is
reserved for violations involving "unique health identifiers" and "individually
identifiable health information." See id. § 1320d-6 ("Wrongful disclosure
of individually identifiable health information"). Thus, the statute reflects a
heightened concern for violations that intrude upon the medical privacy of
individuals. In light of this concern, there is nothing obviously absurd about
the statute's allowing a defense of reasonable ignorance of the law for those
regulatory violations subject to civil penalty, but withholding this defense
with respect to those violations that threaten the privacy of individuals.
Accordingly, even reading section 1320d-6 in light of section 1320d-5(b)'s
exception to civil liability for reasonable ignorance of the law gives us no
reason to doubt that the plain and ordinary meaning of the "knowingly" element
of section 1320d-6 is the correct one.
Nor is it proper to apply here the exception to the usual meaning of
"knowingly" exemplified by Liparota. See 471 U.S. at 424-28.
Liparota is the case cited by the Supreme Court in Bryan as an
example of the exception to the rule—when "the text of the statute dictates a
different result"—that "knowingly" refers to the facts that constitute the
offense and not to the law. 524 U.S. at 193 & n.15. In Liparota, the
Supreme Court held that a statute forbidding fraudulent use of food stamps
required proof of knowledge that the use was unauthorized. See 471 U.S.
at 433. The statute in that case read: "whoever knowingly uses, transfers,
acquires, alters, or possesses coupons or authorization cards in any manner not
authorized by this chapter or the regulations issued pursuant to this chapter"
shall be guilty of a criminal offense. See id. at 420-21 n.1 (quoting 7
U.S.C. § 2024(b)(1)). This language is at least ambiguous; "knowingly" may
modify, for example, either only the verb "uses" or it may modify the entire
verbal phrase "uses . . . in any manner not authorized." Id.; see
id. at 424 (The "interpretations proffered by both parties accord with
congressional intent . . . . [T]he words themselves provide little guidance.
Either interpretation would accord with ordinary usage."); id. at 424 n.7
(referring to the statutory language and noting that "[o]ne treatise has aptly
summed up the ambiguity in an analogous situation.") (emphasis added).
But see Bryan, 524 U.S. at 193 n.15 (citations omitted) (In
Liparota, "we concluded that both the term 'knowing' . . . and the term
'knowingly' . . . literally referred to knowledge of the law as well as
knowledge of the relevant facts."). The Supreme Court then considered the
presumption that criminal statutes contain a mens rea element, applied the rule
of lenity, and rested its interpretation, in large part, on the concern that the
contrary reading would "criminalize a broad range of apparently innocent
conduct." See Liparota, 471 U.S. at 426-27.
Here, the "knowingly" element of section 1320d-6 is not ambiguous, see
supra; thus, it would be inappropriate to resort to the rule of lenity.
See Chapman v. United States, 500 U.S. 453, 463 (1991) ("The rule of
lenity . . . is not applicable unless there is a grievous ambiguity or
uncertainty in the language and structure of the Act . . . .") (citation and
quotation omitted). Moreover, our interpretation of "knowingly" does not
dispense with the mens rea requirement of section 1320d-6 and create a
strict liability offense; satisfaction of the "knowingly" element will still
require proof that the defendant knew the facts that constitute the offense.
See Staples v. United States, 511 U.S. 600, 622 n.3 (1994) (Ginsburg, J.,
concurring) (quotations and citations omitted) ("The mens rea presumption
requires knowledge only of the facts that make the defendant's conduct illegal,
lest it conflict with the related presumption, deeply rooted in the American
legal system, that, ordinarily, ignorance of the law or a mistake of law is no
defense to criminal prosecution."). Finally, the concern expressed in
Liparota about criminalizing a broad swath of seemingly innocent conduct
is less present here. The statute in Liparota criminalized the
unauthorized use of food stamps by any participant in the program, as well as by
any person who might come in possession of these stamps. See 471 U.S. at
426-27. In contrast, section 1320d-6, as we conclude above, applies directly to
covered entities. These covered entities—health plans, health care
clearinghouses, certain health care providers, and Medicare prescription drug
card sponsors—are likely well aware that the health care business they conduct
is heavily regulated by HIPAA and other laws. To the extent that some concern
remains, it is insufficient to override the plain meaning of the statute.
Accordingly, Liparota provides no support for giving "knowingly" in
section 1320d-6 a meaning different from its usual understanding as referring
only to knowledge of the facts that constitute the offense.
* * *
For the foregoing reasons, we conclude that covered entities and those
persons rendered accountable by general principles of corporate criminal
liability may be prosecuted directly under 42 U.S.C. § 1320d-6 and that the
"knowingly" element of the offense set forth in that provision requires only
proof of knowledge of the facts that constitute the offense.
| Enforcement Actions Ensure Patients Receive Timely Access to their Records, at a Reasonable Cost Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three investigations concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's patient right of access provision. These cases are part of a collective effort, bringing the total 41 cases, to drive compliance on right of access under the law. “These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA ...read more |
| Physician Revises Faxing Procedures to Safeguard PHI Covered Entity: Health Care Provider Issue: Safeguards A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient. The office informed all its employees of the ...read more |
| Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives? No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information ...read more |
| Dentist Revises Process to Safeguard Medical Alert PHI Covered Entity: Health Care Provider Issue: Safeguards, Minimum Necessary An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. To resolve this matter, OCR also required the practice to revise its policies and operating ...read more |
|
December 2024
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
| 29 | 30 | 31 |
|
Blog Home
Newest Blog Entries
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
11/12/22 Must a covered entity inform individuals in advance of any fees that may be charged when the individuals request a copy of their PHI?
Blog Archives
November 2022 (54)
Blog Labels
Telehealth (1)
HIPAA (2)
HIPAA Enforcement (3)
Covered Entity (40)
EHR Fraud (1)
BAA (3)
PPP Fraud (1)
Data Breach (1)
ePHI (2)
|
