SCOPE OF CRIMINAL ENFORCEMENT UNDER 42 U.S.C. § 1320d-6

Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6, and the knowingly element of the offense set forth in that provision requires only proof of knowledge of the facts that constitute the offense.

MEMORANDUM OPINION FOR

THE GENERAL COUNSEL
DEPARTMENT OF HEALTH AND HUMAN SERVICES

AND

THE SENIOR COUNSEL
TO THE DEPUTY ATTORNEY GENERAL

You have asked jointly for our opinion concerning the scope of 42 U.S.C. § 1320d-6 (2000), the criminal enforcement provision of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 ("HIPAA"). Specifically, you have asked, first, whether the only persons who may be directly liable under section 1320d-6 are those persons to whom the substantive requirements of the subtitle, as set forth in the regulations promulgated thereunder, apply—i.e., health plans, health care clearinghouses, certain health care providers, and Medicare prescription drug card sponsors—or whether this provision may also render directly liable other persons, particularly those who obtain protected health information in a manner that causes a person to whom the substantive requirements of the subtitle apply to release the information in violation of that law. We conclude that health plans, health care clearinghouses, those health care providers specified in the statute, and Medicare prescription drug card sponsors may be prosecuted for violations of section 1320d-6. In addition, depending on the facts of a given case, certain directors, officers, and employees of these entities may be liable directly under section 1320d-6, in accordance with general principles of corporate criminal liability, as these principles are developed in the course of particular prosecutions. Other persons may not be liable directly under this provision. The liability of persons for conduct that may not be prosecuted directly under section 1320d-6 will be determined by principles of aiding and abetting liability and of conspiracy liability. Second, you have asked whether the "knowingly" element of section 1320d-6 requires only proof of knowledge of the facts that constitute the offense or whether this element also requires proof of knowledge that the conduct was contrary to the statute or regulations. We conclude that "knowingly" refers only to knowledge of the facts that constitute the offense.1

I.

Congress enacted the Administrative Simplification provisions of HIPAA to improve "the efficiency and effectiveness of the health care system" by providing for the "establishment of standards and requirements for the electronic transmission of certain health information." 42 U.S.C. § 1320d note. These provisions added a new "Part C: Administrative Simplification" to Title XI of the Social Security Act and have been codified at 42 U.S.C. §§ 1320d-1320d-8. Part C directs the Secretary of the Department of Health and Human Services ("HHS") to "adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically." Id. § 1320d-2(a)(1); see also id. § 1320d-2(b)(1) (requiring the Secretary to adopt standards concerning unique health identifiers); id. § 1320d-2(c)(1) (same with respect to code sets); id. § 1320d-2(d)(1) (same with respect to security); id. § 1320d-2(e)(1) (same with respect to electronic signatures); id. § 1320d-2(f) (same with respect to transfer of information among health plans). Various provisions of this part further specify the standards to be adopted, the factors the Secretary must consider, the procedures for promulgating the standards, and the timetable for their adoption. Id. §§ 1320d-1 to 1320d-3. Pursuant to this authority, the Secretary has adopted standards and specifications for implementing them. See 45 C.F.R. pts. 160-164 (2004).

Id. § 1320d-1; see also 45 C.F.R. § 160.102(a) (with respect to general administrative requirements "[e]xcept as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to" the entities listed in section 1320d-1); id. § 162.100 (same with respect to additional administrative requirements); id. § 164.104 (same with respect to security and privacy regulations). The regulations refer to each of these three groups of persons as a "covered entity." Id. § 160.103. To this list of persons to whom the standards apply, Congress later added Medicare prescription drug card sponsors. See Medicare Prescription Drug, Improvement and Modernization Act of 2003, Pub. L. No. 108-173, § 101(a)(2), 117 Stat. 2071, 2144 ("For purposes of the program under this section, the operations of an endorsed program are covered functions and a prescription drug card sponsor is a covered entity for purposes of applying part C of title XI and all regulatory provisions promulgated thereunder. . . ."), codified at 42 U.S.C.A. § 1395w-141(h)(6) (West 2004).

Various statutes and regulations define these four categories of covered entities. A "prescription drug card sponsor" is "any nongovernmental entity that the Secretary [of HHS] determines to be appropriate to offer an endorsed discount card program," including "a pharmaceutical benefit management company" and "an insurer." 42 U.S.C.A § 1395w-141(h)(1)(A). A "health plan" is "an individual or group plan that provides, or pays the cost of, medical care . . . ." Id. § 1320d(5). A "health care clearinghouse" is an "entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements." Id. § 1320d(2). Finally, a "health care provider" is any "person furnishing health care services or supplies," including a "provider of services" and a "provider of medical or other health services." Id. § 1320d(3). These latter two terms are further defined in 42 U.S.C. § 1395x. A "provider of services" is a "hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, [or] hospice program . . . ." Id. § 1395x(u). And a "provider of medical and other health services" is any person who provides any of a long list of such services, including "physicians' services," "services and supplies . . . furnished as an incident to a physician's professional service, of kinds which are commonly furnished in physicians' offices and are commonly either rendered without charge or included in the physicians' bills," "outpatient physical therapy services," "qualified psychologist services," "clinical social worker services," and certain services "performed by a nurse practitioner or clinical nurse specialist." Id. § 1395x(s). These health care providers only qualify as covered entities if they "transmit[] any health information in electronic form in connection with" certain transactions described in section 1320d-2. Id. § 1320d-1(a)(3). The regulations further define the covered entities. See 45 C.F.R. § 160.103.

These covered entities must comply with the regulations promulgated pursuant to Part C. Section 1320d-4 requires compliance with the regulations within a certain time period by "each person to whom the standard or implementation specification [adopted or established under sections 1320d-1 and 1320d-2] applies." 42 U.S.C. § 1320d-4(b). Failure to comply with the regulations may render the covered entity either civilly or criminally liable.

The statute grants to the Secretary of HHS the authority for civil enforcement of the standards. Section 1320d-5(a) states, "Except as provided in subsection (b) of this section, the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation . . . ." Id. § 1320d-5(a)(1). Subsection (b) provides for three exceptions. First, a civil "penalty may not be imposed . . . with respect to an act if the act constitutes an offense punishable under" the criminal enforcement provision. Id. § 1320d-5(b)(1). Second, a civil "penalty may not be imposed . . . with respect to a provision of this part if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision." Id. § 1320d-5(b)(2). Third, a civil "penalty may not be imposed . . . if the failure to comply was due to reasonable cause and not to willful neglect; and the failure to comply is corrected" within a specified period of time. Id. § 1320d-5(b)(3).

The statute prescribes criminal sanctions only for those violations of the standards that involve the disclosure of "unique health identifiers," id. § 1320d-6(a), or of "individually identifiable health information," id., that is, that subset of health information that, inter alia, "identifies the individual" or "with respect to which there is a reasonable basis to believe that the information can be used to identify the individual," id. § 1320d(6). More specifically, section 1320d-6(a) provides:

Id. § 1320d-6(a). Subsection (b) sets forth a tiered penalty scheme. A violation of subsection (a) is punishable generally as a misdemeanor by a fine of not more than $50,000 and/or imprisonment for not more than one year. Id. § 1320d-6(b)(1). Certain aggravating circumstances may make the offense a felony. Subsection (b)(2) provides for a maximum penalty of a $100,000 fine and/or five-year imprisonment for violations committed under false pretenses. Id. § 1320d-6(b)(2). And subsection (b)(3) reserves the statute's highest penalties—a fine of not more than $250,000 and/or imprisonment of not more than ten years—for those offenses committed "with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm." Id. § 1320d-6(b)(3).

II.

A.

We address first which persons may be prosecuted under the criminal enforcement provision, section 1320d-6. Specifically, we address whether section 1320d-6 renders liable only covered entities or whether the provision applies to any person who does an act described in that provision, including, in particular, a person who obtains protected health information in a manner that causes a covered entity to violate the statute or regulations. We conclude that an analysis of liability under section 1320d-6 must begin with covered entities, the only persons to whom the standards apply. If the covered entity is not an individual, general principles of corporate criminal liability will determine the entity's liability and that of individuals within the entity, including directors, officers, and employees. Finally, certain conduct of these individuals and that of other persons outside the covered entity, including of recipients of protected information, may be prosecuted in accordance with principles of aiding and abetting liability and of conspiracy liability.

We begin with the language of the statute. See Liparota v. United States, 471 U.S. 419, 424 (1985) ("The definition of the elements of a criminal offense is entrusted to the legislature, particularly in the case of federal crimes, which are solely the creatures of statute."). Section 1320d-6(a) states that:

42 U.S.C. § 1320d-6(a). Because Congress enacted the Administrative Simplification provisions for the express purpose of facilitating the use of health identifiers and the acquisition and disclosure of health information, an act listed in subsections (a)(1) to (a)(3) must be done "in violation of this part" in order to constitute a criminal offense. The phrase "this part" refers to "Part C – Administrative Simplification," codified at sections 1320d to 1320d-8. Section 1320d-1(a) makes clear that the standards promulgated under Part C apply only to covered entities: "Applicability. Any standard adopted under this part shall apply, in whole or in part, to the following persons: (1) A health plan. (2) A health care clearinghouse. (3) [Certain] health care provider[s.]" Id. § 1320d-1(a); see also 45 C.F.R. § 160.102(a); id. § 162.100; id. § 164.104; Exec. Order No. 13,181, 65 F.R. 81,321 (Dec. 20, 2000), reprinted in 42 U.S.C. § 1320d-2 note ("HIPPA applies only to 'covered entities,' such as health care plans, providers, and clearinghouses. HIPAA regulations therefore do not apply to other organizations and individuals that gain access to protected health information . . . ."). Congress expanded this list to include Medicare prescription drug card sponsors "for purposes of applying part C['s]" Administrative Simplification provisions. 42 U.S.C.A. § 1395w-141(h)(6). And these provisions require only "each person to whom the standard or implementation specification applies"—i.e., the covered entities—to comply with it. Id. § 1320d-4(b). Because Part C makes the standards applicable only to covered entities and because it mandates compliance only by covered entities, only a covered entity may do one of the three listed acts "in violation of this part." Other persons cannot violate Part C directly because the part simply does not apply to them. When the covered entity is not an individual, principles of corporate criminal liability discussed infra will determine when a covered entity has violated Part C and when these violations can be attributed to individuals in the entity.2

That the statute criminalizes the "obtain[ing]" of individually identifiable health information in violation of Part C, id. § 1320d-6(a)(2), in addition to its disclosure, does not convince us that our reading of section 1320d-6 according to its plain terms is incorrect. It could be argued that, by including a distinct prohibition on obtaining health information, the law was intended to reach the acquisition of health information by a person who is not a covered entity but who "obtains" it from such an entity in a manner that causes the entity to violate Part C. Id. Further examining the statute and the regulations, however, reveals that the inclusion of section 1320d-6(a)(2) merely reflects the fact that the statute and the regulations limit the acquisition, as well as the disclosure and use, of information by covered entities. Those sections of the statute authorizing the Secretary of HHS to promulgate regulations speak broadly of adopting standards, inter alia, "for transactions," "providing for a standard unique health identifier," and concerning "security." See id. § 1320d-2. They do not speak only of regulations governing the "use" and "disclosure" of information; the language used in these provisions easily encompasses the acquisition of information.3 Pursuant to this authority, the Secretary has promulgated regulations governing the acquisition of certain information by a covered entity. See, e.g., 45 C.F.R. § 164.500(b)(1) ("When a health care clearinghouse creates or receives protected health information . . . .") (emphasis added); id. § 164.502(b)(1) ("When using or disclosing protected health information or when requesting protected health information from another covered entity . . . .") (emphasis added); id. § 164.514(d)(4)(i) ("A covered entity must limit any request for protected health information to that which is reasonably necessary . . . .") (emphasis added). Failure to comply with these regulations may render a covered entity liable for "obtain[ing] individually identifiable health information" "in violation of this part." 42 U.S.C. § 1320d-6(a)(2).4

The difference between the language used in the civil enforcement provision and that used in the criminal enforcement provision does not support a broader reading of section 1320d-6. The civil enforcement provision makes liable "any person who violates a provision of this part." Id. § 1320d-5(a)(1). The criminal enforcement provision makes it a crime to do certain acts "knowingly and in violation of this part." Id. § 1320d-6(a). To be sure, the statute must be read as a whole and variations in the language of closely related provisions should be given effect if possible. See Bryan v. United States, 524 U.S. 184, 191-93 (1998) (interpreting the requirement that an act be done "willfully" in one subsection of the statute by reference to the "knowingly" requirement contained in other subsections of the same statute). Here, however, the difference in phrasing used in the two provisions does not constitute a basis for concluding that section 1320d-6 reaches persons who are not, or are not part of, a covered entity. Section 1320d-6's use of "in violation of," as opposed to "who violates," reflects only the difference in the scope of the conduct proscribed by the two sections. Section 1320d-5 is phrased as it is—"any person who violates a provision of this part"—because a violation of any of the standards subjects the violator to civil penalties. See 42 U.S.C. § 1320d-5(a). In contrast, criminal punishment is restricted to those violations of the standards—specified in subsections (a)(1) to (a)(3)—that involve the improper use, acquisition, or disclosure of individually identifiable health information or unique health identifiers. See id. § 1320d-6(a). Section 1320d-6(a) makes liable a person who "uses or causes to be used," "obtains," or "discloses" such health information. Id. Having described the prohibited acts using present tense verbs, the provision could not retain the "violates this part" formulation; instead, it uses "in violation of this part" to make clear that only those uses, acquisitions, and disclosures in a manner contrary to the regulations are illegal. The difference in language between section 1320d-5 and section 1320d-6 is thus best understood as nothing more than a grammatical accommodation resulting from the need to describe the acts for which section 1320d-6 prescribes criminal liability.5

Although we conclude that Part C applies only to covered entities, we do not read the term "person" at the beginning of section 1320d-6 to mean "covered entity." Such a reading would not only be contrary to the language of that provision but also create tension with other parts of the statute that appear to use the term broadly, see, e.g., id. § 1320d-6(a)(3) (prohibiting "disclos[ures] to another person"), and with the Dictionary Act, codified at 1 U.S.C. § 1 (2000), which sets forth a presumptively broad definition of person wherever the term is used in the United States Code,6 a definition presumptively applicable here because the defined terms specific to Part C do not include the term "person." See 42 U.S.C. § 1320d. We conclude only that the phrase "in violation of this part" restricts the universe of persons who may be prosecuted directly. Section 1320d-6 provides criminal penalties for "person[s]" who perform the listed acts "knowingly" and "in violation of this part." Id. § 1320d-6. The "in violation of this part" limitation on the scope of liability—like the "knowingly" requirement—is distinct from the definition of "person." It describes that subset of persons who may be held liable, provided that the other elements of the offense are also satisfied. Under this reading of the statute, section 1320d-6(a)(3) continues to make "covered entities" liable for disclosure to any "person."

We have considered other laws using the phrase "in violation of." None of these laws supports the view that, as used in 42 U.S.C. § 1320d-6, the phrase should be read more expansively than we conclude. For instance, several of these laws apply to the public generally, and, accordingly, do not shed light on whether section 1320d-6 allows direct prosecutions of persons other than those to whom the substantive requirements of HIPAA's Part C apply. See, e.g., 18 U.S.C. § 547 (2000) ("Whoever receives or deposits merchandise in any building upon the boundary line between the United States and any foreign country, or carries merchandise through the same, in violation of law . . . .") (emphasis added); 18 U.S.C.A. § 1590 (West Supp. 2004) ("Whoever knowingly recruits, harbors, transports, provides, or obtains by any means, any person for labor or services in violation of this chapter . . . .") (emphasis added). And the phrasing of other laws makes it clear that "in violation of" describes an item involved in the prohibited act, as opposed to the act itself. For instance, 18 U.S.C. § 2113(c) (2000) penalizes "[w]hoever receives . . . property . . . which has been taken . . . in violation of subsection (b) . . . ." Id. In this case, the placement of the phrase "in violation of" following the word "which" makes plain that the phrase describes only the property, a reading confirmed by the provision's use of the passive "has been taken." Id.; see also 18 U.S.C. § 1170(b) (2000) ("Whoever knowingly sells, purchases, uses for profit, or transports for sale or profit any Native American cultural items obtained in violation of the Native American Grave Protection and Repatriation Act . . . .") (emphasis added). In contrast, the phrase "in violation of" in section 1320d-6 does not modify the type of health care information involved in the offense; rather, it relates directly to the acts prohibited by the provision (i.e., "uses or causes to be used," "obtains," or "discloses"). Finally, we have reviewed the cases interpreting these and other potentially analogous provisions and have found none that would cause us to read section 1320d-6 in any way other than in accordance with its plain meaning.7

We conclude, therefore, that an assessment of liability under section 1320d-6 must begin with covered entities. The statute and regulations determine which individuals and entities qualify as a "covered entity." See 42 U.S.C. § 1320d; id. § 1395w-141(h)(1); id. § 1395x; 45 C.F.R. § 160.103.8 A health care provider, is any "person furnishing health care services or supplies," and will be either an individual or an entity. 42 U.S.C. § 1320d(3); see also id. § 1395x. In contrast, a "health care clearinghouse," "health plan," and Medicare "prescription drug card sponsor" will virtually never be an individual. See id. § 1320d(2) & (5); id. § 1395w-141(h)(1)(A). When the covered entity is not an individual, principles of corporate criminal liability will determine the entity's liability and the potential liability of particular individuals who act for the entity. Although we do not elaborate these principles here, in general, the conduct of an entity's agents may be imputed to the entity when the agents act within the scope of their employment, and the criminal intent of agents may be imputed to the entity when the agents act on its behalf. See Kathleen F. Brickley, Corporate Criminal Liability §§ 3-4 (2d ed. 1992). In addition, we recognize that, at least in limited circumstances, the criminal liability of the entity has been attributed to individuals in managerial roles, including, at times, to individuals with no direct involvement in the offense. See id. § 5.9 Consistent with these general principles, it may be that such individuals in particular cases may be prosecuted directly under section 1320d-6.

Other conduct that may not be prosecuted under section 1320d-6 directly may be prosecuted according to principles either of aiding and abetting liability or of conspiracy liability.10 The aiding and abetting statute renders "punishable as a principal" anyone who "commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission" and anyone who "willfully causes an act to be done which if directly performed by him or another would be an offense against the United States." 18 U.S.C. § 2 (2000). And the conspiracy statute prescribes punishment "if two or more persons conspire . . . to commit any offense against the United States . . . and one or more of such persons do any act to effect the object of the conspiracy." 18 U.S.C. § 371 (2000).11 Further discussion of corporate criminal liability, aiding and abetting liability, and conspiracy liability in the absence of a specific factual context would be unfruitful, particularly because the contours of these legal principles may vary by jurisdiction. Accordingly, we leave the scope of criminal liability under these principles for consideration in the ordinary course of prosecutions.12

B.

We address next whether the "knowingly" element of the offense set forth in 42 U.S.C. § 1320d-6 requires the Government to prove only knowledge of the facts that constitute the offense or whether this element also requires proof that the defendant knew that the act violated the law. We conclude that the "knowingly" element is best read, consistent with its ordinary meaning, to require only proof of knowledge of the facts that constitute the offense.

We begin again with the text of 42 U.S.C. § 1320d-6(a). See Liparota, 471 U.S. at 424.

42 U.S.C. § 1320d-6(a). A plain reading of the text indicates that a person need not know that commission of an act described in subsections (a)(1) to (a)(3) violates the law in order to satisfy the "knowingly" element of the offense. Section 1320d-6 makes the requirements that the act be done "knowingly" and that it be done "in violation of this part" two distinct requirements. Id. § 1320d-6. These two elements do not modify each other; rather, they independently modify "uses or causes to be used," "obtains," and "discloses." For example, defendants will be guilty of an offense if they both "knowingly" "disclose[] individually identifiable health information" and they "in violation of this part" "disclose[] individually identifiable health information." The view that the statute requires proof of knowledge of the law effectively reads "knowingly" to refer to the "violation of this part." But this reading is contrary to the plain language of the statute, which sets forth these terms as two separate elements each independently modifying the third element, i.e., one of the listed acts. Accordingly, to incur criminal liability, a defendant need have knowledge only of those facts that constitute the offense.

Our reading of the "knowingly" element of the offense comports with the usual understanding of the term. The Supreme Court has stated that "unless the text of the statute dictates a different result, the term 'knowingly' merely requires proof of knowledge of the facts that constitute the offense." Bryan, 524 U.S. at 193 (footnote omitted) ("[T]he term 'knowingly' does not necessarily have any reference to a culpable state of mind or to knowledge of the law."). As set forth above, the text of section 1320d-6 does not "dictate[] a different result." Bryan, 524 U.S. at 193. In fact, its text dictates an interpretation consistent with the ordinary understanding of "knowingly" as referring only to "knowledge of the facts that constitute the offense." Id.

The plain meaning of the "knowingly" element of section 1320d-6 must control, "at least where the disposition required by the text is not absurd." Hartford Underwriters Ins. Co. v. Union Planters Bank, N.A., 530 U.S. 1, 6 (2000). We consider whether our reading of the criminal provision is absurd in light of the possible exception to civil liability for reasonable ignorance of the law. Sections 1320d-5 and 1320d-6 operate in a complementary fashion, covering mutually exclusive conduct. See 42 U.S.C § 1320d-5(b)(1) (excepting from civil penalties an act that "constitutes an offense punishable under section 1320d-6 of this title.").13 The civil enforcement section provides, "A penalty may not be imposed . . . if . . . the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision." Id. § 1320d-5(b)(2). Section 1320d-5 therefore may be read to premise civil liability on knowledge that the act in question violated the applicable standard, not just on knowledge that the particular act occurred.14 If civil sanctions (of fines up to $100) may be avoided by establishing reasonable ignorance of the law, it might at first blush appear to be an absurd result to conclude that the significantly more serious criminal punishments (of fines up to $250,000 and imprisonment of up to ten years) may not be similarly excused.

The absurd results canon of construction is "rarely invoke[d] . . . to override unambiguous legislation." Barnhart v. Sigmon Coal Co., Inc., 534 U.S. 438, 459 (2002); Public Citizen v. U.S. Dep't of Justice, 491 U.S. 440, 470-71 (1989) (Kennedy, J., concurring) (noting that the canon is limited "to situations where the result of applying the plain language would be, in a genuine sense, absurd, i.e., where it is quite impossible that Congress could have intended the result, and where the alleged absurdity is so clear as to be obvious to most anyone."). Applying the usual definition of "knowingly" here does not yield an absurd result, and certainly not one so absurd that it would cause us to read the statute contrary to its plain meaning. The argument that the statute should not be read so as to impose criminal punishment on the basis of a lesser degree of intent than that required for civil sanction would be more compelling if sections 1320d-5 and 1320d-6 covered the same acts. But they do not. See 42 U.S.C. § 1320d-5(b)(1). Civil sanctions may be imposed for violations of a wide variety of regulations. For these violations, the statute provides a maximum $100 fine and sets forth certain exceptions to liability. See id. § 1320d-5 ("General penalty for failure to comply with requirements and standards").15 In contrast, of all the possible violations of the regulations, section 1320d-6 carves out a limited set and subjects them to criminal punishment. Such punishment is reserved for violations involving "unique health identifiers" and "individually identifiable health information." See id. § 1320d-6 ("Wrongful disclosure of individually identifiable health information"). Thus, the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals. In light of this concern, there is nothing obviously absurd about the statute's allowing a defense of reasonable ignorance of the law for those regulatory violations subject to civil penalty, but withholding this defense with respect to those violations that threaten the privacy of individuals. Accordingly, even reading section 1320d-6 in light of section 1320d-5(b)'s exception to civil liability for reasonable ignorance of the law gives us no reason to doubt that the plain and ordinary meaning of the "knowingly" element of section 1320d-6 is the correct one.

Nor is it proper to apply here the exception to the usual meaning of "knowingly" exemplified by Liparota. See 471 U.S. at 424-28. Liparota is the case cited by the Supreme Court in Bryan as an example of the exception to the rule—when "the text of the statute dictates a different result"—that "knowingly" refers to the facts that constitute the offense and not to the law. 524 U.S. at 193 & n.15. In Liparota, the Supreme Court held that a statute forbidding fraudulent use of food stamps required proof of knowledge that the use was unauthorized. See 471 U.S. at 433. The statute in that case read: "whoever knowingly uses, transfers, acquires, alters, or possesses coupons or authorization cards in any manner not authorized by this chapter or the regulations issued pursuant to this chapter" shall be guilty of a criminal offense. See id. at 420-21 n.1 (quoting 7 U.S.C. § 2024(b)(1)). This language is at least ambiguous; "knowingly" may modify, for example, either only the verb "uses" or it may modify the entire verbal phrase "uses . . . in any manner not authorized." Id.; see id. at 424 (The "interpretations proffered by both parties accord with congressional intent . . . . [T]he words themselves provide little guidance. Either interpretation would accord with ordinary usage."); id. at 424 n.7 (referring to the statutory language and noting that "[o]ne treatise has aptly summed up the ambiguity in an analogous situation.") (emphasis added). But see Bryan, 524 U.S. at 193 n.15 (citations omitted) (In Liparota, "we concluded that both the term 'knowing' . . . and the term 'knowingly' . . . literally referred to knowledge of the law as well as knowledge of the relevant facts."). The Supreme Court then considered the presumption that criminal statutes contain a mens rea element,16 applied the rule of lenity, and rested its interpretation, in large part, on the concern that the contrary reading would "criminalize a broad range of apparently innocent conduct." See Liparota, 471 U.S. at 426-27.

Here, the "knowingly" element of section 1320d-6 is not ambiguous, see supra; thus, it would be inappropriate to resort to the rule of lenity. See Chapman v. United States, 500 U.S. 453, 463 (1991) ("The rule of lenity . . . is not applicable unless there is a grievous ambiguity or uncertainty in the language and structure of the Act . . . .") (citation and quotation omitted). Moreover, our interpretation of "knowingly" does not dispense with the mens rea requirement of section 1320d-6 and create a strict liability offense; satisfaction of the "knowingly" element will still require proof that the defendant knew the facts that constitute the offense. See Staples v. United States, 511 U.S. 600, 622 n.3 (1994) (Ginsburg, J., concurring) (quotations and citations omitted) ("The mens rea presumption requires knowledge only of the facts that make the defendant's conduct illegal, lest it conflict with the related presumption, deeply rooted in the American legal system, that, ordinarily, ignorance of the law or a mistake of law is no defense to criminal prosecution."). Finally, the concern expressed in Liparota about criminalizing a broad swath of seemingly innocent conduct is less present here. The statute in Liparota criminalized the unauthorized use of food stamps by any participant in the program, as well as by any person who might come in possession of these stamps. See 471 U.S. at 426-27. In contrast, section 1320d-6, as we conclude above, applies directly to covered entities. These covered entities—health plans, health care clearinghouses, certain health care providers, and Medicare prescription drug card sponsors—are likely well aware that the health care business they conduct is heavily regulated by HIPAA and other laws. To the extent that some concern remains, it is insufficient to override the plain meaning of the statute. Accordingly, Liparota provides no support for giving "knowingly" in section 1320d-6 a meaning different from its usual understanding as referring only to knowledge of the facts that constitute the offense.

* * *

For the foregoing reasons, we conclude that covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6 and that the "knowingly" element of the offense set forth in that provision requires only proof of knowledge of the facts that constitute the offense.