For other versions of this document, see http://wikileaks.org/wiki/CRS-RL33989

Prepared for Members and Committees of Congress

P.L. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), directed HHS to adopt standards to facilitate the electronic exchange of health information for certain financial and administrative transactions. The HIPAA Privacy Rule was adopted by HHS as the national standard for the protection of individually identifiable health information. It regulates the use and disclosure of protected health information by health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically; establishes a set of basic consumer protections; permits any person to file an administrative complaint for violations; and authorizes the imposition of civil or criminal penalties. Enforcement of the Privacy Rule began in 2003.

On March 16, 2006, the Final HIPAA Administrative Simplification Enforcement Rule went into effect. The Enforcement Rule has both procedural and substantive provisions, and is applicable to all HIPAA administrative simplification standards. The Enforcement Rule establishes procedures for the imposition of civil money penalties on entities that violate rules adopted by the Secretary to implement the Administrative Simplification provisions of HIPAA. It also amends existing rules relating to the process for imposition of civil money penalties, and clarifies the investigation process, the bases for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeal process.
Lawmakers and others are examining the statutory and regulatory framework for enforcement of the HIPAA Administrative Simplification standards, and ways to ensure that agencies use their enforcement authority to the fullest extent under HIPAA to address improper uses and disclosures of protected health information. The privacy and security of health information is also recognized as a critical element of transforming the health care system through the use of health information technology. For further information on this topic, see CRS Report RS22760, Electronic Personal Health Records, by Gina Marie Stevens. This report discusses enforcement of the HIPAA administrative simplification provisions by HHS and DOJ, and provides an overview of the HIPAA Administrative Simplification Enforcement Rule. This report will be updated when warranted.

Contents

Background
  Civil Money Penalties
  Criminal Penalties
  Scope of Criminal Enforcement
The HIPAA Privacy Rule
  Covered Entities
  Protected Health Information
  Uses and Disclosures
The HIPAA Security Rule
The HIPAA Administrative Simplification Enforcement Rule
  Voluntary Cooperation
  Complaints to the Secretary
  Compliance Reviews
  Responsibilities of Covered Entities
  Secretarial Action
  Affirmative Defenses
  Civil Money Penalties
  Criminal Referrals
Criminal Enforcement Actions
  United States v. Gibson
  United States v. Ramirez
  United States v. Ferrer and Machado
HIPAA Enforcement Activity
Author Contact Information

Background

In 1996, Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1] to "improve portability and continuity of health insurance coverage in the group and individual markets."[2] Congress enacted HIPAA to guarantee the availability and renewability of health insurance coverage and limit the use of pre-existing condition restrictions. HIPAA also included tax provisions related to health insurance and administrative simplification provisions requiring issuance of national standards to facilitate the electronic transmission of health information. Part C of HIPAA[3] requires "the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information."[4] Such standards are required to be consistent with the objective of reducing the administrative costs of providing and paying for health care.

These Administrative Simplification provisions require the Secretary of HHS to adopt national standards to facilitate the electronic exchange of information for certain financial and administrative transactions; select or establish code sets for data elements; protect the privacy of individually identifiable health information; maintain administrative, technical, and physical safeguards for the security of health information; provide unique health identifiers for individuals, employers, health plans, and health care providers; and adopt procedures for the use of electronic signatures.[5] Health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically are required to use standardized data elements and comply with the national standards and regulations promulgated pursuant to Part C.[6] Failure to comply with the regulations may subject the covered entity to civil or criminal penalties. This report provides an overview of the statutory and regulatory enforcement scheme (under the recently issued Final Enforcement Rule) for the Administrative Simplification provisions of HIPAA. In addition, it summarizes recent enforcement actions by HHS and DOJ.

Civil Money Penalties

Under HIPAA, the Secretary is required to impose a civil monetary penalty (CMP) on any person failing to comply with the Administrative Simplification provisions in Part C.[7] The maximum civil money penalty (i.e., the fine) for a violation of an administrative simplification provision is $100 per violation and up to $25,000 for all violations of an identical requirement or prohibition during a calendar year.[8] A number of procedural requirements that are relevant to the imposition of CMPs for violations of the Administrative Simplification standards[9] are incorporated by reference in HIPAA from the general civil money penalty provision in 42 U.S.C. § 1320a-7a.[10] The Secretary may not initiate a CMP action "later than six years after the date" of the occurrence that forms the basis for the CMP action.[11] The Secretary may initiate a CMP by serving notice in a manner authorized by Rule 4 of the Federal Rules of Civil Procedure (Commencement of Action).

[1] P.L. 104-191, 110 Stat. 1936 (1996), codified in part at 42 U.S.C. §§ 1320d et seq.
[2] H.Rept. 104-496, at 1, 66-67, reprinted in 1996 U.S.C.C.A.N. 1865, 1865-66.
[3] 42 U.S.C. §§ 1320d to 1320d-8.
[4] 110 Stat. 2021.
[5] 42 U.S.C. §§ 1320d-2(a)-(d). HHS has issued final regulations to adopt national standards for transactions and code sets, privacy, security, and employer identifiers. See Administrative Simplification Under HIPAA: National Standards for Transactions, Privacy and Security, at http://www.hhs.gov/news/press/2002pres/hipaa.html.
[6] 42 U.S.C. § 1320d-4(b) requires compliance with the regulations within a certain time period by "each person to whom the standard or implementation specification [adopted or established under sections 1320d-1 and 1320d-2] applies."
[7] 42 U.S.C. § 1320d-5(a).
The Secretary must give written notice to the person on whom he wishes to impose a CMP and an opportunity for a determination to be made "on the record after a hearing at which the person is entitled to be represented by counsel, to present witnesses, and to cross-examine witnesses against the person."[12] Judicial review of the Secretary's determination and the issuance and enforcement of subpoenas is available in the United States Court of Appeals.[13] A CMP may not be imposed with respect to an act that constitutes criminal disclosure of individually identifiable information;[14] "if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provisions";[15] or if "the failure to comply was due to reasonable cause and not to willful neglect" and is corrected within 30 days after learning of the violation.[16] The Secretary may provide technical assistance during such period. A CMP may be reduced or waived "to the extent that the payment of such penalty would be excessive relative to the compliance failure involved."[17]

Three specific affirmative defenses bar the imposition of civil money penalties: (1) the act is a criminal offense under HIPAA's criminal penalty provision (wrongful disclosure of individually identifiable health information); (2) the covered entity did not have actual or constructive knowledge of the violation; and (3) the failure to comply was due to reasonable cause and not to willful neglect, and the failure to comply was corrected during a 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.[18]

The Office of Civil Rights (OCR) in HHS is responsible for enforcing the Privacy Rule.[19] OCR has said that any civil penalties imposed will only affect covered entities; in other words, a member of a workforce who is not a covered entity appears not to be subject to civil sanctions by OCR.

Criminal Penalties

HIPAA establishes criminal penalties for any person who knowingly and in violation of the Administrative Simplification provisions of HIPAA uses a unique health identifier or obtains or discloses individually identifiable health information.[20] Enhanced criminal penalties may be imposed if the offense is committed under false pretenses, with intent to sell the information or reap other personal gain. The penalties include (1) a fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is "under false pretenses," a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.[21] These penalties do not affect any other penalties that may be imposed by other federal programs.

[8] 42 U.S.C. § 1320d-5(a)(1).
[9] 42 U.S.C. § 1320d-5(a)(2).
[10] Except for the subsections addressing the imposition of civil money penalties for improperly filed claims, payments to induce a reduction or limitation of services, and the recovery and use of funds.
[11] 42 U.S.C. § 1320a-7a(c)(1).
[12] 42 U.S.C. § 1320a-7a(c)(2).
[13] 42 U.S.C. § 1320a-7a(e).
[14] 42 U.S.C. § 1320d-5(b)(1).
[15] 42 U.S.C. § 1320d-5(b)(2).
[16] 42 U.S.C. § 1320d-5(b)(3).
[17] 42 U.S.C. § 1320d-5(b)(4).
[18] 42 U.S.C. § 1320d-5(b)(1)-(4).
[19] 65 Fed. Reg. 82381.
Scope of Criminal Enforcement

In 2005, the Justice Department Office of Legal Counsel (OLC) addressed which persons may be prosecuted under HIPAA.[22] Based on its reading of the plain terms of the statute, the privacy regulations, and Executive Order 13,141 (To Protect the Privacy of Protected Health Information in Oversight Investigations), OLC concluded that only a covered entity could be criminally liable "in violation of this part."[23] Because Part C applies only to covered entities and mandates compliance only by covered entities, OLC concluded that direct liability for violations of section 1320d-6 was limited to covered entities (health plans, health care clearinghouses, those health care providers specified in the statute, and Medicare prescription drug card sponsors); and depending on the facts of a given case, certain directors, officers, and employees of these entities may be liable directly under section 1320d-6, based on general principles of corporate criminal liability.[24] Other persons who obtain protected health information in a manner that causes a covered entity to release the information in violation of HIPAA, including recipients of protected information, may not be liable directly. The liability of persons for conduct that may not be prosecuted directly under section 1320d-6 is to be determined by principles of aiding and abetting liability under 18 U.S.C. § 2[25] and of conspiracy liability under 18 U.S.C. § 371.[26] OLC also noted that such conduct may also be punishable under other federal laws, such as identity theft under 18 U.S.C. § 1028[27] and fraudulent access of a computer under 18 U.S.C. § 1030.[28] The Office of Legal Counsel also considered what the "knowingly" element of the offense requires and concluded that the "knowingly" element is best read, consistent with its ordinary meaning, to require only proof of knowledge of the facts that constitute the offense.[29]

The HIPAA Privacy Rule

To carry out the requirements of Part C, the HIPAA Privacy Rule, 45 C.F.R. Parts 160 and 164, was adopted as the national standard for the protection of individually identifiable health information.[30] Enforcement of the Privacy Rule began on April 14, 2003, except that for small health plans with annual receipts of $5 million or less enforcement began April 2004. The Office of Civil Rights (OCR) in HHS is responsible for enforcing the Privacy Rule.[31] The Centers for Medicare and Medicaid Services (CMS) has delegated authority to enforce the non-privacy HIPAA standards, including the Security Rule.[32]

Covered Entities

Because of the explicit language of HIPAA, the Privacy Rule applies only to a specified set of "covered entities": (1) health plans, (2) health care clearinghouses, and (3) health care providers who transmit information in electronic form in connection with standard transactions governed by the Administrative Simplification provisions.[33] Medicare prescription drug sponsors were added to the list of "covered entities" in 2003.[34] Excluded from the definition of covered entities are employees of covered entities. Business associates of covered entities are subject to certain aspects of the Privacy Rule.[35]

Protected Health Information

The Privacy Rule applies to protected health information, that is, individually identifiable health information "created or received by a health care provider, health plan, or health care clearinghouse" that "[r]elates to the ... health or condition of an individual" or to the provision of or payment for health care.[36]

Uses and Disclosures

The HIPAA Privacy Rule[37] governs the use and disclosure of protected health information by HIPAA-covered entities (health plans, health care providers, and health care clearinghouses). The Rule requires a covered entity to obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.[38] A covered entity is required to disclose protected health information in two situations: (1) to individuals when they request access to or an accounting of disclosures of their protected health information; and (2) to HHS for compliance review or enforcement action. The HIPAA Privacy Rule permits use and disclosure of protected health information, without an individual's authorization or consent, for 12 national priority purposes.[39]

The HIPAA Security Rule

Regulations governing security standards under HIPAA require health care covered entities to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information; to protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and to protect against any unauthorized uses or disclosures of such information.[40] The Centers for Medicare and Medicaid Services (CMS) has been delegated authority to enforce the HIPAA Security Standard.[41] The Security Rule applies only to protected health information in electronic form (EPHI), and requires a covered entity to ensure the confidentiality, integrity, and availability of all EPHI the covered entity creates, receives, maintains, or transmits. Covered entities must protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and ensure compliance by their workforce.[42] The Security Rule allows covered entities to consider such factors as the cost of a particular security measure, the size of the covered entity involved, the complexity of the approach, the technical infrastructure and other security capabilities in place, and the nature and scope of potential security risks. The Rule establishes "standards" in three categories (administrative, physical, and technical) that covered entities must meet, accompanied by implementation specifications for each standard. The Security Rule requires covered entities to enter into agreements with business associates who create, receive, maintain or transmit EPHI on their behalf.

[20] 42 U.S.C. § 1320d-6(a). The statute provides:
    Wrongful disclosure of individually identifiable health information
    (a) Offense. A person who knowingly and in violation of this part--
      (1) uses or causes to be used a unique health identifier;
      (2) obtains individually identifiable health information relating to an individual; or
      (3) discloses individually identifiable health information to another person,
    shall be punished as provided in subsection (b) of this section.
    (b) Penalties. A person described in subsection (a) of this section shall--
      (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
      (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
      (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
    42 U.S.C. § 1320d-6.
[21] 42 U.S.C. § 1320d-6(b).
[22] U.S. Department of Justice, Scope of Criminal Enforcement Under 42 U.S.C. §1320d-6, June 1, 2005, at http://www.justice.gov/olc/hipaa_final.htm.
[23] OLC's opinion limiting direct liability under the HIPAA criminal statute to covered entities was widely criticized. Critics believed that such an interpretation would result in weak enforcement of the HIPAA standards. See Robert Pear, Ruling Limits Prosecutions of People Who Violate Law on Medical Records, New York Times (June 7, 2005); Peter P. Swire, Justice Department Opinion Undermines Protection of Medical Privacy, Center for American Progress (June 7, 2005), at http://www.americanprogress.org/issues/2005/06/b743281.html; Peter A. Winn, Who Is Subject to Criminal Prosecution under HIPAA?, at http://www.abanet.org/health/01_interest_groups/01_media/WinnABA_2005-11.pdf.
[24] According to OLC, under general principles of corporate criminal liability, the conduct of an entity's agents may be imputed to the entity when the agents act within the scope of their employment, and the criminal intent of agents may be imputed to the entity when the agents act on its behalf.
[25] 18 U.S.C. § 2 (Principals): "(a) Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission, is punishable as a principal. (b) Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal."
[26] 18 U.S.C. § 371 (Conspiracy to commit offense or to defraud United States): "If two or more persons conspire either to commit any offense against the United States, or to defraud the United States, or any agency thereof in any manner or for any purpose, and one or more of such persons do any act to effect the object of the conspiracy, each shall be fined under this title or imprisoned not more than five years, or both. If, however, the offense, the commission of which is the object of the conspiracy, is a misdemeanor only, the punishment for such conspiracy shall not exceed the maximum punishment provided for such misdemeanor."
[27] See CRS Report RL31919, Federal Laws Related to Identity Theft, by Gina Marie Stevens.
[28] See CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle.
[29] U.S. Department of Justice, Scope of Criminal Enforcement Under 42 U.S.C. §1320d-6, June 1, 2005, at http://www.justice.gov/olc/hipaa_final.htm.
[30] The Privacy Rule went into effect on April 14, 2001. On August 14, 2002, HHS published a modified Privacy Rule. 67 Fed. Reg. 53181, available at http://www.hhs.gov/ocr/hipaa/finalreg.html.
[31] The Secretary of Health and Human Services recently delegated to the Director of OCR the authority to issue subpoenas in investigations of alleged violations of the HIPAA Privacy Rule. 72 Fed. Reg. 18,999 (April 16, 2007).
[32] 68 Fed. Reg. 60694.
[33] 42 U.S.C. §§ 1320d-1(a)(1)-(3) ("Any standard adopted under this part shall apply, in whole or in part, to the following persons: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1320d-2(a)(1) of this title.").
[34] 42 U.S.C. § 1320d-1(a); 45 C.F.R. §§ 164.104(a)(1)-(3). The Medicare Prescription Drug Improvement and Modernization Act of 2003, P.L. 108-173, § 101(a)(2), 117 Stat. 2071, 2144 (2003), codified at 42 U.S.C. § 1395w-14(h)(6).
[35] 45 C.F.R. § 164.530(e)(2)(ii)(A).
[36] 45 C.F.R. § 160.103.
[37] 45 C.F.R. §§ 160 and 164.
[38] 45 C.F.R. § 164.508.
Under such agreements, the business associate must: implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the covered entity's electronic protected health information; ensure that its agents and subcontractors to whom it provides the information do the same; and report to the covered entity any security incident of which it becomes aware. The contract must also authorize termination if the covered entity determines that the business associate has violated a material term. A covered entity is not liable for violations by the business associate unless the covered entity knew that the business associate was engaged in a practice or pattern of activity that violated HIPAA, and the covered entity failed to take corrective action.

The HIPAA Administrative Simplification Enforcement Rule

On February 16, 2006, HHS published the Final Enforcement Rule, with both procedural and substantive provisions, applicable to all HIPAA administrative simplification standards in Part C.[43] The final rule went into effect March 16, 2006. The following discussion summarizes the main provisions of the Enforcement Rule.

Voluntary Cooperation

With respect to ascertaining compliance with and enforcement of the administrative simplification provisions, the Secretary of HHS is to seek the voluntary cooperation of covered entities. Enforcement and other activities to facilitate compliance include the provision of technical assistance, responding to questions, providing interpretations and guidance, responding to state requests for preemption determinations, and investigating complaints and conducting compliance reviews.

[39] 45 C.F.R. 164.512.
[40] HIPAA Security Standards for the Protection of Electronic Personal Health Information, 45 C.F.R. Part 164.
[41] See generally, Centers for Medicare and Medicaid Services, Security Materials, at http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp#TopOfPage.
[42] 45 C.F.R. § 164.306(a).
Complaints to the Secretary

The Privacy Rule permits any person to file an administrative complaint for violations.[44] It did not create a private right of action for individuals to sue to remedy privacy violations.[45] Individuals must direct their complaints to the HHS Office for Civil Rights (OCR) or to the covered entity.[46] An individual may file a complaint with the Secretary if the individual believes that the covered entity is not complying with the administrative simplification provisions.[47] Complaints to the Secretary may be filed only with respect to alleged violations occurring on or after April 14, 2003. The Secretary's investigation may include a review of the policies, procedures, or practices of the covered entity, and of the circumstances regarding the alleged acts or omissions.[48]

Compliance Reviews

The Secretary is also authorized to conduct compliance reviews.[49] According to OCR, it is conducting Privacy Rule compliance reviews only where compelling and unusual circumstances demand.[50]

Responsibilities of Covered Entities

Covered entities are required to provide records and compliance reports to the Secretary to determine compliance, and to cooperate with complaint investigations and compliance reviews.[51]

Secretarial Action

In cases where no violation is found, the Secretary is to inform the covered entity and the complainant in writing. In cases where an investigation or compliance review has indicated noncompliance, the Secretary is to inform the covered entity and the complainant in writing, and attempt to resolve the matter informally.[52] If the Secretary determines that the matter cannot be resolved informally, the Secretary may issue written findings documenting the noncompliance. The covered entity has 30 days to respond to the Secretary's findings and must be given an opportunity to submit written evidence of any mitigating factors or affirmative defenses, as the matter proceeds to the civil monetary penalty phase. Finally, the Rule includes a provision that prohibits covered entities from threatening, intimidating, coercing, discriminating against, or taking any other retaliatory action against anyone who complains to HHS or otherwise assists or cooperates in the HIPAA enforcement process.[53] Actions must be brought by the Secretary within six years from the date of the violation.

Affirmative Defenses

Three specific affirmative defenses would bar the imposition of civil money penalties: (1) the violation is a criminal offense under HIPAA (wrongful disclosure of individually identifiable health information); (2) the covered entity did not have actual or constructive knowledge of the violation; or (3) the failure to comply was due to reasonable cause and not to willful neglect, and was corrected during a 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.[54] With respect to the first two defenses, the Secretary may waive the civil money penalty if it would be excessive in relation to the violation.

Civil Money Penalties

The Enforcement Rule provides that the "Secretary will impose a civil money penalty upon a covered entity if the Secretary determines that the covered entity has violated an administrative simplification provision."[55] The Secretary is required to provide notice of a proposed penalty to the covered entity, including the respondent's right to request a hearing within 90 days before an Administrative Law Judge.[56] If the respondent fails to request a hearing, the Enforcement Rule states that "the Secretary will impose the proposed penalty or any lesser penalty permitted by 42 U.S.C. 1320d-5."[57] Once a penalty has become final, the Secretary is obligated to notify the public; state and local medical and professional organizations; state agencies administering health care programs; utilization and quality peer review organizations; and state and local licensing agencies and organizations.

[43] 71 Fed. Reg. 8390, 45 CFR § 160.300 et seq.
[44] 45 CFR § 160.306.
[45] Several federal district courts have held that HIPAA did not create a privately enforceable right of action, and one federal appellate court has also recently upheld that finding. See Acara v. Banks, 470 F.3d 569 (5th Cir. 2006).
[46] OCR maintains a website with information on the regulation, including guidance, at http://www.hhs.gov/ocr/hipaa/. HHS also issued a 20-page "Summary of the HIPAA Privacy Rule," at http://www.hhs.gov/ocr/privacysummary.pdf.
[47] 45 CFR § 160.306.
[48] The Secretary has delegated to the Office for Civil Rights (OCR) the authority to receive and investigate complaints as they may relate to the Privacy Rule. 65 Fed. Reg. at 82,474, 82,487.
[49] 45 CFR § 160.308.
[50] U.S. Department of Health and Human Services, Fiscal Year 2008, Office for Civil Rights, Justification of Estimates for Appropriations Committees, p. 37, at http://www.hhs.gov/ocr/CJFY2008.pdf. For more recent information on the activities of OCR, see Fiscal Year 2009 Justification of Estimates for Appropriations Committees, at http://www.hhs.gov/ocr/CJ2009.pdf.
[51] 45 CFR § 160.310.
[52] 45 CFR § 160.312. Presumably it was pursuant to this authority that HHS entered into the resolution agreement with Providence Health & Services.
[53] 45 CFR § 160.316.
[54] 45 CFR § 160.410.
To determine the number of "violations" used to compute the amount of the civil penalty, the Secretary is to base the decision upon the nature of the covered entity's obligation to act or not act under the violated provision.[58] The Rule also provides that HHS may consider the following aggravating or mitigating factors when determining the amount of the penalty: the nature of the violation; the circumstances under which the violation occurred; the degree of culpability; any history of prior compliance, including violations; the financial condition of the covered entity; and such "other matters as justice may require."[59] The Secretary is authorized to settle any issue or case or to compromise any penalty.

Criminal Referrals

HHS refers to the DOJ for criminal investigation appropriate cases involving the knowing disclosure or obtaining of individually identifiable health information in violation of the Privacy Rule.

Criminal Enforcement Actions

Criminal convictions have been obtained in three cases involving employees of covered entities who improperly obtained protected health information. Two of the HIPAA criminal cases were brought after the OLC legal opinion limiting direct liability for violations to covered entities.[60]

United States v. Gibson

The first case prosecuted by a U.S. Attorney's Office under the HIPAA criminal statute involved a Seattle phlebotomist employed at a cancer center who was sentenced to 16 months in prison and 3 years of supervised release in 2004 for stealing credit card information from a cancer patient, charging $9,000 worth of merchandise on it, and using that information to get credit cards in the defendant's name.[61] The defendant was ordered to pay restitution in the amount of $15,000. The U.S. Attorney's Office in Seattle chose to prosecute the identity theft as a criminal HIPAA violation because the information had been collected from a patient,[62] instead of prosecuting the defendant for identity theft.[63] Specifically, the defendant was charged with and pled guilty to the wrongful disclosure of individually identifiable health information for economic gain in violation of 42 U.S.C. § 1320d-6(a)(3) and (b)(3). It is notable that the defendant was not a covered entity but a member of the covered entity's workforce not acting within the scope of his employment. The OLC legal opinion was issued after the defendant's conviction.

United States v. Ramirez

In 2006, a Texas woman employed in the office of a doctor who had a contract to provide physicals and medical treatment to FBI agents was convicted of selling an FBI agent's medical records for $500.[64] The defendant pled guilty to the federal felony offense of wrongfully using a unique health identifier intending to sell individually identifiable health information for personal gain, 42 U.S.C. § 1320d-6(a)(1) and (b)(3), and of violating 18 U.S.C. § 2.[65] She was sentenced to six months in jail and four months of home confinement, to be followed by a two-year term of supervised release.[66] The defendant was also ordered to pay a criminal money penalty of $100. Two aggravating factors were found by the court. First, the defendant had sold the confidential medical record, and second, the record belonged to a federal agent.

United States v. Ferrer and Machado

The defendant was an employee of a medical clinic and improperly obtained Medicare information and other patient information for more than 1,100 clinic patients and sold that information to the owner of a medical claims business for $5 to $10 each. The information was then used by medical providers to fraudulently bill Medicare for services not rendered and equipment not supplied, resulting in a $7 million fraud to Medicare and the payment of approximately $2.5 million to providers and suppliers.[67] The defendants were charged with conspiracy in violation of 18 U.S.C. § 371, with computer fraud in violation of 18 U.S.C.

[55] 45 CFR § 160.402.
[56] Provision is also made for an administrative appeal of the ALJ's decision to the HHS Departmental Appeals Board, and for judicial review of the Board's final decision.
[57] 45 CFR § 160.422.
[58] 45 CFR § 160.406.
[59] 45 CFR § 160.408.
[60] Atlantic Information Services, Inc., HIPAA Criminal Cases Against Individuals Proceed Despite DOJ Memo, at http://www.aishealth.com/Compliance/Hipaa/RPP_HIPAA_Cases_Proceed.html.
[61] United States v. Gibson, 2004 WL 2237585 (No. CR04-0374RSM) (W.D. Wash. 2004).
[62] See ABA Health eSource, Interview with Susan Loitz, Assistant U.S. Attorney (October 2004), at http://www.abanet.org/health/esource/vol1no2/loitz.html.
[63] See Atlantic Consulting Services, Inc., Synergy Between the Identity Theft Issue And Privacy, Security Grows Stronger, at http://www.aishealth.com/Compliance/Hipaa/RPP_identity_patient_ID_theft.html (noting that "Identity theft is now the number one financial crime in the country, and health care organizations are prime targets because of their vast reservoirs of personal data, such as Social Security numbers.").
[64] United States v. Ramirez, Warrant, Criminal No. M-05-708, McAllen Division (S.D. Tex. 2006).
[65] 18 U.S.C. § 2 (Principals): "(a) Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission, is punishable as a principal. (b) Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal."
[66] U.S. Department of Justice, Alamo, Texas Woman Convicted of Selling FBI Agent's Medical Record Sentenced, at http://www.usdoj.gov/usao/txs/releases/March2006/060307-Ramirez.pdf.
§ 1030(a)(4)and (c)(3)(A), wrongful disclosure of individually identifiable health information in violation of 42 U.S.C. § 1320d-6(a)(2) and (b)(3), and aggravated identity theft in violation of 18 U.S.C. § 1028A(a)(2). Because the clinic-employer was a cooperating witness and the defendant was acting outside the scope of her lawful employment, the clinic was not charged. In January 2007, Florida defendant Machado pled guilty to conspiracy to commit computer fraud, conspiracy to commit identity theft and conspiracy to wrongfully disclose individually identifiable health information.68 The defendant testified against her co-defendant. The defendant was sentenced on April 27, 2007, and faced a maximum of 5 years imprisonment, $250,000 fine, and possible restitution. Defendant Machado was sentenced to 3 years probation, including 6 months of home confinement, and also ordered to pay restitution in the amount of $2,505,883. Co-defendant Ferrer, owner of the medical claims business, was convicted by a jury of all eight counts (one count of conspiring to defraud the United States, one count of computer fraud, one count of wrongful disclosure of individually identifiable health information, and five counts of aggravated identity theft).69 Defendant Ferrer was also sentenced on April 27, 2007, and faced a maximum statutory term of imprisonment of 5 years on the conspiracy count; a maximum statutory term of imprisonment of 5 years on the computer fraud count; a maximum statutory term of imprisonment of 10 years on the wrongful disclosure of individually identifiable health information count; and a maximum statutory term of imprisonment of 2 years on each count of aggravated identity theft. Ferrer was sentenced to 87 months in prison, 3 years of supervised release, and ordered to pay restiution in the amount of $2,505,883. According to DOJ, this is the first HIPAA violation case that has gone to trial.70 The two other cases resulted in guilty pleas. 
¢ According to recently released data from HHS, from April 2003, when enforcement of the Privacy Rule began, to May 31, 2008, approximately 36,374 health information privacy complaints were filed with HHS.71 In 19,997 cases, HHS did not find enforcement authority under HIPAA.72 HHS found authority to investigate and resolve 6,392 cases. In those cases, HHS 67 The United States Attorney's Office Southern District of Florida, Cleveland Clinic Employee Pleads Guilty to Superseding Fraud Indictment, January 11, 2007, at http://www.usdoj.gov/usao/fls/PressReleases/070111-03.html. 68 United States v. Ferrer and Machado, 2006 WL 4005632 (S.D.Fla. 2006). 69 The United States Attorney's Office Southern District of Florida, Naples Man Convicted In Cleveland Clinic Identity Theft and Medicare Fraud Case, January 24, 2007, at http://www.usdoj.gov/usao/fls/PressReleases/070124-02.html. 70 Id. 71 U.S. Department of Health and Human Services, Compliance and Enforcement: Privacy Rule Enforcement Highlights, at http://www.hhs.gov/ocr/privacy/enforcement/05312008.html. 72 Id. Either because of lack of jurisdiction (the violation occurred prior to the effective date of the Rule or the entity was not subject to the Privacy Rule); the complaint was untimely, withdrawn, or not pursued by the complainant; or the activity being complained of did not violate the Privacy Rule. ¢ ¢ obtained changes in the investigated entity's privacy practices or other corrective actions.73 HHS found no violation of the Privacy Rule in 3,156 cases.74 Almost 6,800 cases remain unresolved. 
According to HHS, the compliance issues most frequently investigated were for impermissible use or disclosure of protected health information, lack of adequate safeguards for protected health information, lack of patient access to his or her protected health information, the disclosure of more information than is minimally necessary to satisfy a particular request for information, and failure to have an individual's authorization for a disclosure that requires one.75 The covered entities most commonly required to take corrective action by HHS, in order of frequency, include private practices, general hospitals, outpatient facilities, health plans, and pharmacies.76 According to its enforcement website, HHS did not report any civil penalties during the five-year period of 2003-2008.77 HHS reported that more than 435 cases were referred by HHS to DOJ for criminal investigation of knowing disclosure or access to protected health information in violation of the Privacy Rule. An additional 247 cases were referred to the Centers for Medicare and Medicaid Services (CMS) for investigation of cases that involve a potential violation of the HIPAA Security Rule. Although information on criminal convictions was not reported by HHS, criminal convictions were obtained in three cases involving employees of covered entities who improperly obtained protected health information.78 Concerns have been raised by some that the HIPAA Privacy Rule is being underenforced by the U.S. Departments of Health and Human Services (HHS) and Justice (DOJ).79 Privacy advocates have been critical of HHS' enforcement of the HIPAA Privacy Rule which has focused on technical assistance and voluntary cooperation fo the covered entity with HHS. According to HHS, several factors contribute to the number of enforcement actions taken by it for violations of the HIPAA Privacy Rule. 
First is HHS's preference for voluntary compliance, corrective action, and/or resolution agreement.80 Second, HIPAA applies only to certain groups, defined as covered entities, health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically. HIPAA does not cover all types of entities that maintain personal health information (e.g., life insurers, employers, workers compensation carriers, schools and school districts, state agencies such as child protective service agencies, law enforcement agencies, and municipal offices).81 Third, HIPAA does not cover of all types of 73 Id. 74 Id. 75 See U.S. Department of Health and Human Services, Compliance and Enforcement: Case Examples Organized By Issue, at http://www.hhs.gov/ocr/privacy/enforcement/casebyissue.html. 76 See U.S. Department of Health and Human Services, Compliance and Enforcement: Case Examples Organized By Covered Entity, at http://www.hhs.gov/ocr/privacy/enforcement/casebyentity.html. 77 The U.S. Department of Health and Human Services (HHS) recently announced an enhanced website to make it easier to get information about how the Department enforces health information privacy rights and standards. HHS Launches New Web site on HIPAA Privacy Compliance and Enforcement, April 20, 2007, at http://www.hhs.gov/ocr/ privacy/enforcement/announcement.html. 78 United States v. Gibson, 2004 WL 2237585 (No. CR04-0374RSM) (W.D. Wash. 2004); United States v. Ramirez, Warrant, Criminal No. M-05-708, McAllen Division (S.D. Tex. 2006); United States v. Ferrer and Machado, 2006 WL 4005632 (S.D.Fla. 2006). 79 Rob Stein, "Medical Privacy Law Nets No Fines," The Washington Post, June 5, 2006 at A01. 80 U.S. Deptartment of Health and Human Services, Compliance and Enforcement: How OCR Enforces the HIPAA Privacy Rule, at http://www.hhs.gov/ocr/privacy/enforcement/hipaarule.html. ¢ ¢ health transactions. 
Fourth, the statute does not create a private right of action, but rather public enforcement by HHS and DOJ. Fifth, the complained-of activity might not be a violation of the Privacy Rule. In July 2008, the first time since the Privacy Rule went into effect in 2003, HHS required a resolution agreement from a covered entity (a contract signed by HHS and the covered entity) for violations of the HIPAA Privacy and Security Rules.82 HHS entered into a resolution agreement with Providence Health & Services requiring the covered entity to pay $100,000 and to implement a corrective action plan to safeguard identifiable electronic patient information to settle potential violations of the HIPAA Privacy and Security Rules. In this case the violations involved the loss of backup tapes and theft of laptops containing individually identifiable health information. Gina Marie Stevens Legislative Attorney gstevens@crs.loc.gov, 7-2581 (...continued) 81 HHS's approach to the regulation of the privacy of health information "is also significantly informed by the limited jurisdiction conferred by HIPAA. In large part, we have the authority to regulate those who create and disclose health information, but not many key stakeholders who receive that health information from a covered entity." 65 Fed. Reg. 82462, 82471 (2000). 82 See, Resolution Agreement HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information, at http://www.hhs.gov/ocr/privacy/enforcement/agreement.pdf. ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-RL33989