Ruling limits HIPAA prosecutions

A new Justice Department ruling concludes that the government cannot prosecute in many cases in which privacy laws protecting patient medical records are broken. The new interpretation of the law, which is binding for federal agencies, concludes that existing privacy regulations cover healthcare providers but do not apply when employees act on their own. The ruling means the government will not be able to file criminal cases against individuals under the Health Insurance Portability and Accountability Act (HIPAA). If an employee, for example, steals patient medical records for personal gain or posts them on the Internet (as has happened in several recent cases), the government will not be able to prosecute.

Experts on privacy law expressed surprise yesterday when the news was made public. "Under this decision, a tremendous amount of conduct that is clearly wrong will fall outside the criminal penalties of the statute," notes Robert Gellman, an authority on privacy and information policy.

- see this story from The New York Times