Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6, and the knowingly element of the offense set forth in that provision requires only proof of knowledge of the facts that constitute the offense.
June 1, 2005
You have asked jointly for our opinion concerning the scope of 42 U.S.C. § 1320d-6 (2000), the criminal enforcement provision of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 ("HIPAA"). Specifically, you have asked, first, whether the only persons who may be directly liable under section 1320d-6 are those persons to whom the substantive requirements of the subtitle, as set forth in the regulations promulgated thereunder, apply—i.e., health plans, health care clearinghouses, certain health care providers, and Medicare prescription drug card sponsors—or whether this provision may also render directly liable other persons, particularly those who obtain protected health information in a manner that causes a person to whom the substantive requirements of the subtitle apply to release the information in violation of that law. We conclude that health plans, health care clearinghouses, those health care providers specified in the statute, and Medicare prescription drug card sponsors may be prosecuted for violations of section 1320d-6. In addition, depending on the facts of a given case, certain directors, officers, and employees of these entities may be liable directly under section 1320d-6, in accordance with general principles of corporate criminal liability, as these principles are developed in the course of particular prosecutions. Other persons may not be liable directly under this provision. The liability of persons for conduct that may not be prosecuted directly under section 1320d-6 will be determined by principles of aiding and abetting liability and of conspiracy liability. Second, you have asked whether the "knowingly" element of section 1320d-6 requires only proof of knowledge of the facts that constitute the offense or whether this element also requires proof of knowledge that the conduct was contrary to the statute or regulations. We conclude that "knowingly" refers only to knowledge of the facts that constitute the offense.1
I.
Congress enacted the Administrative Simplification provisions of HIPAA to improve "the efficiency and effectiveness of the health care system" by providing for the "establishment of standards and requirements for the electronic transmission of certain health information." 42 U.S.C. § 1320d note. These provisions added a new "Part C: Administrative Simplification" to Title XI of the Social Security Act and have been codified at 42 U.S.C. §§ 1320d-1320d-8. Part C directs the Secretary of the Department of Health and Human Services ("HHS") to "adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically." Id. § 1320d-2(a)(1); see also id. § 1320d-2(b)(1) (requiring the Secretary to adopt standards concerning unique health identifiers); id. § 1320d-2(c)(1) (same with respect to code sets); id. § 1320d-2(d)(1) (same with respect to security); id. § 1320d-2(e)(1) (same with respect to electronic signatures); id. § 1320d-2(f) (same with respect to transfer of information among health plans). Various provisions of this part further specify the standards to be adopted, the factors the Secretary must consider, the procedures for promulgating the standards, and the timetable for their adoption. Id. §§ 1320d-1 to 1320d-3. Pursuant to this authority, the Secretary has adopted standards and specifications for implementing them. See 45 C.F.R. pts. 160-164 (2004).
Section 1320d-1 specifies the persons to whom the standards apply:
Any standard adopted under this part shall apply, in whole and in part, to the following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1320d-2(a)(1) of this title.
Id. § 1320d-1; see also 45 C.F.R. § 160.102(a) (with respect to general administrative requirements "[e]xcept as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to" the entities listed in section 1320d-1); id. § 162.100 (same with respect to additional administrative requirements); id. § 164.104 (same with respect to security and privacy regulations). The regulations refer to each of these three groups of persons as a "covered entity." Id. § 160.103. To this list of persons to whom the standards apply, Congress later added Medicare prescription drug card sponsors. See Medicare Prescription Drug, Improvement and Modernization Act of 2003, Pub. L. No. 108-173, § 101(a)(2), 117 Stat. 2071, 2144 ("For purposes of the program under this section, the operations of an endorsed program are covered functions and a prescription drug card sponsor is a covered entity for purposes of applying part C of title XI and all regulatory provisions promulgated thereunder. . . ."), codified at 42 U.S.C.A. § 1395w-141(h)(6) (West 2004).
Various statutes and regulations define these four categories of covered entities. A "prescription drug card sponsor" is "any nongovernmental entity that the Secretary [of HHS] determines to be appropriate to offer an endorsed discount card program," including "a pharmaceutical benefit management company" and "an insurer." 42 U.S.C.A § 1395w-141(h)(1)(A). A "health plan" is "an individual or group plan that provides, or pays the cost of, medical care . . . ." Id. § 1320d(5). A "health care clearinghouse" is an "entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements." Id. § 1320d(2). Finally, a "health care provider" is any "person furnishing health care services or supplies," including a "provider of services" and a "provider of medical or other health services." Id. § 1320d(3). These latter two terms are further defined in 42 U.S.C. § 1395x. A "provider of services" is a "hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, [or] hospice program . . . ." Id. § 1395x(u). And a "provider of medical and other health services" is any person who provides any of a long list of such services, including "physicians' services," "services and supplies . . . furnished as an incident to a physician's professional service, of kinds which are commonly furnished in physicians' offices and are commonly either rendered without charge or included in the physicians' bills," "outpatient physical therapy services," "qualified psychologist services," "clinical social worker services," and certain services "performed by a nurse practitioner or clinical nurse specialist." Id. § 1395x(s). These health care providers only qualify as covered entities if they "transmit[] any health information in electronic form in connection with" certain transactions described in section 1320d-2. Id. § 1320d-1(a)(3). The regulations further define the covered entities. See 45 C.F.R. § 160.103.
These covered entities must comply with the regulations promulgated pursuant to Part C. Section 1320d-4 requires compliance with the regulations within a certain time period by "each person to whom the standard or implementation specification [adopted or established under sections 1320d-1 and 1320d-2] applies." 42 U.S.C. § 1320d-4(b). Failure to comply with the regulations may render the covered entity either civilly or criminally liable.
The statute grants to the Secretary of HHS the authority for civil enforcement of the standards. Section 1320d-5(a) states, "Except as provided in subsection (b) of this section, the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation . . . ." Id. § 1320d-5(a)(1). Subsection (b) provides for three exceptions. First, a civil "penalty may not be imposed . . . with respect to an act if the act constitutes an offense punishable under" the criminal enforcement provision. Id. § 1320d-5(b)(1). Second, a civil "penalty may not be imposed . . . with respect to a provision of this part if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision." Id. § 1320d-5(b)(2). Third, a civil "penalty may not be imposed . . . if the failure to comply was due to reasonable cause and not to willful neglect; and the failure to comply is corrected" within a specified period of time. Id. § 1320d-5(b)(3).
The statute prescribes criminal sanctions only for those violations of the standards that involve the disclosure of "unique health identifiers," id. § 1320d-6(a), or of "individually identifiable health information," id., that is, that subset of health information that, inter alia, "identifies the individual" or "with respect to which there is a reasonable basis to believe that the information can be used to identify the individual," id. § 1320d(6). More specifically, section 1320d-6(a) provides:
A person who knowingly and in violation of this part—
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section.
Id. § 1320d-6(a). Subsection (b) sets forth a tiered penalty scheme. A violation of subsection (a) is punishable generally as a misdemeanor by a fine of not more than $50,000 and/or imprisonment for not more than one year. Id. § 1320d-6(b)(1). Certain aggravating circumstances may make the offense a felony. Subsection (b)(2) provides for a maximum penalty of a $100,000 fine and/or five-year imprisonment for violations committed under false pretenses. Id. § 1320d-6(b)(2). And subsection (b)(3) reserves the statute's highest penalties—a fine of not more than $250,000 and/or imprisonment of not more than ten years—for those offenses committed "with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm." Id. § 1320d-6(b)(3).
II.
A.
We address first which persons may be prosecuted under the criminal enforcement provision, section 1320d-6. Specifically, we address whether section 1320d-6 renders liable only covered entities or whether the provision applies to any person who does an act described in that provision, including, in particular, a person who obtains protected health information in a manner that causes a covered entity to violate the statute or regulations. We conclude that an analysis of liability under section 1320d-6 must begin with covered entities, the only persons to whom the standards apply. If the covered entity is not an individual, general principles of corporate criminal liability will determine the entity's liability and that of individuals within the entity, including directors, officers, and employees. Finally, certain conduct of these individuals and that of other persons outside the covered entity, including of recipients of protected information, may be prosecuted in accordance with principles of aiding and abetting liability and of conspiracy liability.
We begin with the language of the statute. See Liparota v. United States, 471 U.S. 419, 424 (1985) ("The definition of the elements of a criminal offense is entrusted to the legislature, particularly in the case of federal crimes, which are solely the creatures of statute."). Section 1320d-6(a) states that:
A person who knowingly and in violation of this part—
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual;
or
(3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section.
42 U.S.C. § 1320d-6(a). Because Congress enacted the Administrative Simplification provisions for the express purpose of facilitating the use of health identifiers and the acquisition and disclosure of health information, an act listed in subsections (a)(1) to (a)(3) must be done "in violation of this part" in order to constitute a criminal offense. The phrase "this part" refers to "Part C – Administrative Simplification," codified at sections 1320d to 1320d-8. Section 1320d-1(a) makes clear that the standards promulgated under Part C apply only to covered entities: "Applicability. Any standard adopted under this part shall apply, in whole or in part, to the following persons: (1) A health plan. (2) A health care clearinghouse. (3) [Certain] health care provider[s.]" Id. § 1320d-1(a); see also 45 C.F.R. § 160.102(a); id. § 162.100; id. § 164.104; Exec. Order No. 13,181, 65 F.R. 81,321 (Dec. 20, 2000), reprinted in 42 U.S.C. § 1320d-2 note ("HIPPA applies only to 'covered entities,' such as health care plans, providers, and clearinghouses. HIPAA regulations therefore do not apply to other organizations and individuals that gain access to protected health information . . . ."). Congress expanded this list to include Medicare prescription drug card sponsors "for purposes of applying part C['s]" Administrative Simplification provisions. 42 U.S.C.A. § 1395w-141(h)(6). And these provisions require only "each person to whom the standard or implementation specification applies"—i.e., the covered entities—to comply with it. Id. § 1320d-4(b). Because Part C makes the standards applicable only to covered entities and because it mandates compliance only by covered entities, only a covered entity may do one of the three listed acts "in violation of this part." Other persons cannot violate Part C directly because the part simply does not apply to them. When the covered entity is not an individual, principles of corporate criminal liability discussed infra will determine when a covered entity has violated Part C and when these violations can be attributed to individuals in the entity.2
That the statute criminalizes the "obtain[ing]" of individually identifiable health information in violation of Part C, id. § 1320d-6(a)(2), in addition to its disclosure, does not convince us that our reading of section 1320d-6 according to its plain terms is incorrect. It could be argued that, by including a distinct prohibition on obtaining health information, the law was intended to reach the acquisition of health information by a person who is not a covered entity but who "obtains" it from such an entity in a manner that causes the entity to violate Part C. Id. Further examining the statute and the regulations, however, reveals that the inclusion of section 1320d-6(a)(2) merely reflects the fact that the statute and the regulations limit the acquisition, as well as the disclosure and use, of information by covered entities. Those sections of the statute authorizing the Secretary of HHS to promulgate regulations speak broadly of adopting standards, inter alia, "for transactions," "providing for a standard unique health identifier," and concerning "security." See id. § 1320d-2. They do not speak only of regulations governing the "use" and "disclosure" of information; the language used in these provisions easily encompasses the acquisition of information.3 Pursuant to this authority, the Secretary has promulgated regulations governing the acquisition of certain information by a covered entity. See, e.g., 45 C.F.R. § 164.500(b)(1) ("When a health care clearinghouse creates or receives protected health information . . . .") (emphasis added); id. § 164.502(b)(1) ("When using or disclosing protected health information or when requesting protected health information from another covered entity . . . .") (emphasis added); id. § 164.514(d)(4)(i) ("A covered entity must limit any request for protected health information to that which is reasonably necessary . . . .") (emphasis added). Failure to comply with these regulations may render a covered entity liable for "obtain[ing] individually identifiable health information" "in violation of this part." 42 U.S.C. § 1320d-6(a)(2).4
The difference between the language used in the civil enforcement provision and that used in the criminal enforcement provision does not support a broader reading of section 1320d-6. The civil enforcement provision makes liable "any person who violates a provision of this part." Id. § 1320d-5(a)(1). The criminal enforcement provision makes it a crime to do certain acts "knowingly and in violation of this part." Id. § 1320d-6(a). To be sure, the statute must be read as a whole and variations in the language of closely related provisions should be given effect if possible. See Bryan v. United States, 524 U.S. 184, 191-93 (1998) (interpreting the requirement that an act be done "willfully" in one subsection of the statute by reference to the "knowingly" requirement contained in other subsections of the same statute). Here, however, the difference in phrasing used in the two provisions does not constitute a basis for concluding that section 1320d-6 reaches persons who are not, or are not part of, a covered entity. Section 1320d-6's use of "in violation of," as opposed to "who violates," reflects only the difference in the scope of the conduct proscribed by the two sections. Section 1320d-5 is phrased as it is—"any person who violates a provision of this part"—because a violation of any of the standards subjects the violator to civil penalties. See 42 U.S.C. § 1320d-5(a). In contrast, criminal punishment is restricted to those violations of the standards—specified in subsections (a)(1) to (a)(3)—that involve the improper use, acquisition, or disclosure of individually identifiable health information or unique health identifiers. See id. § 1320d-6(a). Section 1320d-6(a) makes liable a person who "uses or causes to be used," "obtains," or "discloses" such health information. Id. Having described the prohibited acts using present tense verbs, the provision could not retain the "violates this part" formulation; instead, it uses "in violation of this part" to make clear that only those uses, acquisitions, and disclosures in a manner contrary to the regulations are illegal. The difference in language between section 1320d-5 and section 1320d-6 is thus best understood as nothing more than a grammatical accommodation resulting from the need to describe the acts for which section 1320d-6 prescribes criminal liability.5
Although we conclude that Part C applies only to covered entities, we do not read the term "person" at the beginning of section 1320d-6 to mean "covered entity." Such a reading would not only be contrary to the language of that provision but also create tension with other parts of the statute that appear to use the term broadly, see, e.g., id. § 1320d-6(a)(3) (prohibiting "disclos[ures] to another person"), and with the Dictionary Act, codified at 1 U.S.C. § 1 (2000), which sets forth a presumptively broad definition of person wherever the term is used in the United States Code,6 a definition presumptively applicable here because the defined terms specific to Part C do not include the term "person." See 42 U.S.C. § 1320d. We conclude only that the phrase "in violation of this part" restricts the universe of persons who may be prosecuted directly. Section 1320d-6 provides criminal penalties for "person[s]" who perform the listed acts "knowingly" and "in violation of this part." Id. § 1320d-6. The "in violation of this part" limitation on the scope of liability—like the "knowingly" requirement—is distinct from the definition of "person." It describes that subset of persons who may be held liable, provided that the other elements of the offense are also satisfied. Under this reading of the statute, section 1320d-6(a)(3) continues to make "covered entities" liable for disclosure to any "person."
We have considered other laws using the phrase "in violation of." None of these laws supports the view that, as used in 42 U.S.C. § 1320d-6, the phrase should be read more expansively than we conclude. For instance, several of these laws apply to the public generally, and, accordingly, do not shed light on whether section 1320d-6 allows direct prosecutions of persons other than those to whom the substantive requirements of HIPAA's Part C apply. See, e.g., 18 U.S.C. § 547 (2000) ("Whoever receives or deposits merchandise in any building upon the boundary line between the United States and any foreign country, or carries merchandise through the same, in violation of law . . . .") (emphasis added); 18 U.S.C.A. § 1590 (West Supp. 2004) ("Whoever knowingly recruits, harbors, transports, provides, or obtains by any means, any person for labor or services in violation of this chapter . . . .") (emphasis added). And the phrasing of other laws makes it clear that "in violation of" describes an item involved in the prohibited act, as opposed to the act itself. For instance, 18 U.S.C. § 2113(c) (2000) penalizes "[w]hoever receives . . . property . . . which has been taken . . . in violation of subsection (b) . . . ." Id. In this case, the placement of the phrase "in violation of" following the word "which" makes plain that the phrase describes only the property, a reading confirmed by the provision's use of the passive "has been taken." Id.; see also 18 U.S.C. § 1170(b) (2000) ("Whoever knowingly sells, purchases, uses for profit, or transports for sale or profit any Native American cultural items obtained in violation of the Native American Grave Protection and Repatriation Act . . . .") (emphasis added). In contrast, the phrase "in violation of" in section 1320d-6 does not modify the type of health care information involved in the offense; rather, it relates directly to the acts prohibited by the provision (i.e., "uses or causes to be used," "obtains," or "discloses"). Finally, we have reviewed the cases interpreting these and other potentially analogous provisions and have found none that would cause us to read section 1320d-6 in any way other than in accordance with its plain meaning.7
We conclude, therefore, that an assessment of liability under section 1320d-6 must begin with covered entities. The statute and regulations determine which individuals and entities qualify as a "covered entity." See 42 U.S.C. § 1320d; id. § 1395w-141(h)(1); id. § 1395x; 45 C.F.R. § 160.103.8 A health care provider, is any "person furnishing health care services or supplies," and will be either an individual or an entity. 42 U.S.C. § 1320d(3); see also id. § 1395x. In contrast, a "health care clearinghouse," "health plan," and Medicare "prescription drug card sponsor" will virtually never be an individual. See id. § 1320d(2) & (5); id. § 1395w-141(h)(1)(A). When the covered entity is not an individual, principles of corporate criminal liability will determine the entity's liability and the potential liability of particular individuals who act for the entity. Although we do not elaborate these principles here, in general, the conduct of an entity's agents may be imputed to the entity when the agents act within the scope of their employment, and the criminal intent of agents may be imputed to the entity when the agents act on its behalf. See Kathleen F. Brickley, Corporate Criminal Liability §§ 3-4 (2d ed. 1992). In addition, we recognize that, at least in limited circumstances, the criminal liability of the entity has been attributed to individuals in managerial roles, including, at times, to individuals with no direct involvement in the offense. See id. § 5.9 Consistent with these general principles, it may be that such individuals in particular cases may be prosecuted directly under section 1320d-6.
Other conduct that may not be prosecuted under section 1320d-6 directly may be prosecuted according to principles either of aiding and abetting liability or of conspiracy liability.10 The aiding and abetting statute renders "punishable as a principal" anyone who "commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission" and anyone who "willfully causes an act to be done which if directly performed by him or another would be an offense against the United States." 18 U.S.C. § 2 (2000). And the conspiracy statute prescribes punishment "if two or more persons conspire . . . to commit any offense against the United States . . . and one or more of such persons do any act to effect the object of the conspiracy." 18 U.S.C. § 371 (2000).11 Further discussion of corporate criminal liability, aiding and abetting liability, and conspiracy liability in the absence of a specific factual context would be unfruitful, particularly because the contours of these legal principles may vary by jurisdiction. Accordingly, we leave the scope of criminal liability under these principles for consideration in the ordinary course of prosecutions.12
B.
We address next whether the "knowingly" element of the offense set forth in 42 U.S.C. § 1320d-6 requires the Government to prove only knowledge of the facts that constitute the offense or whether this element also requires proof that the defendant knew that the act violated the law. We conclude that the "knowingly" element is best read, consistent with its ordinary meaning, to require only proof of knowledge of the facts that constitute the offense.
We begin again with the text of 42 U.S.C. § 1320d-6(a). See Liparota, 471 U.S. at 424.
A person who knowingly and in violation of this part—
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual;
or
(3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section.
42 U.S.C. § 1320d-6(a). A plain reading of the text indicates that a person need not know that commission of an act described in subsections (a)(1) to (a)(3) violates the law in order to satisfy the "knowingly" element of the offense. Section 1320d-6 makes the requirements that the act be done "knowingly" and that it be done "in violation of this part" two distinct requirements. Id. § 1320d-6. These two elements do not modify each other; rather, they independently modify "uses or causes to be used," "obtains," and "discloses." For example, defendants will be guilty of an offense if they both "knowingly" "disclose[] individually identifiable health information" and they "in violation of this part" "disclose[] individually identifiable health information." The view that the statute requires proof of knowledge of the law effectively reads "knowingly" to refer to the "violation of this part." But this reading is contrary to the plain language of the statute, which sets forth these terms as two separate elements each independently modifying the third element, i.e., one of the listed acts. Accordingly, to incur criminal liability, a defendant need have knowledge only of those facts that constitute the offense.
Our reading of the "knowingly" element of the offense comports with the usual understanding of the term. The Supreme Court has stated that "unless the text of the statute dictates a different result, the term 'knowingly' merely requires proof of knowledge of the facts that constitute the offense." Bryan, 524 U.S. at 193 (footnote omitted) ("[T]he term 'knowingly' does not necessarily have any reference to a culpable state of mind or to knowledge of the law."). As set forth above, the text of section 1320d-6 does not "dictate[] a different result." Bryan, 524 U.S. at 193. In fact, its text dictates an interpretation consistent with the ordinary understanding of "knowingly" as referring only to "knowledge of the facts that constitute the offense." Id.
The plain meaning of the "knowingly" element of section 1320d-6 must control, "at least where the disposition required by the text is not absurd." Hartford Underwriters Ins. Co. v. Union Planters Bank, N.A., 530 U.S. 1, 6 (2000). We consider whether our reading of the criminal provision is absurd in light of the possible exception to civil liability for reasonable ignorance of the law. Sections 1320d-5 and 1320d-6 operate in a complementary fashion, covering mutually exclusive conduct. See 42 U.S.C § 1320d-5(b)(1) (excepting from civil penalties an act that "constitutes an offense punishable under section 1320d-6 of this title.").13 The civil enforcement section provides, "A penalty may not be imposed . . . if . . . the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision." Id. § 1320d-5(b)(2). Section 1320d-5 therefore may be read to premise civil liability on knowledge that the act in question violated the applicable standard, not just on knowledge that the particular act occurred.14 If civil sanctions (of fines up to $100) may be avoided by establishing reasonable ignorance of the law, it might at first blush appear to be an absurd result to conclude that the significantly more serious criminal punishments (of fines up to $250,000 and imprisonment of up to ten years) may not be similarly excused.
The absurd results canon of construction is "rarely invoke[d] . . . to override unambiguous legislation." Barnhart v. Sigmon Coal Co., Inc., 534 U.S. 438, 459 (2002); Public Citizen v. U.S. Dep't of Justice, 491 U.S. 440, 470-71 (1989) (Kennedy, J., concurring) (noting that the canon is limited "to situations where the result of applying the plain language would be, in a genuine sense, absurd, i.e., where it is quite impossible that Congress could have intended the result, and where the alleged absurdity is so clear as to be obvious to most anyone."). Applying the usual definition of "knowingly" here does not yield an absurd result, and certainly not one so absurd that it would cause us to read the statute contrary to its plain meaning. The argument that the statute should not be read so as to impose criminal punishment on the basis of a lesser degree of intent than that required for civil sanction would be more compelling if sections 1320d-5 and 1320d-6 covered the same acts. But they do not. See 42 U.S.C. § 1320d-5(b)(1). Civil sanctions may be imposed for violations of a wide variety of regulations. For these violations, the statute provides a maximum $100 fine and sets forth certain exceptions to liability. See id. § 1320d-5 ("General penalty for failure to comply with requirements and standards").15 In contrast, of all the possible violations of the regulations, section 1320d-6 carves out a limited set and subjects them to criminal punishment. Such punishment is reserved for violations involving "unique health identifiers" and "individually identifiable health information." See id. § 1320d-6 ("Wrongful disclosure of individually identifiable health information"). Thus, the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals. In light of this concern, there is nothing obviously absurd about the statute's allowing a defense of reasonable ignorance of the law for those regulatory violations subject to civil penalty, but withholding this defense with respect to those violations that threaten the privacy of individuals. Accordingly, even reading section 1320d-6 in light of section 1320d-5(b)'s exception to civil liability for reasonable ignorance of the law gives us no reason to doubt that the plain and ordinary meaning of the "knowingly" element of section 1320d-6 is the correct one.
Nor is it proper to apply here the exception to the usual meaning of "knowingly" exemplified by Liparota. See 471 U.S. at 424-28. Liparota is the case cited by the Supreme Court in Bryan as an example of the exception to the rule—when "the text of the statute dictates a different result"—that "knowingly" refers to the facts that constitute the offense and not to the law. 524 U.S. at 193 & n.15. In Liparota, the Supreme Court held that a statute forbidding fraudulent use of food stamps required proof of knowledge that the use was unauthorized. See 471 U.S. at 433. The statute in that case read: "whoever knowingly uses, transfers, acquires, alters, or possesses coupons or authorization cards in any manner not authorized by this chapter or the regulations issued pursuant to this chapter" shall be guilty of a criminal offense. See id. at 420-21 n.1 (quoting 7 U.S.C. § 2024(b)(1)). This language is at least ambiguous; "knowingly" may modify, for example, either only the verb "uses" or it may modify the entire verbal phrase "uses . . . in any manner not authorized." Id.; see id. at 424 (The "interpretations proffered by both parties accord with congressional intent . . . . [T]he words themselves provide little guidance. Either interpretation would accord with ordinary usage."); id. at 424 n.7 (referring to the statutory language and noting that "[o]ne treatise has aptly summed up the ambiguity in an analogous situation.") (emphasis added). But see Bryan, 524 U.S. at 193 n.15 (citations omitted) (In Liparota, "we concluded that both the term 'knowing' . . . and the term 'knowingly' . . . literally referred to knowledge of the law as well as knowledge of the relevant facts."). The Supreme Court then considered the presumption that criminal statutes contain a mens rea element,16 applied the rule of lenity, and rested its interpretation, in large part, on the concern that the contrary reading would "criminalize a broad range of apparently innocent conduct." See Liparota, 471 U.S. at 426-27.
Here, the "knowingly" element of section 1320d-6 is not ambiguous, see supra; thus, it would be inappropriate to resort to the rule of lenity. See Chapman v. United States, 500 U.S. 453, 463 (1991) ("The rule of lenity . . . is not applicable unless there is a grievous ambiguity or uncertainty in the language and structure of the Act . . . .") (citation and quotation omitted). Moreover, our interpretation of "knowingly" does not dispense with the mens rea requirement of section 1320d-6 and create a strict liability offense; satisfaction of the "knowingly" element will still require proof that the defendant knew the facts that constitute the offense. See Staples v. United States, 511 U.S. 600, 622 n.3 (1994) (Ginsburg, J., concurring) (quotations and citations omitted) ("The mens rea presumption requires knowledge only of the facts that make the defendant's conduct illegal, lest it conflict with the related presumption, deeply rooted in the American legal system, that, ordinarily, ignorance of the law or a mistake of law is no defense to criminal prosecution."). Finally, the concern expressed in Liparota about criminalizing a broad swath of seemingly innocent conduct is less present here. The statute in Liparota criminalized the unauthorized use of food stamps by any participant in the program, as well as by any person who might come in possession of these stamps. See 471 U.S. at 426-27. In contrast, section 1320d-6, as we conclude above, applies directly to covered entities. These covered entities—health plans, health care clearinghouses, certain health care providers, and Medicare prescription drug card sponsors—are likely well aware that the health care business they conduct is heavily regulated by HIPAA and other laws. To the extent that some concern remains, it is insufficient to override the plain meaning of the statute. Accordingly, Liparota provides no support for giving "knowingly" in section 1320d-6 a meaning different from its usual understanding as referring only to knowledge of the facts that constitute the offense.
* * *
For the foregoing reasons, we conclude that covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6 and that the "knowingly" element of the offense set forth in that provision requires only proof of knowledge of the facts that constitute the offense.
STEVEN G. BRADBURY
Principal Deputy Assistant Attorney General
Office of Legal Counsel
1 In reaching the conclusions discussed below, we have considered the views expressed in your submissions concerning the questions you have asked. See Letter for Jack L. Goldsmith III, Assistant Attorney General, Office of Legal Counsel, from Paul B. Murphy, Associate Deputy Attorney General, Re: Request for Office of Legal Counsel Opinion on the Scope of the Criminal Medical Records Privacy Statute, 42 U.S.C. § 1320d-6 (Jan. 16, 2004); Letter for Jack L. Goldsmith III, Assistant Attorney General, Office of Legal Counsel, from Alex M. Azar II, General Counsel, Department of Health and Human Services, Re: Request by the Office of Legal Counsel for HHS Views on 42 U.S.C. § 1320d-6 (Mar. 18, 2004); Memorandum for Jack L. Goldsmith III, Assistant Attorney General, Office of Legal Counsel, from Christopher A. Wray, Assistant Attorney General, Criminal Division, Re: Criminal Division Position on the Scope of the Criminal Medical Records Privacy Statute, 42 U.S.C. § 1320d-6 (May 27, 2004), attaching Memorandum for File from Ian C. Smith DeWaal, Senior Counsel, Criminal Division, Re: CRM response to HHS-OGC Letter (May 20, 2004); Letter for Dan Levin, Acting Assistant Attorney General, Office of Legal Counsel, from Alex M. Azar II, General Counsel, Department of Health and Human Services (Aug. 6, 2004); Electronic mail with attachment for John C. Demers, Attorney-Adviser, Office of Legal Counsel, from Ian C. Smith DeWaal, Senior Counsel, Criminal Division, Re: 42 U.S.C. 1320d-6 (Nov. 15, 2004); Letter for John C. Demers, Attorney-Adviser, Office of Legal Counsel, from Paula M. Stannard, Deputy General Counsel, Department of Health and Human Services (Dec. 21, 2004); Letter for John C. Demers, Attorney-Adviser, Office of Legal Counsel, from Paula M. Stannard, Deputy General Counsel, Department of Health and Human Services, Re: Scope of Enforcement Under 42 U.S.C. § 1320d-6; Draft Opinion of December 17, 2004 – Request for Comments (Dec. 23, 2004); Memorandum for File from Ian C. Smith DeWaal, Senior Counsel, Criminal Division, Re: Comments on the Revised OLC Draft Opinion on the HIPAA Criminal Medical Privacy Statute (transmitted February 18, 2005); Memorandum for Steven G. Bradbury, Principal Deputy Assistant Attorney General, Office of Legal Counsel, from John McKay, United States Attorney for the Western District of Washington, Re: Scope of Criminal Prosecutions under HIPAA (Mar. 17, 2005); Memorandum for Steven G. Bradbury, Principal Deputy Assistant Attorney General, Office of Legal Counsel, from Michael Sullivan, United States Attorney for the District of Massachusetts, Re: Scope of Criminal Prosecutions under HIPAA (Mar. 20, 2005); Letter for John C. Demers, Attorney-Adviser, Office of Legal Counsel, from Paula M. Stannard, Deputy General Counsel, Department of Health and Human Services, Re: Scope of 42 U.S.C. § 1320d-6 (May 5, 2005). We appreciate the thoroughness and thoughtfulness of these submissions.
2 We express no opinion in this memorandum as to whether any particular person or entity may qualify as a covered entity for purposes of liability under sections 1320d-5 or 1320d-6.
3 The only statutory section cast in terms of "use" and "disclosure" is the requirement that the Secretary submit to Congress "recommendations on standards with respect to the privacy of individually identifiable health information . . . address[ing] at least . . . the uses and disclosures of such information . . . ." Id. § 1320d-2 note. But as discussed above, this quoted language is not found in the main provisions of HIPAA that grant the Secretary authority to promulgate regulations; those provisions use broader terminology that easily includes the authority to regulate the acquisition of information. See id. § 1320d-2. Instead, this section solicited recommendations for further legislation concerning health privacy, facilitated congressional oversight of the privacy rules the Secretary developed, and required the Secretary to issue such rules if Congress did not act on the recommendations within a certain time period; it is not a restriction of the authority given elsewhere in the statute. See infra n. 12. And on its face this provision does not purport to describe the extent of the Secretary's authority, as it requires the privacy recommendations to address "at least" the "uses" and "disclosures" of covered information. Id. § 1320d-2 note (emphasis added); see also id. (same with respect to the privacy regulations). Finally, a rule "address[ing]" the "disclosure" of information may well regulate the acquisition of information by a covered entity because obtaining information generally involves the "disclosure" of it by another person. The provision's use of the noun "disclosure," therefore, does not help to answer the question before us.
4 Nor does the inclusion of "causes to be used" as well as "use" in section 1320d-6(a)(1) compel us to conclude—contrary to the plain language of the statute—that the provision renders liable entities that are not covered by the regulations but that "cause" a covered entity to "use" unique health identifiers in violation of the part. This language is better read to cover those instances in which a covered entity causes, in violation of the part, another person to use a unique health identifier, but where the covered entity itself did not use the identifier in an unauthorized manner.
5 At most, the difference in phrasing between section 1320d-5 and section 1320d-6 would render the statute ambiguous. If that were the case, it might be appropriate to apply the rule of lenity and conclude that the statute is best read not to subject to direct prosecution persons other than covered entities and those rendered liable by general principles of corporate criminal liability. See Rewis v. United States, 401 U.S. 808, 812 (1971) ("[A]mbiguity concerning the ambit of criminal statutes should be resolved in favor of lenity."). But as the language of the statute unambiguously compels the same result, we do not apply the rule of lenity here. See Chapman v. United States, 500 U.S. 453, 463 (1991) ("The rule of lenity . . . is not applicable unless there is a grievous ambiguity or uncertainty in the language and structure of the Act . . . .") (citation and quotation omitted).
6 "In determining the meaning of any Act of Congress, unless the context indicates otherwise— the word[] person[] . . . include[s] corporations, companies, associations, firms, partnerships, societies, and joint stock companies, as well as individuals." 1 U.S.C. § 1.
7 Consistent with our reading of 42 U.S.C. § 1320d-6, the Sixth Circuit has held that the Video Privacy Protection Act's ("VPPA") creation of a cause of action for "[a]ny person aggrieved by any act of a person in violation of this section," 18 U.S.C. § 2710(c)(1) (2000), allows suits against only video tape service providers and not against all persons. See Daniel v. Cantrell, 375 F.3d 377, 382-84 (6th Cir. 2004). In that case, the plaintiff had sued several persons who were not video tape service providers, alleging that they had violated the privacy right in his video rental records given him by the statute. Similar to section 1320d-6, the VPPA cause of action provision refers to acts of "a person in violation of this section." 18 U.S.C. § 2710(c)(1). The court reasoned that because the operative provision of the VPPA provides that "[a] video tape service provider who knowingly discloses . . . personally identifiable information . . . shall be liable," id. § 2710(b), only such providers could be "in violation of" the statute. See Daniel, 375 F.3d at 383-84. Accordingly, despite the use of the broad term "person" in section 2710(c)(1), only video tape service providers may be sued under that section. See 375 F.3d at 383-84.
8 The statute and regulations do not limit the actions for which a covered entity may be held liable to those activities that render the person a covered entity. Once a person is a covered entity, he must "comply with [an applicable] standard or specification," 42 U.S.C. § 1320d-4(b)(1)(A) and "may not use or disclose protected health information, except as permitted or required by" the regulations, 45 C.F.R. § 164.502. Thus, a physician who is a covered entity in part because he transmits certain health care information electronically must not disclose such protected information, either electronically or otherwise, except as authorized by the regulations. And a physician who is a covered entity must comply with the standards with respect to protected information concerning both his own patients and those patients he is not treating.
9 "Many regulatory statutes . . . make corporate officials vulnerable to prosecution for criminal conduct in which they did not personally participate and about which they had no personal knowledge." Id. § 5.01; see also United States v. Jorgensen, 144 F.3d 550, 559-60 (8th Cir. 1998) (applying the principle that "a corporate officer who is in a responsible relationship to an activity within a company that violates provisions of . . . federal . . . laws . . . can be held criminally responsible even though that officer did not personally engage in that activity" in the context of a statute that required proof of "intent to defraud" when the defendant possessed the requisite intent) (quotations and citations omitted).
10 Depending on the specific facts and circumstances, such conduct may also be punishable under other federal laws. See, e.g., 18 U.S.C. § 1028 (2000 & West Supp. 2004) (identity theft); id. § 1030 (2000 & West Supp. 2004) (fraudulent access of a computer).
11 For instance, an individual who is not a covered entity who aids or conspires with a covered entity in the use of protected health information in a manner not authorized by the regulations (e.g., to establish a fraudulent billing scheme) could be charged under section 2 or section 371 of title 18.
12 We note that conduct punishable under section 1320d-6 may also be punishable under state law and render a person liable in tort. See generally Peter A. Winn, Confidentiality in Cyberspace: The HIPAA Privacy Rules and the Common Law, 33 Rutgers L.J. 617 (2002). When Congress enacted HIPAA, it was concerned that state statutory and common law provided inadequate and uneven protection for health information. Congress sought to create a nationwide floor for such protection. See Preamble, Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule Preamble"), 65 Fed. Reg. 82,462, 82,463-64 (Dec. 28, 2000). Thus, HIPAA's privacy rules preempt only those contrary state laws that are less stringent than the applicable federal privacy rules. See 42 U.S.C. § 1320d-7(a)(2)(B); 45 C.F.R. § 160.203 ("A standard, requirement, or implementation specification . . . that is contrary to a provision of State law preempts the provision of State law . . . except if . . . (b) [t]he provision of State law relates to the privacy of individually identifiable health information and is more stringent than" the federal standard.). All other criminal and civil liability for breaches of a duty concerning the privacy of health information that existed prior to HIPAA remains after its passage.
Although HIPAA charged the Secretary with promulgating transactional and security standards and defined the entities that would be subject to these standards, Congress did not intend the law to be its last word on the matter of health information privacy. Unable to resolve disagreements among members over the proper privacy safeguards, Congress instructed the Secretary, in HIPAA, to submit "detailed recommendations on standards with respect to the privacy of individually identifiable health information." 42 U.S.C. § 1320d-2 note; see Winn, supra, at 639-40 ("The Rules themselves were the product of a circuitous method devised by Congress when enacting HIPAA to break a legislative deadlock over the issue of national health privacy standards."). And Congress instructed the Secretary to issue regulations concerning such privacy standards if "legislation governing [these] standards" was not enacted by a certain date. 42 U.S.C. § 1320d-2 note. When Congress did not meet the self-imposed deadline to expand privacy protections, the Secretary promulgated the privacy regulations. See Privacy Rule Preamble, 65 Fed. Reg. at 82,469-70. These rules are, by necessity, based on the authority found in the existing HIPAA legislation, which states that "any standard adopted under this part shall apply, in whole or in part, to" the covered entities, 42 U.S.C. § 1320d-1(a), and mandates compliance by "each person to whom the standard or implementation specification applies," id. § 1320d-4(b). Congress, of course, remains free to expand these protections and the liability of persons other than covered entities.
13 Thus, the Secretary may not impose civil sanctions for the commission of an act that subjects a person to the possibility of criminal prosecution, regardless of whether the person is in fact punished criminally.
14 This is not the only possible reading of subsection 1320d-5(b)(2). This subsection is headed "Noncompliance not discovered," and the language of the provision—"the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision"—could be read to refer to ignorance of the facts that constitute the violation, rather than ignorance of the law. 42 U.S.C. § 1320d-5(b)(2). But to answer the questions you have asked, we need not decide which reading is better.
15 In addition to the exception noted above, section 1320d-5(b) contains another defense to liability where "(i) the failure to comply was due to reasonable cause and not to willful neglect; and (ii) the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred." Id. § 1320d-5(b)(3).
16 "[C]riminal offenses requiring no mens rea have a 'generally disfavored status.'" Liparota, 471 U.S. at 426 (quoting United States v. United States Gypsum Co., 438 U.S. 422, 438 (1978)); Staples v. United States, 511 U.S. 600, 606 (1994) ("[S]ome indication of congressional intent, express or implied, is required to dispense with mens rea as an element of a crime.").