Wrongful disclosure of individually identifiable health information

(a) Offense

A person who knowingly and in violation of this part – (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person,

shall be punished as provided by subsection (b) of this section. …

42 U.S.C. §1320d-6(a) [1]

[Our friend G. Sallust called the other day to ask one of his penetrating questions. “I’m mad as Hell,” he said, “and I’d like you to find the law that’s supposed to protect us from hackers who steal our medical stuff. Isn’t there some statute, HUHUP or something like that, to protect us? Please find out ASAP.” Note that he said “please.” That’s unusual.

To understand the question you need to know more about the questioner. G. gets his healthcare courtesy of a Government agency. Basically he reports to one of their facilities whenever he needs something, and the people there [hopefully] take care of it. Lately he’s noticed that internet cafes, etc. are beginning to pop up wherever he goes, including in government facilities, and when they’re available, he uses them to access the web. The problem is that when he searches for a connection, his computer tells him that some are “secure,” and others are not. Generally he has no access to “secure” connections because he lacks the required passwords. The computer also tells him that outsiders may be able to track his activity on “unsecure” connections.

Now, G. doesn’t really know whether “secure” connections really are – secure, that is – but he’s reasonably certain that the “unsecure” ones really aren’t. So what happens when he uses an iffy connection to tap into his medical records? These are kept in a closely guarded, highly secure network all of their own. That’s one question. The other one is: why would the agency that built said network then sponsor, or encourage, its patients to hook up with an unsecure connection? Remember, an internet cafe is sponsored and/or hosted by the facility he visits. And third, but not least, who’s liable if somebody snags G’s records out of the air while he’s working with them?

This is yet another subject where I’m not an expert. G does that regularly, i.e., asks me about areas where I have no experience. But I can read, so sometimes I come up with an answer or two. But please, please, dear reader, don’t mistake anything that follows for legal advice! If you have questions about your personal situation, hire a competent lawyer and ask him [or her] for advice. I’m not in that business.]

With that said, let’s move on to G’s questions. He’s limited himself to medical records, and that’s a good thing. Lots of data is being stolen around the world, and no doubt there are lots of ways to prosecute the thieves, depending on the facts. But medical records are in a class by themselves, mostly because they’re protected by the Health Insurance Portability and Accountability Act of 1996 [HIPAA].[2]

Covered Entities

Take another look at the quote that begins this piece. HIPAA protects “individually identifiable” health information generated by “covered entities.” Use an individual’s unique health identifier, or obtain his or her identifiable health information, or disclose personal information to someone else, and you’re in trouble.[3] Patients, on the other hand, generally have the right to release their information to others. In our example G doesn’t want to do that.

A “covered entity” is a health plan, a health plan clearinghouse, or a health care provider who transmits health information in electronic form.[4] Medical care provided by government agencies, say to veterans or active duty military, also qualifies as a “health plan” under HIPAA.[5] G. Sallust’s records are exactly the kind HIPAA is supposed to protect, and anyone who steals them could be in trouble, if caught. Any “person” who discloses them “in violation of” the statute could be punished.

So let’s look at that. Suppose the Sallust records get out. Is G partly responsible because he was negligent, i.e., used an unsecured connection? Probably not. We like to blame the victim these days, but still we don’t excuse the burglar who burgles an unlocked house, or the car thief who drives off in an unlocked car. Both still are crimes. Why should the theft of medical data be treated differently?

Is there another way to limit the universe of people who might possibly violate HIPAA? Back when it was enacted, in 1996, attention was focused primarily on the “covered entities,” i.e., on groups that have and transmit medical data about individuals.[6] Were they the only ones regulated? That was argued for some time, but things changed in 2006 when HIPAA was amended to include as defendants people who might obtain or disclose such information “without authorization.”[7] Presumably this group is much broader than medical providers, possibly including the janitor who absconds with paperwork in the night, a doctor who speaks out of turn or, I think, even a hacker who lifts data files via an unsecured internet connection.[8]

Criminal Penalties

HIPAA provides both civil and criminal penalties for its violation. Civil penalties may be imposed by HHS, but criminal penalties are controlled by the Department of Justice. Criminal penalties run up a scale set by the statute. A person who “knowingly obtains or discloses individually identifiable health information” may face a criminal penalty of

  • up to $50,000 and up to one-year imprisonment, or
  • if the wrongful conduct involves false pretenses, up to $100,000 and 5 years imprisonment, or
  • if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm, up to $250,000 and 10 years imprisonment.[9]

That’s kind of interesting, isn’t it? If somebody distributes your “individually identifiable health information” simply to cause malicious harm, that could be worth a $250 thousand fine and/or 10 years in the pokey. Politicians beware, and campaign managers too! There may be limits even to opposition research.

Let’s take another look at the three questions we started with. Can one compromise a private network by accessing it through an unsecured wireless connection? I would think the answer is “yes.” Once you make your online activity visible to others, there’s no reason why the files, etc. that you send and receive would be invisible to hackers looking over your electronic shoulder. Feel free to correct me if you think I’m wrong. We’re all looking for the truth, right?

OK, let’s move on to Question 2. Why in the world would any medical group, Government or not, develop a secure records system and then encourage patients to connect with it via unsecured wireless? Is there any legitimate reason for that? I can’t really think of one. Should we just “follow the money” to see who’s benefiting? Rogue employees, hacker syndicates, or who else? And finally, there’s Question 3. Who’s liable if someone snags patient records through a potentially giant security breach? Probably not the patients; at worst they’re dupes. The people who do the snatch, or trade in the records, are the real culprits. They’re using someone else’s medical records “without authorization,” and they may have co-conspirators and accessories to their operation.

Let the record reflect: I don’t have direct evidence of criminality in the situations – real or hypothetical – we’ve discussed. I’m just saying, somebody should look at the possibilities.

[1] Note that this is a criminal provision, but not codified in Title 18. The official version is available, for free, from the Government Publishing Office at https://www.gpo.gov/. You also can get an unofficial version from LII, hosted by the Cornell University Law School.

[2] For 42 U.S.C. §1320d-6(a), see Pub. Law 104-191, 110 Stat. 2029 (August 21, 1996), as amended.

[3] See 42 U.S.C. §1320d-6(a).

[4] See 45 CFR §160.103, Definitions, available at https://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1-sec160-103.pdf

[5] Id.

[6] See, e.g., the discussion in AIS Health, DOJ Steps Up Enforcement with Indictment of “Loose Lips” Doctor, Hospital Visitor (July 15, 2011), available at http://aishealth.com/archive/hipaa0711-01F. For a lengthy summary of HIPAA privacy, see HHS.gov, Health Information Privacy, Summary of the HIPAA Privacy Rule, available at https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

[7] See 42 U.S.C. §1320d-6(a), second sentence: “For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.”

[8] See, e.g., the discussion in AIS Health, DOJ Steps Up Enforcement with Indictment of “Loose Lips” Doctor, Hospital Visitor (July 15, 2011), available at http://aishealth.com/archive/hipaa0711-01F

[9] See 42 U.S.C. §1320d-6(b). See also HHS, HHS.gov, Health Information Privacy, at Criminal Penalties (no page #), available at https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html