Covered entities and HIPAA: where do employees fit in?

Bruce Schneier thinks that HIPAA, the U.S. medical privacy law, has been gutted. The brouhaha is over details of an as-yet unreleased Department of Justice advisory opinion reported in the New York Times [tedious registration required].

Before buying the idea that the fix is in, read Jeff Drummond's (of HIPAA Blog) first take on it:

There are basically 2 schools of thought here. Washington State's US Attorney (along with my friend AUSA [Assistant US Attorney] Pete Winn) feels that you don't have to be a covered entity to be guilty under HIPAA. There is some precedent to that in federal jurisprudence, that basically goes along the lines that you can't do something through a surrogate that would be illegal for you to do, nor can the surrogate do something through or on behalf of another party if it were illegal for that other party to do it. I think it's a tenuous argument, but I'm not an appellate lawyer (especially not a federal criminal appellate lawyer -- good God, isn't HIPAA boring enough?).

The other school of thought is that HIPAA explicitly applies to covered entities, and to covered entities only. Can a non-covered entity violate a law that does not apply to it? I think this is the better argument... Of course, there's some benefit to covered entities if they can scare their employees with potential jail time for violating the company's HIPAA policies...

As a policy matter, the second school of thought seems fairer to me. And Congress could choose to expand the definition of "covered entities" to all employees of today's covered entities by passing amended legislation, I would think.

The HIPAA Blog post concludes on a related tangent:

Which brings up another good point: even if HIPAA doesn't apply, State laws might. Other federal laws, such as the identity theft laws, might also apply (remember, the big damage and potential big money in HIPAA breaches isn't the medical information; it's the social security numbers, account numbers, credit card numbers, mothers' maiden names, and other things that allow identity theft or credit card or bank scams).

Which reminds me of a semi-disturbing situation I observed recently when I got strep throat (for the second time in a row) and went to the InstaCare. They were fairly busy that evening; as I recall there were four or five other patients ahead of me to see the doctor. While sitting in the waiting area several additional patients came in. During registration (I guess they weren't in the database already; I only had to give my name and confirm my address), they had to recite all kinds of goodies like their full name, date of birth, SSN, address, phone numbers, etc.

I remember thinking that, if I were an identity thief (which I'm not!), this would be a perfect ueber-low risk location to eavesdrop at and pick up all kinds of identity information. Kind of scary!—though on a much lower scale than banks losing millions of SSNs.


—Michael A. Cleverly

Permanent URL for this post: http://blog.cleverly.com/permalinks/143.html