    Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6
Covered entities and those persons rendered accountable by general principles of corporate criminal
  liability may be prosecuted directly under 42 U.S.C. § 1320d-6, and the knowingly element of the
  offense set forth in that provision requires only proof of knowledge of the facts that constitute the
  offense.

                                                                                        June 1, 2005

                MEMORANDUM OPINION FOR THE GENERAL COUNSEL
              OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES
           AND THE SENIOR COUNSEL TO THE DEPUTY ATTORNEY GENERAL

   You have asked jointly for our opinion concerning the scope of 42 U.S.C.
§ 1320d-6 (2000), the criminal enforcement provision of the Administrative
Simplification subtitle of the Health Insurance Portability and Accountability Act
of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (“HIPAA”). Specifically, you have
asked, first, whether the only persons who may be directly liable under section
1320d-6 are those persons to whom the substantive requirements of the subtitle, as
set forth in the regulations promulgated thereunder, apply—i.e., health plans,
health care clearinghouses, certain health care providers, and Medicare prescrip-
tion drug card sponsors—or whether this provision may also render directly liable
other persons, particularly those who obtain protected health information in a
manner that causes a person to whom the substantive requirements of the subtitle
apply to release the information in violation of that law. We conclude that health
plans, health care clearinghouses, those health care providers specified in the
statute, and Medicare prescription drug card sponsors may be prosecuted for
violations of section 1320d-6. In addition, depending on the facts of a given case,
certain directors, officers, and employees of these entities may be liable directly
under section 1320d-6, in accordance with general principles of corporate criminal
liability, as these principles are developed in the course of particular prosecutions.
Other persons may not be liable directly under this provision. The liability of
persons for conduct that may not be prosecuted directly under section 1320d-6 will
be determined by principles of aiding and abetting liability and of conspiracy
liability. Second, you have asked whether the “knowingly” element of section
1320d-6 requires only proof of knowledge of the facts that constitute the offense
or whether this element also requires proof of knowledge that the conduct was
contrary to the statute or regulations. We conclude that “knowingly” refers only to
knowledge of the facts that constitute the offense. 1

    1
      In reaching the conclusions discussed below, we have considered the views expressed in your
submissions concerning the questions you have asked. See Letter for Jack L. Goldsmith III, Assistant
Attorney General, Office of Legal Counsel, from Paul B. Murphy, Associate Deputy Attorney General,
Re: Request for Office of Legal Counsel Opinion on the Scope of the Criminal Medical Records
Privacy Statute, 42 U.S.C. § 1320d-6 (Jan. 16, 2004); Letter for Jack L. Goldsmith III, Assistant




                                                  76
                 Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6


                                                I.

   Congress enacted the Administrative Simplification provisions of HIPAA to
improve “the efficiency and effectiveness of the health care system” by providing
for the “establishment of standards and requirements for the electronic transmis-
sion of certain health information.” 42 U.S.C. § 1320d note (2000). These
provisions added a new “Part C: Administrative Simplification” to title XI of the
Social Security Act and have been codified at 42 U.S.C. §§ 1320d–1320d-8
(2000). Part C directs the Secretary of the Department of Health and Human
Services (“HHS”) to “adopt standards for transactions, and data elements for such
transactions, to enable health information to be exchanged electronically.” Id.
§ 1320d-2(a)(1); see also id. § 1320d-2(b)(1) (requiring the Secretary to adopt
standards concerning unique health identifiers); id. § 1320d-2(c)(1) (same with
respect to code sets); id. § 1320d-2(d)(1) (same with respect to security); id.
§ 1320d-2(e)(1) (same with respect to electronic signatures); id. § 1320d-2(f)
(same with respect to transfer of information among health plans). Various
provisions of this part further specify the standards to be adopted, the factors the
Secretary must consider, the procedures for promulgating the standards, and the
timetable for their adoption. Id. §§ 1320d-1–1320d-3. Pursuant to this authority,
the Secretary has adopted standards and specifications for implementing them. See
45 C.F.R. pts. 160–164 (2004).


Attorney General, Office of Legal Counsel, from Alex M. Azar II, General Counsel, Department of
Health and Human Services, Re: Request by the Office of Legal Counsel for HHS Views on 42 U.S.C.
§ 1320d-6 (Mar. 18, 2004); Memorandum for Jack L. Goldsmith III, Assistant Attorney General, Office
of Legal Counsel, from Christopher A. Wray, Assistant Attorney General, Criminal Division, Re:
Criminal Division Position on the Scope of the Criminal Medical Records Privacy Statute, 42 U.S.C.
§ 1320d-6 (May 27, 2004) (attaching Memorandum for File, from Ian C. Smith DeWaal, Senior
Counsel, Criminal Division, Re: CRM response to HHS-OGC Letter (May 20, 2004)); Letter for Dan
Levin, Acting Assistant Attorney General, Office of Legal Counsel, from Alex M. Azar II, General
Counsel, Department of Health and Human Services (Aug. 6, 2004); E-mail for John C. Demers,
Attorney-Adviser, Office of Legal Counsel, from Ian C. Smith DeWaal, Senior Counsel, Criminal
Division, Re: 42 U.S.C. 1320d-6 (Nov. 15, 2004) (with attachment); Letter for John C. Demers,
Attorney-Adviser, Office of Legal Counsel, from Paula M. Stannard, Deputy General Counsel,
Department of Health and Human Services (Dec. 21, 2004); Letter for John C. Demers, Attorney-
Adviser, Office of Legal Counsel, from Paula M. Stannard, Deputy General Counsel, Department of
Health and Human Services, Re: Scope of Enforcement Under 42 U.S.C. § 1320d-6; Draft Opinion of
December 17, 2004—Request for Comments (Dec. 23, 2004); Memorandum for File, from Ian C. Smith
DeWaal, Senior Counsel, Criminal Division, Re: Comments on the Revised OLC Draft Opinion on the
HIPAA Criminal Medical Privacy Statute (transmitted Feb. 18, 2005); Memorandum for Steven G.
Bradbury, Principal Deputy Assistant Attorney General, Office of Legal Counsel, from John McKay,
United States Attorney for the Western District of Washington, Re: Scope of Criminal Prosecutions
under HIPAA (Mar. 17, 2005); Memorandum for Steven G. Bradbury, Principal Deputy Assistant
Attorney General, Office of Legal Counsel, from Michael Sullivan, United States Attorney for the
District of Massachusetts, Re: Scope of Criminal Prosecutions under HIPAA (Mar. 20, 2005); Letter
for John C. Demers, Attorney-Adviser, Office of Legal Counsel, from Paula M. Stannard, Deputy
General Counsel, Department of Health and Human Services, Re: Scope of 42 U.S.C. § 1320d-6 (May
5, 2005). We appreciate the thoroughness and thoughtfulness of these submissions.




                                                77
                 Opinions of the Office of Legal Counsel in Volume 29


   Section 1320d-1 specifies the persons to whom the standards apply:

       Any standard adopted under this part shall apply, in whole and in
       part, to the following persons:

          (1) A health plan.

          (2) A health care clearinghouse.

          (3) A health care provider who transmits any health information
          in electronic form in connection with a transaction referred to in
          section 1320d-2(a)(1) of this title.

See also 45 C.F.R. § 160.102(a) (with respect to general administrative require-
ments, “[e]xcept as otherwise provided, the standards, requirements, and imple-
mentation specifications adopted under this subchapter apply to” the entities listed
in section 1320d-1); id. § 162.100 (same with respect to additional administrative
requirements); id. § 164.104 (same with respect to security and privacy regula-
tions). The regulations refer to each of these three groups of persons as a “covered
entity.” Id. § 160.103. To this list of persons to whom the standards apply,
Congress later added Medicare prescription drug card sponsors. Medicare
Prescription Drug, Improvement and Modernization Act of 2003, Pub. L. No. 108-
173, § 101(a)(2), 117 Stat. 2071, 2144 (“For purposes of the program under this
section, the operations of an endorsed program are covered functions and a
prescription drug card sponsor is a covered entity for purposes of applying part C
of title XI and all regulatory provisions promulgated thereunder. . . .”) (codified at
42 U.S.C. § 1395w-141(h)(6)(A) (Supp. III 2004)).
   Various statutes and regulations define these four categories of covered entities.
A “prescription drug card sponsor” is “any nongovernmental entity that the
Secretary [of HHS] determines to be appropriate to offer an endorsed discount
card program” including “a pharmaceutical benefit management company” and
“an insurer.” 42 U.S.C. § 1395w-141(h)(1)(A)(i), (iii) (Supp. III 2004). A “health
plan” is “an individual or group plan that provides, or pays the cost of, medical
care.” Id. § 1320d(5) (2000). A “health care clearinghouse” is an “entity that
processes or facilitates the processing of nonstandard data elements of health
information into standard data elements.” Id. § 1320d(2). Finally, a “health care
provider” is any “person furnishing health care services or supplies,” including a
“provider of services” and a “provider of medical or other health services.” Id.
§ 1320d(3). These latter two terms are further defined in 42 U.S.C. § 1395x
(2000). A “provider of services” is a “hospital, critical access hospital, skilled
nursing facility, comprehensive outpatient rehabilitation facility, home health
agency, [or] hospice program . . . .” Id. § 1395x(u). And a “provider of medical
and other health services” is any person who provides any of a long list of such
services, including “physicians’ services,” “services and supplies . . . furnished as



                                         78
               Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6


an incident to a physician’s professional service, of kinds which are commonly
furnished in physicians’ offices and are commonly either rendered without charge
or included in the physicians’ bills,” “outpatient physical therapy services,”
“qualified psychologist services,” “clinical social worker services,” and certain
services “performed by a nurse practitioner or clinical nurse specialist.” Id.
§ 1395x(s). These health care providers only qualify as covered entities if they
“transmit[] any health information in electronic form in connection with” certain
transactions described in section 1320d-2. Id. § 1320d-1(a)(3). The regulations
further define the covered entities. See 45 C.F.R. § 160.103.
   These covered entities must comply with the regulations promulgated pursuant
to Part C. Section 1320d-4 requires compliance with the regulations within a
certain time period by “each person to whom the standard or implementation
specification [adopted or established under sections 1320d-1 and 1320d-2]
applies.” 42 U.S.C. § 1320d-4(b). Failure to comply with the regulations may
render the covered entity either civilly or criminally liable.
   The statute grants to the Secretary of HHS the authority for civil enforcement
of the standards. Section 1320d-5(a) states, “Except as provided in subsection (b)
of this section, the Secretary shall impose on any person who violates a provision
of this part a penalty of not more than $100 for each such violation . . . .” Id.
§ 1320d-5(a)(1). Subsection (b) provides for three exceptions. First, a civil
“penalty may not be imposed . . . with respect to an act if the act constitutes an
offense punishable under” the criminal enforcement provision. Id. § 1320d-
5(b)(1). Second, a civil “penalty may not be imposed . . . with respect to a
provision of this part if it is established to the satisfaction of the Secretary that the
person liable for the penalty did not know, and by exercising reasonable diligence
would not have known, that such person violated the provision.” Id. § 1320d-
5(b)(2). Third, a civil “penalty may not be imposed . . . if the failure to comply
was due to reasonable cause and not to willful neglect; and the failure to comply is
corrected” within a specified period of time. Id. § 1320d-5(b)(3).
   The statute prescribes criminal sanctions only for those violations of the stan-
dards that involve the disclosure of “unique health identifiers,” id. § 1320d-6(a), or
of “individually identifiable health information,” id., that is, that subset of health
information that, inter alia, “identifies the individual” or “with respect to which
there is a reasonable basis to believe that the information can be used to identify
the individual,” id. § 1320d(6). More specifically, section 1320d-6(a) provides:

       A person who knowingly and in violation of this part—

          (1) uses or causes to be used a unique health identifier;

          (2) obtains individually identifiable health information relating to
          an individual; or




                                           79
                 Opinions of the Office of Legal Counsel in Volume 29


         (3) discloses individually identifiable health information to anoth-
         er person,

      shall be punished as provided in subsection (b) of this section.

Subsection (b) sets forth a tiered penalty scheme. A violation of subsection (a) is
punishable generally as a misdemeanor by a fine of not more than $50,000 and/or
imprisonment for not more than one year. Id. § 1320d-6(b)(1). Certain aggravating
circumstances may make the offense a felony. Subsection (b)(2) provides for a
maximum penalty of a $100,000 fine and/or five-year imprisonment for violations
committed under false pretenses. Id. § 1320d-6(b)(2). And subsection (b)(3)
reserves the statute’s highest penalties—a fine of not more than $250,000 and/or
imprisonment of not more than ten years—for those offenses committed “with
intent to sell, transfer, or use individually identifiable health information for
commercial advantage, personal gain, or malicious harm.” Id. § 1320d-6(b)(3).

                                         II.

                                         A.

   We address first which persons may be prosecuted under the criminal en-
forcement provision, section 1320d-6. Specifically, we address whether section
1320d-6 renders liable only covered entities or whether the provision applies to
any person who does an act described in that provision, including, in particular,
a person who obtains protected health information in a manner that causes a
covered entity to violate the statute or regulations. We conclude that an analysis
of liability under section 1320d-6 must begin with covered entities, the only
persons to whom the standards apply. If the covered entity is not an individual,
general principles of corporate criminal liability will determine the entity’s
liability and that of individuals within the entity, including directors, officers,
and employees. Finally, certain conduct of these individuals and that of other
persons outside the covered entity, including of recipients of protected infor-
mation, may be prosecuted in accordance with principles of aiding and abetting
liability and of conspiracy liability.
   We begin with the language of the statute. See Liparota v. United States, 471
U.S. 419, 424 (1985) (“The definition of the elements of a criminal offense is
entrusted to the legislature, particularly in the case of federal crimes, which are
solely the creatures of statute.”). Section 1320d-6(a) states that:

      A person who knowingly and in violation of this part—

         (1) uses or causes to be used a unique health identifier;




                                         80
                Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6


           (2) obtains individually identifiable health information relating to
           an individual; or

           (3) discloses individually identifiable health information to anoth-
           er person,

       shall be punished as provided in subsection (b) of this section.

Because Congress enacted the Administrative Simplification provisions for the
express purpose of facilitating the use of health identifiers and the acquisition and
disclosure of health information, an act listed in subsections (a)(1) to (a)(3) must
be done “in violation of this part” in order to constitute a criminal offense. The
phrase “this part” refers to “Part C—Administrative Simplification,” codified at
sections 1320d to 1320d-8. Section 1320d-1(a) makes clear that the standards
promulgated under Part C apply only to covered entities: “Applicability. Any
standard adopted under this part shall apply, in whole or in part, to the following
persons: (1) A health plan. (2) A health care clearinghouse. (3) [Certain] health
care provider[s] . . . .” Id. § 1320d-1(a); see also 45 C.F.R. § 160.102(a); id.
§ 162.100; id. § 164.104; Exec. Order No. 13,181, 65 Fed. Reg. 81,321 (Dec. 20,
2000), reprinted in 42 U.S.C. § 1320d-2 note (“HIPAA applies only to ‘covered
entities,’ such as health care plans, providers, and clearinghouses. HIPAA
regulations therefore do not apply to other organizations and individuals that gain
access to protected health information . . . .”). Congress expanded this list to
include Medicare prescription drug card sponsors “for purposes of applying part
C[’s]” Administrative Simplification provisions. 42 U.S.C. § 1395w-141(h)(6)(A).
And these provisions require only “each person to whom the standard or imple-
mentation specification applies”—i.e., the covered entities—to comply with it. Id.
§ 1320d-4(b). Because Part C makes the standards applicable only to covered
entities and because it mandates compliance only by covered entities, only a
covered entity may do one of the three listed acts “in violation of this part.” Other
persons cannot violate Part C directly because the part simply does not apply to
them. When the covered entity is not an individual, principles of corporate
criminal liability discussed infra will determine when a covered entity has violated
Part C and when these violations can be attributed to individuals in the entity. 2
   That the statute criminalizes the “obtain[ing]” of individually identifiable health
information in violation of Part C, id. § 1320d-6(a)(2), in addition to its disclosure,
does not convince us that our reading of section 1320d-6 according to its plain
terms is incorrect. It could be argued that, by including a distinct prohibition on
obtaining health information, the law was intended to reach the acquisition of
health information by a person who is not a covered entity but who “obtains” it


   2
     We express no opinion in this memorandum as to whether any particular person or entity may
qualify as a covered entity for purposes of liability under sections 1320d-5 or 1320d-6.




                                              81
                      Opinions of the Office of Legal Counsel in Volume 29


from such an entity in a manner that causes the entity to violate Part C. Id. Further
examining the statute and the regulations, however, reveals that the inclusion of
section 1320d-6(a)(2) merely reflects the fact that the statute and the regulations
limit the acquisition, as well as the disclosure and use, of information by covered
entities. Those sections of the statute authorizing the Secretary of HHS to promul-
gate regulations speak broadly of adopting standards, inter alia, “for transactions,”
“providing for a standard unique health identifier,” and concerning “security.” Id.
§ 1320d-2(a)(1)(A), (b)(1), (d). They do not speak only of regulations governing
the “use” and “disclosure” of information; the language used in these provisions
easily encompasses the acquisition of information. 3 Pursuant to this authority, the
Secretary has promulgated regulations governing the acquisition of certain
information by a covered entity. See, e.g., 45 C.F.R. § 164.500(b)(1) (“When a
health care clearinghouse creates or receives protected health information . . . .”)
(emphasis added); id. § 164.502(b)(1) (“When using or disclosing protected health
information or when requesting protected health information from another
covered entity . . . .”) (emphasis added); id. § 164.514(d)(4)(i) (“A covered entity
must limit any request for protected health information to that which is reasonably
necessary . . . .”) (emphasis added). Failure to comply with these regulations may
render a covered entity liable for “obtain[ing] individually identifiable health
information” “in violation of this part.” 42 U.S.C. § 1320d-6(a)(2). 4
   The difference between the language used in the civil enforcement provision
and that used in the criminal enforcement provision does not support a broader
reading of section 1320d-6. The civil enforcement provision makes liable “any

    3
      The only statutory section cast in terms of “use” and “disclosure” is the requirement that the
Secretary submit to Congress “recommendations on standards with respect to the privacy of individual-
ly identifiable health information . . . address[ing] at least . . . the uses and disclosures of such informa-
tion.” Id. § 1320d-2 note. But as discussed above, this quoted language is not found in the main
provisions of HIPAA that grant the Secretary authority to promulgate regulations; those provisions use
broader terminology that easily includes the authority to regulate the acquisition of information. See id.
§ 1320d-2. Instead, this section solicited recommendations for further legislation concerning health
privacy, facilitated congressional oversight of the privacy rules the Secretary developed, and required
the Secretary to issue such rules if Congress did not act on the recommendations within a certain time
period; it is not a restriction of the authority given elsewhere in the statute. See infra note 12. And on its
face this provision does not purport to describe the extent of the Secretary’s authority, as it requires the
privacy recommendations to address “at least” the “uses” and “disclosures” of covered information. Id.
§ 1320d-2 note (emphasis added); see also id. (same with respect to the privacy regulations). Finally, a
rule “address[ing]” the “disclosure” of information may well regulate the acquisition of information by
a covered entity because obtaining information generally involves the “disclosure” of it by another
person. The provision’s use of the noun “disclosure,” therefore, does not help to answer the question
before us.
    4
      Nor does the inclusion of “causes to be used” as well as “use” in section 1320d-6(a)(1) compel us
to conclude—contrary to the plain language of the statute—that the provision renders liable entities that
are not covered by the regulations but that “cause” a covered entity to “use” unique health identifiers in
violation of the part. This language is better read to cover those instances in which a covered entity
causes, in violation of the part, another person to use a unique health identifier, but where the covered
entity itself did not use the identifier in an unauthorized manner.




                                                     82
                  Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6


person who violates a provision of this part.” Id. § 1320d-5(a)(1). The criminal
enforcement provision makes it a crime to do certain acts “knowingly and in
violation of this part.” Id. § 1320d-6(a). To be sure, the statute must be read as a
whole and variations in the language of closely related provisions should be given
effect if possible. See Bryan v. United States, 524 U.S. 184, 191–93 (1998)
(interpreting the requirement that an act be done “willfully” in one subsection of
the statute by reference to the “knowingly” requirement contained in other
subsections of the same statute). Here, however, the difference in phrasing used in
the two provisions does not constitute a basis for concluding that section 1320d-6
reaches persons who are not, or are not part of, a covered entity. Section 1320d-6’s
use of “in violation of,” as opposed to “who violates,” reflects only the difference
in the scope of the conduct proscribed by the two sections. Section 1320d-5 is
phrased as it is—“any person who violates a provision of this part”—because a
violation of any of the standards subjects the violator to civil penalties. 42 U.S.C.
§ 1320d-5(a)(1). In contrast, criminal punishment is restricted to those violations
of the standards—specified in subsections (a)(1) to (a)(3) of section 1320d-6(a)—
that involve the improper use, acquisition, or disclosure of individually identifiable
health information or unique health identifiers. Section 1320d-6(a) makes liable a
person who “uses or causes to be used,” “obtains,” or “discloses” such health
information. Having described the prohibited acts using present tense verbs, the
provision could not retain the “violates this part” formulation; instead, it uses “in
violation of this part” to make clear that only those uses, acquisitions, and
disclosures in a manner contrary to the regulations are illegal. The difference in
language between section 1320d-5 and section 1320d-6 is thus best understood as
nothing more than a grammatical accommodation resulting from the need to
describe the acts for which section 1320d-6 prescribes criminal liability. 5
   Although we conclude that Part C applies only to covered entities, we do not
read the term “person” at the beginning of section 1320d-6 to mean “covered
entity.” Such a reading would not only be contrary to the language of that
provision but also create tension with other parts of the statute that appear to use
the term broadly, see, e.g., id. § 1320d-6(a)(3) (prohibiting “disclos[ures] to
another person”), and with the Dictionary Act, codified at 1 U.S.C. § 1 (2000),
which sets forth a presumptively broad definition of person wherever the term is



    5
      At most, the difference in phrasing between section 1320d-5 and section 1320d-6 would render
the statute ambiguous. If that were the case, it might be appropriate to apply the rule of lenity and
conclude that the statute is best read not to subject to direct prosecution persons other than covered
entities and those rendered liable by general principles of corporate criminal liability. See Rewis v.
United States, 401 U.S. 808, 812 (1971) (“[A]mbiguity concerning the ambit of criminal statutes
should be resolved in favor of lenity.”). But as the language of the statute unambiguously compels the
same result, we do not apply the rule of lenity here. See Chapman v. United States, 500 U.S. 453, 463
(1991) (“The rule of lenity . . . is not applicable unless there is a grievous ambiguity or uncertainty in
the language and structure of the Act . . . .”) (citation and quotation omitted).




                                                   83
                      Opinions of the Office of Legal Counsel in Volume 29


used in the United States Code, 6 a definition presumptively applicable here
because the defined terms specific to Part C do not include the term “person.” See
42 U.S.C. § 1320d. We conclude only that the phrase “in violation of this part”
restricts the universe of persons who may be prosecuted directly. Section 1320d-6
provides criminal penalties for “person[s]” who perform the listed acts “knowing-
ly” and “in violation of this part.” Id. § 1320d-6. The “in violation of this part”
limitation on the scope of liability—like the “knowingly” requirement—is distinct
from the definition of “person.” It describes that subset of persons who may be
held liable, provided that the other elements of the offense are also satisfied. Under
this reading of the statute, section 1320d-6(a)(3) continues to make “covered
entities” liable for disclosure to any “person.”
   We have considered other laws using the phrase “in violation of.” None of
these laws supports the view that, as used in 42 U.S.C. § 1320d-6, the phrase
should be read more expansively than we conclude. For instance, several of these
laws apply to the public generally, and, accordingly, do not shed light on whether
section 1320d-6 allows direct prosecutions of persons other than those to whom
the substantive requirements of HIPAA’s Part C apply. See, e.g., 18 U.S.C. § 547
(2000) (“Whoever receives or deposits merchandise in any building upon the
boundary line between the United States and any foreign country, or carries
merchandise through the same, in violation of law . . . .”) (emphasis added); 18
U.S.C. § 1590 (2000) (“Whoever knowingly recruits, harbors, transports, provides,
or obtains by any means, any person for labor or services in violation of this
chapter . . . .”) (emphasis added). And the phrasing of other laws makes it clear
that “in violation of” describes an item involved in the prohibited act, as opposed
to the act itself. For instance, 18 U.S.C. § 2113(c) (2000) penalizes “[w]hoever
receives . . . property . . . which has been taken . . . in violation of subsection
(b) . . . .” Id. In this case, the placement of the phrase “in violation of” following
the word “which” makes plain that the phrase describes only the property, a
reading confirmed by the provision’s use of the passive “has been taken.” Id.; see
also 18 U.S.C. § 1170(b) (2000) (“Whoever knowingly sells, purchases, uses for
profit, or transports for sale or profit any Native American cultural items obtained
in violation of the Native American Grave Protection and Repatriation Act . . . .”)
(emphasis added). In contrast, the phrase “in violation of” in section 1320d-6 does
not modify the type of health care information involved in the offense; rather, it
relates directly to the acts prohibited by the provision (i.e., “uses or causes to be
used,” “obtains,” or “discloses”). Finally, we have reviewed the cases interpreting
these and other potentially analogous provisions and have found none that would




   6
      “In determining the meaning of any Act of Congress, unless the context indicates otherwise— the
word[] person[] . . . include[s] corporations, companies, associations, firms, partnerships, societies, and
joint stock companies, as well as individuals.” 1 U.S.C. § 1.




                                                    84
                  Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6


cause us to read section 1320d-6 in any way other than in accordance with its plain
meaning. 7
   We conclude, therefore, that an assessment of liability under section 1320d-6
must begin with covered entities. The statute and regulations determine which
individuals and entities qualify as a “covered entity.” See 42 U.S.C. § 1320d; id.
§ 1395w-141(h)(1); id. § 1395x; 45 C.F.R. § 160.103. 8 A health care provider is
any “person furnishing health care services or supplies,” and will be either an
individual or an entity. 42 U.S.C. § 1320d(3); see also id. § 1395x. In contrast, a
“health care clearinghouse,” “health plan,” and Medicare “prescription drug card
sponsor” will virtually never be an individual. See id. § 1320d(2) & (5); id.
§ 1395w-141(h)(1)(A). When the covered entity is not an individual, principles of
corporate criminal liability will determine the entity’s liability and the potential
liability of particular individuals who act for the entity. Although we do not
elaborate these principles here, in general, the conduct of an entity’s agents may be
imputed to the entity when the agents act within the scope of their employment,
and the criminal intent of agents may be imputed to the entity when the agents act
on its behalf. See Kathleen F. Brickley, Corporate Criminal Liability §§ 3–4 (2d
ed. 1992). In addition, we recognize that, at least in limited circumstances, the
criminal liability of the entity has been attributed to individuals in managerial
roles, including, at times, to individuals with no direct involvement in the offense.
See id. § 5. 9 Consistent with these general principles, it may be that such individu-
als in particular cases may be prosecuted directly under section 1320d-6.


    7
      Consistent with our reading of 42 U.S.C. § 1320d-6, the Sixth Circuit has held that the Video
Privacy Protection Act’s (“VPPA”) creation of a cause of action for “[a]ny person aggrieved by any act
of a person in violation of this section,” 18 U.S.C. § 2710(c)(1) (2000), allows suits against only video
tape service providers and not against all persons. See Daniel v. Cantrell, 375 F.3d 377, 382–84 (6th
Cir. 2004). In that case, the plaintiff had sued several persons who were not video tape service
providers, alleging that they had violated the privacy right in his video rental records given him by the
statute. Similar to section 1320d-6, the VPPA cause of action provision refers to acts of “a person in
violation of this section.” 18 U.S.C. § 2710(c)(1). The court reasoned that because the operative
provision of the VPPA provides that “[a] video tape service provider who knowingly discloses . . .
personally identifiable information . . . shall be liable,” id. § 2710(b), only such providers could be “in
violation of” the statute. Daniel, 375 F.3d at 383–84. Accordingly, despite the use of the broad term
“person” in section 2710(c)(1), only video tape service providers may be sued under that section.
    8
      The statute and regulations do not limit the actions for which a covered entity may be held liable
to those activities that render the person a covered entity. Once a person is a covered entity, he must
“comply with [an applicable] standard or specification,” 42 U.S.C. § 1320d-4(b)(1)(A) and “may not
use or disclose protected health information, except as permitted or required by” the regulations, 45
C.F.R. § 164.502. Thus, a physician who is a covered entity in part because he transmits certain health
care information electronically must not disclose such protected information, either electronically or
otherwise, except as authorized by the regulations. And a physician who is a covered entity must
comply with the standards with respect to protected information concerning both his own patients and
those patients he is not treating.
    9
      “Many regulatory statutes . . . make corporate officials vulnerable to prosecution for criminal
conduct in which they did not personally participate and about which they had no personal knowledge.”
Id. § 5.01; see also United States v. Jorgensen, 144 F.3d 550, 559–60 (8th Cir. 1998) (applying the




                                                    85
                      Opinions of the Office of Legal Counsel in Volume 29


   Other conduct that may not be prosecuted under section 1320d-6 directly may
be prosecuted according to principles either of aiding and abetting liability or of
conspiracy liability. 10 The aiding and abetting statute renders “punishable as a
principal” anyone who “commits an offense against the United States or aids,
abets, counsels, commands, induces or procures its commission” and anyone who
“willfully causes an act to be done which if directly performed by him or another
would be an offense against the United States.” 18 U.S.C. § 2 (2000). And the
conspiracy statute prescribes punishment “if two or more persons conspire . . . to
commit any offense against the United States . . . and one or more of such persons
do any act to effect the object of the conspiracy.” 18 U.S.C. § 371 (2000). 11 Further
discussion of corporate criminal liability, aiding and abetting liability, and
conspiracy liability in the absence of a specific factual context would be unfruitful,
particularly because the contours of these legal principles may vary by jurisdic-
tion. Accordingly, we leave the scope of criminal liability under these principles
for consideration in the ordinary course of prosecutions. 12

                                                     B.

   We address next whether the “knowingly” element of the offense set forth in 42
U.S.C. § 1320d-6 requires the government to prove only knowledge of the facts
that constitute the offense or whether this element also requires proof that the
defendant knew that the act violated the law. We conclude that the “knowingly”

principle that “a corporate officer who is in a responsible relationship to an activity within a company
that violates provisions of . . . federal . . . laws . . . can be held criminally responsible even though that
officer did not personally engage in that activity” in the context of a statute that required proof of
“intent to defraud” when the defendant possessed the requisite intent) (quotations and citations
omitted).
    10
       Depending on the specific facts and circumstances, such conduct may also be punishable under
other federal laws. See, e.g., 18 U.S.C. § 1028 (2000 & Supp. III 2004) (identity theft); id. § 1030
(2000 & Supp. III 2004) (fraudulent access of a computer).
    11
       For instance, an individual who is not a covered entity who aids or conspires with a covered
entity in the use of protected health information in a manner not authorized by the regulations (e.g., to
establish a fraudulent billing scheme) could be charged under section 2 or section 371 of title 18.
    12
       We note that conduct punishable under section 1320d-6 may also be punishable under state law
and render a person liable in tort. See generally Peter A. Winn, Confidentiality in Cyberspace: The
HIPAA Privacy Rules and the Common Law, 33 Rutgers L.J. 617 (2002). When Congress enacted
HIPAA, it was concerned that state statutory and common law provided inadequate and uneven
protection for health information. Congress sought to create a nationwide floor for such protection. See
Preamble, Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule
Preamble”), 65 Fed. Reg. 82,462, 82,463–64 (Dec. 28, 2000). Thus, HIPAA’s privacy rules preempt
only those contrary state laws that are less stringent than the applicable federal privacy rules. See 42
U.S.C. § 1320d-7(a)(2)(B); 45 C.F.R. § 160.203(b) (“A standard, requirement, or implementation
specification . . . that is contrary to a provision of State law preempts the provision of State law . . .
except if . . . [t]he provision of State law relates to the privacy of individually identifiable health
information and is more stringent than” the federal standard.). All other criminal and civil liability for
breaches of a duty concerning the privacy of health information that existed prior to HIPAA remains
after its passage.




                                                     86
               Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6


element is best read, consistent with its ordinary meaning, to require only proof of
knowledge of the facts that constitute the offense.
    We begin again with the text of 42 U.S.C. § 1320d-6(a). See Liparota, 471 U.S.
at 424.

       A person who knowingly and in violation of this part—

          (1) uses or causes to be used a unique health identifier;

          (2) obtains individually identifiable health information relating to
          an individual; or

          (3) discloses individually identifiable health information to anoth-
          er person, shall be punished as provided in subsection (b) of this
          section.

42 U.S.C. § 1320d-6(a). A plain reading of the text indicates that a person need not
know that commission of an act described in subsections (a)(1) to (a)(3) violates the
law in order to satisfy the “knowingly” element of the offense. Section 1320d-6
makes the requirements that the act be done “knowingly” and that it be done “in
violation of this part” two distinct requirements. These two elements do not modify
each other; rather, they independently modify “uses or causes to be used,” “obtains,”
and “discloses.” For example, defendants will be guilty of an offense if they both
“knowingly” “disclose[] individually identifiable health information” and they “in
violation of this part” “disclose[] individually identifiable health information.” The
view that the statute requires proof of knowledge of the law effectively reads
“knowingly” to refer to the “violation of this part.” But this reading is contrary to the
plain language of the statute, which sets forth these terms as two separate elements
each independently modifying the third element, i.e., one of the listed acts. Accord-
ingly, to incur criminal liability, a defendant need have knowledge only of those
facts that constitute the offense.
   Our reading of the “knowingly” element of the offense comports with the usual
understanding of the term. The Supreme Court has stated that “unless the text of
the statute dictates a different result, the term ‘knowingly’ merely requires proof of
knowledge of the facts that constitute the offense.” Bryan, 524 U.S. at 193
(footnote omitted) (“[T]he term ‘knowingly’ does not necessarily have any
reference to a culpable state of mind or to knowledge of the law.”). As set forth
above, the text of section 1320d-6 does not “dictate[] a different result.” Bryan,
524 U.S. at 193. In fact, its text dictates an interpretation consistent with the
ordinary understanding of “knowingly” as referring only to “knowledge of the
facts that constitute the offense.” Id.
   The plain meaning of the “knowingly” element of section 1320d-6 must con-
trol, “at least where the disposition required by the text is not absurd.” Hartford
Underwriters Ins. Co. v. Union Planters Bank, N.A., 530 U.S. 1, 6 (2000). We



                                           87
                     Opinions of the Office of Legal Counsel in Volume 29


consider whether our reading of the criminal provision is absurd in light of the
possible exception to civil liability for reasonable ignorance of the law. Sections
1320d-5 and 1320d-6 operate in a complementary fashion, covering mutually
exclusive conduct. See 42 U.S.C § 1320d-5(b)(1) (excepting from civil penalties
an act that “constitutes an offense punishable under section 1320d-6 of this
title.”). 13 The civil enforcement section provides, “A penalty may not be im-
posed . . . if . . . the person liable for the penalty did not know, and by exercising
reasonable diligence would not have known, that such person violated the
provision.” Id. § 1320d-5(b)(2). Section 1320d-5 therefore may be read to premise
civil liability on knowledge that the act in question violated the applicable
standard, not just on knowledge that the particular act occurred. 14 If civil sanctions
(of fines up to $100) may be avoided by establishing reasonable ignorance of the
law, it might at first blush appear to be an absurd result to conclude that the
significantly more serious criminal punishments (of fines up to $250,000 and
imprisonment of up to ten years) may not be similarly excused.
    The absurd results canon of construction is “rarely invoke[d] . . . to override
unambiguous legislation.” Barnhart v. Sigmon Coal Co., 534 U.S. 438, 459
(2002); Public Citizen v. Dep’t of Justice, 491 U.S. 440, 470–71 (1989) (Kennedy,
J., concurring) (noting that the canon is limited “to situations where the result of
applying the plain language would be, in a genuine sense, absurd, i.e., where it is
quite impossible that Congress could have intended the result, and where the
alleged absurdity is so clear as to be obvious to most anyone.”). Applying the
usual definition of “knowingly” here does not yield an absurd result, and certainly
not one so absurd that it would cause us to read the statute contrary to its plain
meaning. The argument that the statute should not be read so as to impose criminal
punishment on the basis of a lesser degree of intent than that required for civil
sanction would be more compelling if sections 1320d-5 and 1320d-6 covered the
same acts. But they do not. See 42 U.S.C. § 1320d-5(b)(1). Civil sanctions may be
imposed for violations of a wide variety of regulations. For these violations, the
statute provides a maximum $100 fine and sets forth certain exceptions to liability.
Id. § 1320d-5 (“General penalty for failure to comply with requirements and
standards”). 15 In contrast, of all the possible violations of the regulations, section

    13
       Thus, the Secretary may not impose civil sanctions for the commission of an act that subjects a
person to the possibility of criminal prosecution, regardless of whether the person is in fact punished
criminally.
    14
       This is not the only possible reading of section 1320d-5(b)(2). This paragraph is headed “Non-
compliance not discovered,” and the language of the provision—“the person liable for the penalty did
not know, and by exercising reasonable diligence would not have known, that such person violated the
provision”—could be read to refer to ignorance of the facts that constitute the violation, rather than
ignorance of the law. But to answer the questions you have asked, we need not decide which reading is
better.
    15
       In addition to the exception noted above, section 1320d-5(b) contains another defense to liability
where “(i) the failure to comply was due to reasonable cause and not to willful neglect; and (ii) the
failure to comply is corrected during the 30-day period beginning on the first date the person liable for




                                                   88
                 Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6


1320d-6 carves out a limited set and subjects them to criminal punishment. Such
punishment is reserved for violations involving “unique health identifiers” and
“individually identifiable health information.” Id. § 1320d-6 (“Wrongful disclo-
sure of individually identifiable health information”). Thus, the statute reflects a
heightened concern for violations that intrude upon the medical privacy of
individuals. In light of this concern, there is nothing obviously absurd about the
statute’s allowing a defense of reasonable ignorance of the law for those regula-
tory violations subject to civil penalty, but withholding this defense with respect to
those violations that threaten the privacy of individuals. Accordingly, even reading
section 1320d-6 in light of section 1320d-5(b)’s exception to civil liability for
reasonable ignorance of the law gives us no reason to doubt that the plain and
ordinary meaning of the “knowingly” element of section 1320d-6 is the correct
one.
    Nor is it proper to apply here the exception to the usual meaning of “knowing-
ly” exemplified by Liparota. See id., 471 U.S. at 424–28. Liparota is the case cited
by the Supreme Court in Bryan as an example of the exception to the rule—when
“the text of the statute dictates a different result”—that “knowingly” refers to the
facts that constitute the offense and not to the law. Bryan, 524 U.S. at 193 & n.15.
In Liparota, the Supreme Court held that a statute forbidding fraudulent use of
food stamps required proof of knowledge that the use was unauthorized. 471 U.S.
at 433. The statute in that case read: “whoever knowingly uses, transfers, acquires,
alters, or possesses coupons or authorization cards in any manner not authorized
by this chapter or the regulations issued pursuant to this chapter” shall be guilty of
a criminal offense. Id. at 420–21 n.1 (quoting 7 U.S.C. § 2024(b)(1)). This
language is at least ambiguous; “knowingly” may modify, for example, either only
the verb “uses” or it may modify the entire verbal phrase “uses . . . in any manner
not authorized.” Id.; see id. at 424 (The “interpretations proffered by both parties
accord with congressional intent . . . . [T]he words themselves provide little
guidance. Either interpretation would accord with ordinary usage.”); id. at 424 n.7
(referring to the statutory language and noting that “[o]ne treatise has aptly
summed up the ambiguity in an analogous situation”) (emphasis added). But see
Bryan, 524 U.S. at 193 n.15 (citations omitted) (in Liparota, “we concluded that
both the term ‘knowing’ . . . and the term ‘knowingly’ . . . literally referred to
knowledge of the law as well as knowledge of the relevant facts”). The Supreme
Court then considered the presumption that criminal statutes contain a mens rea
element, 16 applied the rule of lenity, and rested its interpretation, in large part, on


the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply
occurred.” Id. § 1320d-5(b)(3).
    16
       “[C]riminal offenses requiring no mens rea have a ‘generally disfavored status.’” Liparota, 471
U.S. at 426 (quoting United States v. U.S. Gypsum Co., 438 U.S. 422, 438 (1978)); Staples v. United
States, 511 U.S. 600, 606 (1994) (“[S]ome indication of congressional intent, express or implied, is
required to dispense with mens rea as an element of a crime.”).




                                                 89
                 Opinions of the Office of Legal Counsel in Volume 29


the concern that the contrary reading would “criminalize a broad range of appar-
ently innocent conduct.” Liparota, 471 U.S. at 426–27.
    Here, the “knowingly” element of section 1320d-6 is not ambiguous; thus, it
would be inappropriate to resort to the rule of lenity. See Chapman v. United
States, 500 U.S. 453, 463 (1991) (“The rule of lenity . . . is not applicable unless
there is a grievous ambiguity or uncertainty in the language and structure of the
Act . . . .”) (citation and quotation omitted). Moreover, our interpretation of
“knowingly” does not dispense with the mens rea requirement of section 1320d-6
and create a strict liability offense; satisfaction of the “knowingly” element will
still require proof that the defendant knew the facts that constitute the offense. See
Staples v. United States, 511 U.S. 600, 622 n.3 (1994) (Ginsburg, J., concurring)
(“The mens rea presumption requires knowledge only of the facts that make the
defendant’s conduct illegal, lest it conflict with the related presumption, deeply
rooted in the American legal system, that, ordinarily, ignorance of the law or a
mistake of law is no defense to criminal prosecution.”) (quotations and citations
omitted). Finally, the concern expressed in Liparota about criminalizing a broad
swath of seemingly innocent conduct is less present here. The statute in Liparota
criminalized the unauthorized use of food stamps by any participant in the
program, as well as by any person who might come in possession of these stamps.
471 U.S. at 426–27. In contrast, section 1320d-6, as we conclude above, applies
directly to covered entities. These covered entities—health plans, health care
clearinghouses, certain health care providers, and Medicare prescription drug card
sponsors—are likely well aware that the health care business they conduct is
heavily regulated by HIPAA and other laws. To the extent that some concern
remains, it is insufficient to override the plain meaning of the statute. Accordingly,
Liparota provides no support for giving “knowingly” in section 1320d-6 a
meaning different from its usual understanding as referring only to knowledge of
the facts that constitute the offense.

                                         III.

   For the foregoing reasons, we conclude that covered entities and those persons
rendered accountable by general principles of corporate criminal liability may be
prosecuted directly under 42 U.S.C. § 1320d-6 and that the “knowingly” element
of the offense set forth in that provision requires only proof of knowledge of the
facts that constitute the offense.

                                             STEVEN G. BRADBURY
                                     Principal Deputy Assistant Attorney General
                                               Office of Legal Counsel




                                         90
