Legal experts say that as long as HIPAA-covered entities play by the rules, they might be spared from prosecution for an employee’s alleged illegal actions.
When HIPAA privacy rules went into effect in 2003, doctors, hospitals and other “covered entities” wondered if the government would go after them for violations made by their employees. A Justice Dept. memo issued June 2005 seemed to make it clear that would be the case.
But as the department began prosecuting the third criminal case involving privacy breaches, its tactics indicate the government isn’t sticking completely with that stance, some legal experts say.