ABA Health eSource


	Oct 2004 Volume 1 Number 2

Interview with Susan Loitz, Assistant U.S. Attorney
by Alan S. Goldberg

Continued

Alan S. Goldberg: Good morning Susan and thank you for allowing us to interview you. The American Bar Association Health Law Section eSource appreciates your taking the time to share your thoughts with us today. Having been at the U.S. Attorney's office since 1997, surely you have had lots of experience in criminal prosecutions and settlements, some of which may have well been more trying than others. Susan, would you share with us the reason you became a lawyer -- did you always want to be a prosecutor? And before Susan replies, let's be clear: nothing Susan tells us is being communicated for or in behalf of the U.S. Attorney's Office or the Department of Justice or the United States of America, and this interview is for educational purposes only.

Susan Loitz: Thank you. Around the table with my family when I was younger, we were always debating and discussing issues, and perhaps I was drawn to the law because I enjoyed that. Now, I appreciate legal practice, and particularly criminal work, because it is so multi-disciplinary. In addition to legal principles, you have to appreciate human nature, as well as learn facts about so many different subjects. In private practice, I learned a lot about particular businesses, from banking to fishing. Now, doing health care law, I get to learn about medical specialties from podiatry to neurosurgery. I enjoy the challenge of having to make judgments over time as investigations develop, as well as to having to think quickly on my feet when in court.

ASG: I note that you have had much experience in health care litigation in particular during your tenure with the U.S. Attorney's office. What spurred your interest in health care investigations and prosecutions, Susan, please?

SL: I was hired in 1997 by the U.S. Attorney's Office, to do health care fraud cases, and have really learned to enjoyed the practice from the outset. Before being a prosecutor, I had experience with commercial bankruptcy cases in which I sometimes had to deal with allegations of fraud and lying, and attempts to hide or transfer assets, and learned that I really enjoyed digging to get to get to the bottom of things.

ASG: The Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996, and more particularly, the privacy rule promulgated thereunder, has been a controversial area of health law. The Office for Civil Rights has received over 8,000 complaints alleging violations of the privacy rule in some manner. No civil penalties have yet been imposed by OCR and OCR has said that any civil penalties that are imposed will only affect HIPAA covered entities; in other words, a member of a workforce who is not a covered entity appears not to be subject to civil sanctions by OCR. And yet, in United States of American v. Richard W. Gibson, your office prosecuted an individual who appears not to be a covered entity. It appears from the public pleadings and the media reports that the defendant was a member of a covered entity's workforce and, while seemingly not subject to OCR's civil sanctions, is nevertheless being subjected to criminal sanctions. Would you share with us, please, more background information about this case?

SL: First of all, my practice is focused on criminal prosecutions, and I don't typically handle matters that would involve only civil monetary penalties. In connection with the criminal HIPAA statute, whether Mr. Gibson was or was not a covered entity under HIPAA was not of great concern to me, although I note that he is a phlebotomist who was employed by a covered entity. Mr. Gibson had direct contact with patients, and one of them had come to Seattle from outside of the State of Washington in order to receive treatment from the Seattle Cancer Care Alliance, where Mr. Gibson worked. The patient found out that someone had stolen his identity, specifically his name, Social Security number, and date of birth, and used that information to get credit cards in his name. This clearly was unlawful identity theft, but it was also a violation of HIPAA's criminal provisions since the information had been collected from him because he was a patient. With the help of a local television station and local police authorities, Mr. Gibson was identified as the alleged perpetrator. In fact, the television station broadcast a video of Mr. Gibson allegedly using one of the illegally obtained cards, and fellow-employees of Mr. Gibson turned him in. Once it was known that the person identified was a health care worker, our office and the FBI asked to take over the case from the local authorities. We could have charged Mr. Gibson with unlawful identity theft, but the health care connection made it more important that a HIPAA crime should be charged. In my assessment, the sentencing range would not have been any smaller or larger if he had been charged with identity theft alone, or along with the HIPAA violation. By charging him with HIPAA, we brought attention to the most troubling aspect of the case....that a vulnerable cancer patient was taken advantage of by someone who he had looked to care for him, not to harm him. We also brought attention to the HIPAA criminal statute itself, and perhaps this will raise awareness and help deter future crimes.

ASG: The publicity about this case indicates that the information allegedly misused consisted of the name, date of birth, and social security number of a patient of the defendant's employer. Why is this information, which was apparently not "attached" to health information, such as diagnostic or injury information, considered to be individually identifiable health information? Were you treating the information as demographic information?

SL: The information clearly had been collected by the Seattle Cancer Alliance because the patient was being treated there, and so it was demographic information covered by HIPAA. Knowingly using that information for an improper purpose is a crime under HIPAA. Interestingly, Mr. Gibson, after being fired, applied for unemployment compensation and Mr. Gibson told the hearing officer that the patient's information was on a piece of paper lying on the floor in a rest room at the Cancer Center. The administrative law judge indicated he did not believe that explanation, and rather believed that Mr. Gibson had obtained the information from the patient's confidential files. Mr. Gibson was denied unemployment compensation.

ASG: Because this is the first publicly known criminal prosecution under HIPAA's privacy rule, many are concerned about whether this approach indicates a Department of Justice overall approach to considering any individual or entity -- whether or not a covered entity under HIPAA - as being subject to criminal prosecution; is that what is going on, please?

SL: This was not a close call, by any means. We felt that Mr. Gibson clearly violated the HIPAA criminal statute. He knew what he was doing; he did what he intended to do; he was caught in the act of improperly disclosing the patient information; and so we prosecuted him under HIPAA. We could also have prosecuted him under other laws, but HIPAA seemed to be the best approach. We worked with the FBI and local police on this case, and, because we believed this would be the first charge under HIPAA, we advised the Department of Justice before we brought charges. But the prosecution decision was made here in Seattle in the U.S. Attorney's Office. The defendant's employer cooperated completely with us in the investigation, and we did not believe that the employer had culpability for Mr. Gibson's conduct. We did review the patient protection policies and procedures of the employer, and we were satisfied that there was no fault with the employer.

ASG: One of the elements of the crime is "knowingly" and another, for the most serious penalties, is "intent" but unlike the antifraud and other laws, "willful" is not a part of the crime. How are you construing these elements generally please?

SL: We had no problem in concluding that Mr. Gibson knowingly disclosed the protected information for an improper purpose, and further that he acted for personal gain, thereby clearly making it a felony HIPAA offense.

ASG: Some have suggested that regardless whether a person under HIPAA may be a non-covered entity for prosecution purposes, the federal government may use anticonspiracy and antiobstruction of justice and antiaiding and abetting statutes to reach non-covered entities. Would that work for you, Susan?

SL: Because Mr. Gibson acted alone, we did not consider the federal conspiracy statute, but we could if there are two or more coconspirators involved, and we can also use the federal statutes dealing with obstruction of justice and aiding and abetting, if the facts and elements are there. In this case, the defendant has admitted what he has done in open court and in a written plea agreement, which now will be presented to the U.S. district judge, who can either accept or reject the proposed resolution of 10-16 months set forth in the plea agreement. If the plea agreement is accepted, under the U.S. Sentencing Commission Sentencing Guidelines, the defendant will be incarcerated and also could be subjected to a criminal fine by the court. And so far as I know, this is the first case prosecuted by a U.S. Attorney's Office under the HIPAA criminal statute.

ASG: Susan, what advice would you give attorneys in order to enhance their ability further to sensitize clients to potential violations of HIPAA and investigations and prosecutions -- have you any stay out of jail free suggestions?

SL: It is good to take a step back from the details of this case, and to look at your entire procedures with an eye on the purposes of the law in mind: to protect patient information from being used or disclosed for an improper purpose. Clients should be encouraged to deal with problems as they arise and not to let them pass without proper attention. Learn from your own mistakes and those of others, and don't delay making corrections to any holes that you discover in your procedures. And impose appropriate discipline if you discover that an employee has ignored your policies and procedures.

ASG: Many thanks for your thoughtful tips and ideas, Susan. This has been a very informative and helpful opportunity to learn from you. We are appreciative and now much wiser, for sure. Thank you very much.