The federal government probably can’t prosecute individuals for violating the law protecting patient records, according to a published report.[@@]

An opinion recently issued by the Department of Justice states criminal penalties for violating medical privacy rules apply to insurance companies and medical providers but not necessarily to their employees. The rules may not even apply to outsiders who steal patient health records, according to a report in the New York Times.

The unpublished opinion was issued by Steven G. Bradbury, principal deputy assistant attorney general in charge of the office of legal counsel of the Department of Justice, the Times said.

Bradbury said standards for medical confidentiality provided under the Health Insurance Portability and Accountability Act apply to “covered entities,” including insurers and health care providers, according to the Times. People who work for those entities, however, are not automatically covered by HIPAA, which imposes a fine of up to $250,000 and 10 years of imprisonment.

The ruling is binding on the executive branch of the government but not necessarily on judges, the Times noted.