The Justice Department has decided that most health care employees can't be prosecuted for stealing personal data under the Health Insurance Portability and Accountability Act (HIPAA), a privacy law intended to protect medical information.

According to a June 1 memo singed by the Justice Department's Office of Legal Counsel, hospitals, insurers, doctors and other health care providers that bill for their services are subject to criminal prosecution under the law. "But a hospital clerk, for example, and other employees cannot face criminal penalties because the law doesn't apply to them," according to the memo.

The new interpretation has been criticised by privacy law experts and at least one federal prosecutor who managed the one conviction under HIPAA to date.

Robert Gellman, a consultant on privacy and information policy, said the memo leaves the bulk of the health care work force outside that interpretation.

"In terms of the misuse of records, it's not health care professionals who are the likely problems," Gellman said. "This didn't seem to be such a big issue just a few months ago, when they had the prosecution. I find it puzzling."

Last August, U.S. Attorney John McKay's office obtained a guilty plea from a medical technician in Seattle in the one case that reached a final judgment under HIPAA to date. The technician admited he stole the identity of a cancer patient and used the information to obtain credit cards in the patient's name. The technician then bought $9,100 worth of jewelry, video games and a barbecue grill using the cards. He was was sentenced to 16 months in prison.