Comment: One comment argued that the regulation's reliance upon a "reasonableness" standard criminalizes "unreasonable efforts" without requiring criminal intent or mens rea.
Response: We reject this suggestion because HIPAA clearly provides the criminal intent requirement. Specifically, HIPPA provides that a "person who knowingly and in violation of this part - (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b)." HIPAA section 1177 (emphasis added). Subsection (b) also relies on a knowledge standard in outlining the three levels of criminal sanctions. Thus, Congress, not the Secretary, established the mens rea by including the term "knowingly" in the criminal penalty provisions of HIPAA.