Some people who criminally violate the law protecting the privacy of medical records may not be subject to government prosecution, a new Justice Department ruling says.

The ruling asserts that individuals who work for an entity covered by the law are not automatically covered by the Health Insurance Portability and Accountability Act of 1996 and may not be subject to criminal penalties. While these penalties apply to insurers, doctors, hospitals and other providers, employees or outsiders who steal personal health data may be out of the bounds regarding penalties or disciplinary measures.

The Justice Department said that federal regulations apply just to “covered entities.” Only these entities can be prosecuted for criminal violations. Here’s an example: If a hospital criminally violates the law that hospital will be prosecuted. However, a hospital clerk who commits the same act would not be liable because he or she is not considered a covered entity.