Individuals who access protected health information without
authorization may be found guilty of a misdemeanor even if they
lack knowledge that their actions are illegal.

On May 10, the U.S. Court of Appeals for the Ninth Circuit affirmed a United States District Court
information that charged Huping Zhou, a former research assistant
at the University of California at Los Angeles Health System
("UHS"), with violating Section 1320d-6 (the
"Wrongful Disclosure Section") of the Health Insurance
Portability and Accountability Act (HIPAA). The section provides
that any person who "knowingly and in violation of this
part...obtains individually identifiable health information
relating to an individual" is subject to a misdemeanor
punishable by a fine of not more than $50,000 and/or imprisonment
for not more than one year.

Zhou was charged under subsection (a)(2) of the Wrongful
Disclosure Section for "knowingly" accessing
patients' medical records with no permitted justification after
he was terminated from UHS for performance-related reasons.
According to a 2010 statement, Zhou illegally accessed patient
records 323 times during a three-week period, including those of
his immediate supervisor, co-workers, and well-known celebrities.
Zhou admitted in his plea agreement to accessing patient records on
four specific occasions after his termination. Zhou was the first
individual convicted of, and incarcerated for, misdemeanor HIPAA
offenses for accessing confidential patient records without a valid
reason or authorization.

On appeal, Zhou argued that a defendant cannot be guilty of
violating HIPAA if he did not know that obtaining the protected
health information was illegal. The court rejected his argument,
finding that it "contradicts the plain language of
HIPAA." The court held that the word "and" clearly
provides that there are two elements of a Wrongful Disclosure
Section violation: 1) knowingly obtaining individually identifiable
health information relating to an individual; and 2) obtaining that
information in violation of HIPAA.

The court stated that "the term 'knowingly' applies
only to the act of obtaining the health information" and that
the defendant need only know that he obtained individually
identifiable health information relating to an individual in order
to be found guilty of violating the statute.

Every provider must develop and implement policies designed to
ensure that terminated employees cannot access the provider's
systems, including those with protected health information.
Referencing this case in the course of employee training will
further drive the point home and reinforce the importance of
preventing the unauthorized access of protected health