The trend in increased enforcement of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) continues. (See
previous coverage of the uptick in Office for Civil Rights
enforcement.) The 9th U.S. Circuit Court of Appeals recently ruled that HIPAA allows
criminal conviction of a defendant who claimed he did not know his
actions were illegal. The court ruled that prosecutors only have to
prove the defendant knew he was accessing individually identifiable
health information without authorization. Also significant is that
the criminal sanctions in this case were imposed on a former
employee of a covered entity.
In 2003, Huping Zhou was fired for performance issues from his
position at the UCLA Health System as a research assistant in
rheumatology. According to prosecutors, in the three weeks after
his dismissal, Zhou accessed hundreds of personal health records
with Protected Health Information (PHI) on the UCLA system
— including those of his previous supervisor, co-workers
and a number of celebrities — all without authorization.
Prosecutors were able to convict Zhou for four of these instances of
unauthorized access of PHI under the criminal provisions of HIPAA.
Zhou was sentenced to four months in prison, followed by a year of
supervised release, in addition to a monetary fine of $2,000.
Zhou appealed his conviction to the 9th Circuit, arguing that
the criminal provisions of HIPAA require that he knew he was
breaking the law in order to be convicted. The misdemeanor criminal
penalty applies to anyone who "knowingly and in violation of
[HIPAA] ... obtains individually identifiable health information
relating to an individual." Zhou argued that
"knowingly" modified "in violation of [HIPAA]," such that the
prosecution was required to prove that he knew his actions were
illegal. The 9th Circuit disagreed, noting:
If the statute did not contain "and," then Zhou's
argument might be more persuasive. However, we cannot ignore
"and" because its presence often dramatically alters the
meaning of a phrase. Without "and," the Second Amendment
would guarantee "the right of the people to keep bear
arms," Leo Tolstoy would have published "War Peace,"
and James Taylor would have confusingly crooned about "Fire
United States v. Zhou, No. 10-50231, slip op. at 5046
(9th Cir. May 10, 2012).
The 9th Circuit's ruling signals a continuation of a trend
toward more aggressive interpretation, enforcement, and prosecution
of HIPAA violations. It is now clear that violations of HIPAA
— even by individuals who are unaware they have violated
the law, and by former employees — can result in criminal
sanctions, including jail time, in the largest federal circuit in
the nation. All those with access to PHI should be aware of
HIPAA's requirements, and employees should be trained to ensure
that they do not inadvertently expose themselves — and
their employers — to liability under the law.