Earlier this month, the Ninth Circuit Court of Appeals upheld the conviction of Huping Zhou, a former employee of the UCLA Health System, for illegally accessing protected health information in violation of the Health Insurance Portability and Accountability Act (HIPAA).
The decision provides an important clarification of HIPAA rules for health care providers, their employees, and their business associates. Namely: ignorance of the law is not an acceptable defense.
First, the background, from law firm Mintz Levin:
“Zhou was charged under subsection (a)(2) of the Wrongful Disclosure Section for ‘knowingly’ accessing patients’ medical records with no permitted justification after he was terminated from UHS for performance-related reasons. According to a 2010 statement, Zhou illegally accessed patient records 323 times during a three-week period, including those of his immediate supervisor, co-workers, and well-known celebrities. Zhou admitted in his plea agreement to accessing patient records on four specific occasions after his termination.” (HIPAA Criminal Penalties – Defendant May Be Found Guilty without “Knowledge” That Acts Are Illegal)
On appeal, however, Zhou claimed that he could not have committed a crime because he did not know the law existed. Again, Mintz Levin:
“… Zhou argued that a defendant cannot be guilty of violating HIPAA if he did not know that obtaining the protected health information was illegal.”
The Ninth Circuit rejected this argument. Law firm Davis Wright Tremaine:
“… [the Court found] that, with respect to the criminal HIPAA statute, ‘knowingly’ applies only to the act of obtaining health information (knowledge of the law is irrelevant).” (Ninth Circuit Holds that Knowledge of HIPAA Is Not Necessary for Criminal Conviction)
In plain English? Zhou “knew” he was accessing the health records of colleagues and celebrities, whether or not he knew it was illegal to do so.
Two takeaways for health care providers:
1. Make sure your employees know the law (and the punishment for violating it):
“One potential benefit of this case to covered entities and business associates is that it can be used as a teaching moment, to remind employees that fates even worse than termination (such as criminal prosecution) can result from viewing medical records to satisfy curiosity or for other impermissible reasons.” (Davis Wright Tremaine)
2. Protect your systems from improper and illegal access:
“Every provider must develop and implement policies designed to ensure that terminated employees cannot access the provider’s systems, including those with protected health information. Referencing this case in the course of employee training will further drive the point home and reinforce the importance of preventing the unauthorized access of protected health information.” (Mintz Levin)
Follow our new HIPAA law Twitter feed for related news and updates: @HIPAAWatch>>