In the spring of 2010, Huping Zhou, a Chinese immigrant living in California, was fined $2,000 and sentenced to four months in prison after pleading guilty to misdemeanor Health Insurance Portability and Accountability Act (HIPAA) violations.
United States Magistrate Judge Andrew J. Wistrich cited Zhou’s disregard for the privacy of patients at the University of California at Los Angeles as a reason for the sentencing.
In November of 2003, Zhou was informed that he had lost his position as a research assistant with UCLA’s Healthcare System because of “continued serious job deficiencies and poor judgment.” Despite no longer being employed by UCLA, he continued to access private medical records through an electronic password-protected database. His previous supervisor, former co-workers and other high-profile celebrity patients were among those whose privacy Zhou violated over a three-week period in 2003.
Although Zhou did not attempt to sell or disclose health information gleaned from the records, his actions were still in violation of HIPAA privacy laws. Zhou claimed that he was unaware that accessing confidential electronic protected health information (ePHI) was illegal, but HIPAA’s privacy policy does not apply only to those who know that this kind of access is prohibited. The law applies to all “who knowingly obtain individually identifiable health information relating to an individual.”
As Zhou’s case indicates, the offender’s knowledge of the law is not a factor when it comes to HIPAA violations. Accessing private patient information in ways not sanctioned by HIPAA are violations, period. This also applies to those who have no intent to sell or use the information that they have obtained inappropriately – the act of accessing the records alone, regardless of motive, is criminal.
It is, therefore, crucial for covered entities and business associates to know HIPAA’s privacy laws and how they apply to patient’s protected health information.
