In the spring of 2010, Huping Zhou, a Chinese immigrant living in California, was fined $2,000 and sentenced to four months in prison after pleading guilty to misdemeanor Health Insurance Portability and Accountability Act (HIPAA) violations.
United States Magistrate Judge Andrew J. Wistrich cited Zhou’s disregard for the privacy of patients at the University of California at Los Angeles as a reason for the sentencing.
In November of 2003, Zhou was informed that he had lost his position as a research assistant with UCLA’s Healthcare System because of “continued serious job deficiencies and poor judgment.” Despite no longer being employed by UCLA, he continued to access private medical records through an electronic password-protected database. His previous supervisor, former co-workers and other high-profile celebrity patients were among those whose privacy Zhou violated over a three-week period in 2003.
As Zhou’s case indicates, the offender’s knowledge of the law is not a factor when it comes to HIPAA violations. Accessing private patient information in ways not sanctioned by HIPAA is a violation, period. This also applies to those who have no intent to sell or use the information that they have obtained inappropriately – the act of accessing the records alone, regardless of motive, is criminal.
It is, therefore, crucial for covered entities and business associates to know HIPAA’s privacy laws and how they apply to patients’ protected health information.