HIPAA Criminal Penalties – Defendant May Be Found Guilty without “Knowledge” That Acts Are Illegal

Article By:

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

posted on: Wednesday, May 23, 2012

Administrative & Regulatory / Consumer Protection / Criminal Law / Business Crimes / Health Law & Managed Care / Litigation / Trial Practice

9th Circuit (incl. bankruptcy)

: Printer-friendly; Email this Article; Download PDF; Reprints & Permissions; Tweet

Individuals who access protected health information without authorization may be found guilty of a misdemeanor even if they lack knowledge that their actions are illegal.

On May 10, the U.S. Court of Appeals for the Ninth Circuit affirmed a United States District Court information that charged Huping Zhou, a former research assistant at the University of California at Los Angeles Health System (“UHS”), with violating Section 1320d-6 (the “Wrongful Disclosure Section”) of the Health Insurance Portability and Accountability Act (HIPAA). The section provides that any person who “knowingly and in violation of this part…obtains individually identifiable health information relating to an individual” is subject to a misdemeanor punishable by a fine of not more than $50,000 and/or imprisonment for not more than one year.

Zhou was charged under subsection (a)(2) of the Wrongful Disclosure Section for “knowingly” accessing patients’ medical records with no permitted justification after he was terminated from UHS for performance-related reasons. According to a 2010 statement, Zhou illegally accessed patient records 323 times during a three-week period, including those of his immediate supervisor, co-workers, and well-known celebrities. Zhou admitted in his plea agreement to accessing patient records on four specific occasions after his termination. Zhou was the first individual convicted of, and incarcerated for, misdemeanor HIPAA offenses for accessing confidential patient records without a valid reason or authorization.

On appeal, Zhou argued that a defendant cannot be guilty of violating HIPAA if he did not know that obtaining the protected health information was illegal. The court rejected his argument, finding that it “contradicts the plain language of HIPAA.” The court held that the word “and” clearly provides that there are two elements of a Wrongful Disclosure Section violation: 1) knowingly obtaining individually identifiable health information relating to an individual; and 2) obtaining that information in violation of HIPAA.

The court stated that “the term ‘knowingly’ applies only to the act of obtaining the health information” and that the defendant need only know that he obtained individually identifiable health information relating to an individual in order to be found guilty of violating the statute.

Every provider must develop and implement policies designed to ensure that terminated employees cannot access the provider’s systems, including those with protected health information. Referencing this case in the course of employee training will further drive the point home and reinforce the importance of preventing the unauthorized access of protected health information.

About the Author

Kimberly J. Gold

Associate

Prior to joining Mintz Levin, Kimberly was an associate at Arent Fox LLP. Her practice focused on health care and corporate matters such as mergers and acquisitions, financings, regulatory compliance, licensing, reimbursement, and privacy.

Kimberly's experience includes negotiating, reviewing, and drafting agreements, including stock and asset purchase agreements, operations transfer agreements, and loan agreements. She has also advised health care clients with respect to HIPAA, HITECH, fraud and abuse issues, Medicare and Medicaid reimbursement, food and drug laws, and state...

KJGold@mintz.com

(212) 692-6706

www.mintz.com/people/733/Kimberly_Gold