Individuals who access protected health information without authorization may be found guilty of a misdemeanor even if they lack knowledge that their actions are illegal. 

On May 10, the U.S. Court of Appeals for the Ninth Circuit affirmed a United States District Court information that charged Huping Zhou, a former research assistant at the University of California at Los Angeles Health System (“UHS”), with violating Section 1320d-6 (the “Wrongful Disclosure Section”) of the Health Insurance Portability and Accountability Act (HIPAA).  The section provides that any person who “knowingly and in violation of this part…obtains individually identifiable health information relating to an individual” is subject to a misdemeanor punishable by a fine of not more than $50,000 and/or imprisonment for not more than one year.

Zhou was charged under subsection (a)(2) of the Wrongful Disclosure Section for “knowingly” accessing patients’ medical records with no permitted justification after he was terminated from UHS for performance-related reasons.  According to a 2010 statement, Zhou illegally accessed patient records 323 times during a three-week period, including those of his immediate supervisor, co-workers, and well-known celebrities.  Zhou admitted in his plea agreement to accessing patient records on four specific occasions after his termination.  Zhou was the first individual convicted of, and incarcerated for, misdemeanor HIPAA offenses for accessing confidential patient records without a valid reason or authorization. 

On appeal, Zhou argued that a defendant cannot be guilty of violating HIPAA if he did not know that obtaining the protected health information was illegal.  The court rejected his argument, finding that it “contradicts the plain language of HIPAA.”  The court held that the word “and” clearly provides that there are two elements of a Wrongful Disclosure Section violation: 1) knowingly obtaining individually identifiable health information relating to an individual; and 2) obtaining that information in violation of HIPAA. 

The court stated that “the term ‘knowingly’ applies only to the act of obtaining the health information” and that the defendant need only know that he obtained individually identifiable health information relating to an individual in order to be found guilty of violating the statute.  

Every provider must develop and implement policies designed to ensure that terminated employees cannot access the provider’s systems, including those with protected health information.  Referencing this case in the course of employee training will further drive the point home and reinforce the importance of preventing the unauthorized access of protected health information.