Court Clarifies HIPAA's Criminal RulesWhen Can You Get Prison Time?
Can you go to prison for violating HIPAA even if you're not aware you're breaking the law? A U.S. appellate court says yes.
The decision is an important reminder that ignorance of the law won't protect you from criminal prosecution for violating HIPAA. And it hammers home the point that those who access patient information without a valid reason could face jail time. That's the message in a new blog from attorney Adam Greene, partner at Davis Wright Tremaine LLP. And it's a message that's worth sharing with everyone on your staff who potentially has access to protected health information.
This case has significant relevance to covered entities and business associates in that it sets a relatively low bar on what conduct may be deemed a criminal violation of HIPAA.
The U.S. Court of Appeals for the Ninth Circuit on May 10 rejected a motion to dismiss criminal charges in a headline-grabbing case involving Huping Zhou, Greene notes. You may recall that the case was portrayed by prosecutors as the first in the nation involving a prison sentence for a HIPAA privacy rule violation (see: HIPAA Violation Leads to Prison Term).
Zhou, a former University of California at Los Angeles Healthcare System research assistant, was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others. As we reported back in April 2010, Zhou pleaded guilty to four misdemeanor counts of violating the HIPAA privacy rule. He admitted obtaining individually identifiable health information without a valid reason.
The case dates back to 2003, when Zhou received notice that he was being dismissed from his job. On the day he received the notice, Zhou accessed and read his immediate supervisor's medical records and those of other co-workers, according to prosecutors. For three weeks, he continued illegally accessing patient records, including those of celebrities, according to prosecutors.
In his plea agreement, Zhou admitted he read private electronic records on four occasions after he was formally terminated. At the time, prosecutors said there was no evidence Zhou improperly used or attempted to sell any of the information he illegally accessed.
Details of Appeal
Greene points out that Zhou faced criminal misdemeanor charges related to HIPAA's prohibition of "knowingly" obtaining individually identifiable health information in violation of the law. Zhou filed a motion to dismiss on the grounds that he did not know it was illegal to obtain the health information, and, therefore, did not act "knowingly," Greene notes. But the court dismissed the motion, and Zhou submitted a conditional guilty plea, reserving the right to appeal the dismissal of his motion.
Zhou filed an appeal, and the appellate court this month affirmed the denial of the motion to dismiss, finding that, with respect to the criminal HIPAA statute, "knowingly" applies only to the act of obtaining health information and that knowledge of the law is irrelevant, Greene says.
"This case has significant relevance to covered entities and business associates in that it sets a relatively low bar on what conduct may be deemed a criminal violation of HIPAA," Greene stresses.
As Greene points out, the case provides a valuable "teaching moment." Not only may an employee lose their job for inappropriately accessing patient information in violation of HIPAA. They also face the risk of criminal prosecution - and jail time.
So when your organization conducts its HIPAA compliance training, make sure your staff is aware of the severe potential consequences of HIPAA violations.