A federal appeals court has upheld the conviction of a former employee of the UCLA Healthcare System for accessing the hospital's electronic health record system without authorization, in violation of HIPAA.
Huping Zhou, a researcher for the hospital, had accessed at least 323 patient records--including those of actors Arnold Schwarzenegger and Tom Hanks, and his boss--during a three-week period in 2003 after he was informed that he was to be dismissed for performance reasons. He pleaded guilty in 2010 to violating HIPAA, and was sentenced to four months in prison, assessed a $2,000 fine and a $100 special assessment. Zhou appealed his conviction on the grounds that he didn't know that it was illegal to obtain the health information.
The United States Court of Appeals for the Ninth Circuit affirmed the conviction. According to the court, "knowingly" under HIPAA applies to the act of obtaining the information, and "the defendant need only know that he obtained individually identifiable health information relating to an individual." In other words, ignorance of the law was no excuse; his lack of knowledge that he had violated HIPAA was not relevant.
Zhou was the first defendant in the United States to receive a prison sentence for a HIPAA privacy violation merely for snooping. There is no evidence that he used the patient records for personal gain.
Legal analysts believe that the decision sets a "low bar on what may be deemed a criminal violation of HIPAA." The case may also serve as another example of the increased scrutiny of HIPAA compliance and the enhanced enforcement environment.