June 1, 2012
The trend in increased enforcement of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) continues. (See our
previous
coverage of the uptick in Office for Civil Rights enforcement.) The 9th U.S.
Circuit Court of Appeals
recently ruled that HIPAA allows criminal conviction of a defendant who
claimed he did not know his actions were illegal. The court ruled that
prosecutors only have to prove the defendant knew he was accessing individually
identifiable health information without authorization. Additionally significant
is the fact that the criminal sanctions in this case were imposed on a former
employee of a covered entity.
In 2003, Huping Zhou was fired for performance issues from his position at
the UCLA Health System as a research assistant in rheumatology. According to
prosecutors, in the three weeks after his dismissal, Zhou accessed hundreds of
personal health records with Protected Health Information (PHI) on the UCLA
system — including those of his previous supervisor, co-workers and a number of
celebrities — all without authorization. Prosecutors were able convict Zhou for
four of these instances of unauthorized access of PHI under the criminal
provisions of HIPAA. Zhou was sentenced to four months in prison, followed by a
year of supervised release, in addition to a monetary fine of $2,000.
Zhou appealed his conviction to the 9th Circuit, arguing that the criminal
provisions of HIPAA require that he knew he was breaking the law in order to be
convicted. The misdemeanor criminal penalty applies to anyone who “knowingly and
in violation of [HIPAA] … obtains individually identifiable health information
relating to an individual.” Zhou argued that “knowingly” modified violation of
HIPAA, such that the prosecution was required to prove that he knew his actions
were illegal. The 9th Circuit disagreed, noting:
If the statute did not contain “and,” then Zhou’s argument might be more
persuasive. However, we cannot ignore “and” because its presence often
dramatically alters the meaning of a phrase. Without “and,” the Second
Amendment would guarantee “the right of the people to keep bear arms,” Leo
Tolstoy would have published “War Peace,” and James Taylor would have
confusingly crooned about “Fire Rain.”
United States v. Zhou, No. 10-50231, slip op. at 5046 (9th Cir. May
10, 2012).
The 9th Circuit’s ruling signals a continuation of a trend toward more
aggressive interpretation, enforcement, and prosecution of HIPAA violations. It
is now clear that violations of HIPAA — even by individuals who are unaware they
have violated the law, and by former employees — can result in criminal
sanctions, including jail time, in the largest federal circuit in the nation.
All those with access to PHI should be aware of HIPAA’s requirements, and
employees should be trained to ensure that they do not inadvertently expose
themselves — and their employers — to liability under the law.
McGuireWoods has extensive experience in HIPAA compliance and training, and
can help you navigate this increasingly complex area of the healthcare
landscape. If you have any questions regarding this article, or HIPAA compliance
and training more generally, please contact Nathan Kottkamp at 804.775.1092,
Vince Dongarra at 804.775.1049, or any member of the
McGuireWoods
Healthcare team.