The trend in increased enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) continues. (See our previous coverage of the uptick in Office of Civil Rights enforcement.) The 9th U.S. Circuit Court of Appeals recently ruled that HIPAA allows criminal conviction of a defendant who claimed he did not know his actions were illegal. The court ruled that prosecutors only have to prove the defendant knew he was accessing individually identifiable health information without authorization. Additionally significant is the fact that the criminal sanctions in this case were imposed on a former employee of a covered entity.
In 2003, Huping Zhou was fired for performance issues from his position at the UCLA Health System as a research assistant in rheumatology. According to prosecutors, in the three weeks after his dismissal, Zhou accessed hundreds of personal health records with Protected Health Information (PHI) on the UCLA system — including those of his previous supervisor, co-workers and a number of celebrities — all without authorization. Prosecutors were able convict Zhou for four of these instances of unauthorized access of PHI under the criminal provisions of HIPAA. Zhou was sentenced to four months in prison, followed by a year of supervised release, in addition to a monetary fine of $2,000.
Zhou appealed his conviction to the 9th Circuit, arguing that the criminal provisions of HIPAA require that he knew he was breaking the law in order to be convicted. The misdemeanor criminal penalty applies to anyone who “knowingly and in violation of [HIPAA] … obtains individually identifiable health information relating to an individual.” Zhou argued that “knowingly” modified violation of HIPAA, such that the prosecution was required to prove that he knew his actions were illegal. The 9th Circuit disagreed, noting:
If the statute did not contain “and,” then Zhou’s argument might be more persuasive. However, we cannot ignore “and” because its presence often dramatically alters the meaning of a phrase. Without “and,” the Second Amendment would guarantee “the right of the people to keep bear arms,” Leo Tolstoy would have published “War Peace,” and James Taylor would have confusingly crooned about “Fire Rain.”
United States v. Zhou, No. 10-50231, slip op. at 5046 (9th Cir. May 10, 2012).
The 9th Circuit’s ruling signals a continuation of a trend toward more aggressive interpretation, enforcement, and prosecution of HIPAA violations. It is now clear that violations of HIPAA — even by individuals who are unaware they have violated the law, and by former employees — can result in criminal sanctions, including jail time, in the largest federal circuit in the nation. All those with access to PHI should be aware of HIPAA’s requirements, and employees should be trained to ensure that they do not inadvertently expose themselves — and their employers — to liability under the law.