As Dr. Huping Zhou recently discovered, being a pioneer is not always a good thing. On April 27, 2010, Zhou, a forty-seven-year-old cardiothoracic surgeon from China and a former UCLA Healthcare System employee, became the first person in the nation to be convicted and sent to prison for violating the Health Insurance Portability and Accountability Act ("HIPAA"). Health care providers need to be aware that the civil and criminal penalties provided by HIPAA can be quite severe even for violations that do not involve the disclosure of protected health information ("PHI") to third parties.
Zhou was employed by the UCLA Healthcare System as a researcher with the UCLA School of Medicine. According to the United States Attorney's Office in the Central District of California, which prosecuted the case, Zhou received notice from the UCLA Healthcare System that he was being dismissed for job performance reasons. After receiving this notice, Zhou, "without any legal or medical reason, accessed and read his immediate supervisor's medical records and those of other co-workers." Zhou continued illegally accessing patient records for a three-week period thereafter. His illegal access of the patient record system was shown to number more than three hundred twenty separate instances, most of which involved the unauthorized access of the confidential health records of various well-known celebrities.
Zhou was caught following an investigation conducted by the Federal Bureau of Investigation with the full cooperation of the UCLA Healthcare System and its affiliates. Zhou pled guilty to four misdemeanor counts of knowingly obtaining individually identifiable health information without a valid reason in violation of HIPAA. Federal Magistrate Judge Andrew J. Wistrich sentenced Zhou to four months in federal prison. This prison sentence is remarkable given that there was no evidence that Zhou disclosed the information to others or did anything other than merely access the information without valid reason or authorization.
Other health care privacy criminal cases have been brought under different federal statutes, and there have been some guilty pleas associated with HIPAA violations. However, Dr. Zhou's case serves as a reminder that HIPAA violations are not to be taken lightly, that attorneys general are becoming less hesitant to prosecute offenders, and that the courts are willing to impose the criminal penalties available under HIPAA, up to and including incarceration. This trend will continue to be important as the social media phenomenon of sharing large amounts of traditionally personal information with the online world leads to a diminished respect and appreciation for the privacy rights of others. In addition to this laxity with personal information, the ever-increasing availability of electronic documents over remote servers from any location increases the susceptibility of PHI to unauthorized access. As Dr. Zhou's case demonstrates, HIPAA violations can occur solely as a result of unauthorized access or use of PHI; an unauthorized disclosure is not required. Given these factors, we think health care providers should require staff and any affiliated physicians to undergo HIPAA refresher courses that include reminders of existing HIPAA requirements as well as the new requirements imposed by HITECH.