Featured Health Business Daily Story, June 7, 2012
Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.
The U.S. Court of Appeals for the Ninth Circuit on May 23 refused to reconsider its May 10 decision that a former researcher was guilty of criminal violations of HIPAA even though the government had not shown he knew his actions of snooping into records were illegal.
In the May 10 ruling, the court said the government did not need to prove that a defendant in a criminal HIPAA case knowingly broke the law, dismissing the appeal of Huping Zhou and upholding a lower court’s imposition of a four-month jail sentence and fines for the former researcher at the University of California at Los Angeles Healthcare System. In 2010, Zhou pleaded guilty to four misdemeanor charges of violating HIPAA.
The refusal appears to conclude a nearly 10-year saga for Zhou, among the first individuals to face jail time for a HIPAA infraction. But his case lives on for others, carrying lessons for covered entities and business associates alike, HIPAA experts say.
According to court records, Zhou, who had been a cardiothoracic physician in China, was hired by the UCLA system in February 2003 as a research assistant in rheumatology. But by the end of October of that same year, he was told the system intended to fire him because of “continued serious job deficiencies and poor judgment.”
Following a grievance hearing on Nov. 10, Zhou received a letter on Nov. 12 notifying him that his job was over effective Nov. 14, 2003.
However, the health system did not actually terminate his access to its medical records at that time, and Zhou was charged in 2008 with accessing records from his termination date until Nov. 19, 2003.
He was also accused of accessing records for which he had no need, many hundreds of time and beginning in April 2003, including those of his supervisor, other hospital workers and celebrities. His snooping into inappropriate records increased after he learned of the system’s intention to dismiss him and occurred mostly from home, court records show. Zhou was never accused of misusing any data or information he learned from reading the medical files or of sharing the information with anyone.
Just before a trial was to begin in January 2010, Zhou entered a conditional guilty plea, “reserving his right to appeal the court’s denial of his motion to dismiss the information,” the appeals court ruling states. The U.S. District Court in Central California sentenced him to four months in prison and a $2,000 fine (RPP 2/10, p. 10). He was ordered to report to prison April 27, 2010, to be followed by one-year supervised release and completion of a “mental health counseling program as directed by the probation officer.”
One of Zhou’s attorneys had earlier claimed that Zhou was not properly trained by UCLA, and in his appeal “Zhou contends that the information failed to meet [federal] requirements because it did not explicitly state that Zhou knew that obtaining the health information was illegal,” the appeals court judges wrote.
“Under Zhou’s interpretation of the statute, a defendant is guilty only if he knew that obtaining the personal healthcare information was illegal,” they wrote. “We reject Zhou’s argument because it contradicts the plain language of HIPAA. The statute’s misdemeanor criminal penalty applies to an individual who ‘knowingly and in violation of this part…obtains individually identifiable health information relating to an individual. 42 U.S.C. § 1320d-6(a)(2).”
The appeals court focused on the word “and,” saying it “unambiguously indicates that there are two elements of a Section 1320d-6(a)(2) violation: (1) knowingly obtaining individually identifiable health information relating to an individual; and (2) obtaining that information in violation of Title 42 United States Code Chapter 7, Subchapter XI, Part C. Thus, the term ‘knowingly’ applies only to the act of obtaining the health information,” the judges said.
In his May 15 request for a rehearing, Zhou — who is now representing himself — said he should not have pleaded guilty, and that his previous attorneys had not provided effective representation. He also suggested that his “research job duties” allowed him access to the records.
The court denied the rehearing request without comment. During a brief phone conversation with RPP, Zhou said the appeals court decision was “unfair.” He also said that he had lost his case because his attorneys “did not care,” and that he no longer has an income.
While Zhou’s claim of ignorance of the law, made back in 2003, might seem far-fetched today, it just might be valid in some cases, says Adam Greene, a former regulator with the Office for Civil Rights and now a partner with Davis Wright Tremaine LLP in Washington, D.C.
“What if staff have not receiving appropriate training and claim total ignorance — they have potential criminal liability nonetheless,” based on this ruling, he says. “What if a staff member, including an upper-level member of the workforce, makes a disclosure based on a misunderstanding of HIPAA — there is the potential for criminal liability despite any good faith belief.”
Business associates “are another twist,” Greene says. “As a BA, you could disclose protected health information in violation of HIPAA when you did not know that the information was PHI or that you were a BA.” He points out that “the definition of BA does not require that the CE actually fulfilled its obligations to obtain a business associate agreement, so a CE could fail to obtain a BA contract and the BA may have no idea that it is subject to HIPAA.”
This ruling could also potentially add a HIPAA charge to identity theft in situations where a criminal steals Social Security numbers from an entity that he or she did not realize was a covered entity, for example, Greene says.
But to David Ermer, a Washington, D.C., health care attorney who has long dealt with HIPAA compliance issues for his clients, the significance of the ruling is simple.
“No one accused of HIPAA violations is ever going to be able to successfully assert the ‘Sergeant Schultz defense,’” he says, referring to the bumbling Hogan’s Heroes TV character who always claimed “I know nothing” when he got into trouble.
© 2012 by Atlantic Information Services, Inc. All Rights Reserved.