In late April, a cardiothoracic surgeon working in the U.S. was sentenced to four months in jail and assessed a $2,000.00 fine for unauthorized viewing of patient records in violation of the federal privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). Huping Zhou was employed as a researcher at the UCLA School of Medicine in 2003 when, after being fired, he accessed patient records 323 times over the course of approximately three weeks.
Upon learning that he was about to be terminated, Zhou began "snooping" into the medical files of his supervisor and co-workers. He also accessed the confidential patient files of many celebrity patients. Although he pled guilty, Zhou claimed he did not know that it was a federal offense to read patients' confidential files. Mr. Zhou's lawyer also alleged that, at the time Mr. Zhou worked at the Medical Center, UCLA did not offer its employees any substantial training concerning the punishments for accessing confidential patient files. Despite these considerations, Zhou was sentenced to jail for his offense.
Zhou is the first person in the U.S. to be incarcerated for violating HIPAA by accessing patient records without authorization. He pled guilty to four misdemeanor counts of violating HIPAA's privacy provisions.
It appears clear that the government was using Mr. Zhou's case to send a message to the health care provider community, i.e., that HIPAA enforcement under the Obama Administration will have some teeth.
"Snooping" into patient files, particularly those of celebrity patients, has long been a problem for hospitals and medical practices; the Zhou case is just one example. In another case from 2008, a former hospital employee on the west coast pleaded guilty to unauthorized viewing of the medical records of celebrities, including Farrah Fawcett and Britney Spears, and to selling the information she obtained from those records to the National Enquirer.
These examples serve as a cautionary tale to all health care providers to be vigilant about training their staff on the HIPAA privacy rules. For electronic medical records, unique user IDs should be issued so employers can track who is accessing particular medical records. Moreover, medical practices should ensure that they terminate access to confidential patient files in a timely manner when employees are fired.
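As an added illustration (not from the original article), the following Python check shows how the two recommendations above can be enforced from an EMR audit log once unique user IDs are in place: it flags record views that occur after a user's HR termination date, and users whose view count within a rolling window exceeds a threshold. All user IDs, timestamps, record IDs and the roster are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed audit entries: (timestamp, user_id, patient_record_id).
# Unique user IDs are what make per-person attribution possible.
AUDIT_LOG = [
    ("2024-03-01T09:12:00", "u1001", "p-0001"),
    ("2024-03-01T09:15:00", "u1001", "p-0002"),
    ("2024-03-02T10:00:00", "u1002", "p-0003"),
    ("2024-03-05T22:40:00", "u1002", "p-0004"),  # after u1002's termination
    ("2024-03-06T01:10:00", "u1002", "p-0005"),  # after u1002's termination
    ("2024-03-03T11:00:00", "u1003", "p-0006"),
]

# Constructed HR roster: user_id -> termination date (None = still employed).
ROSTER = {"u1001": None, "u1002": "2024-03-04", "u1003": None}


def access_after_termination(log, roster):
    """Return entries where a user viewed a record after their termination date.
    Any hit means access was not revoked in time (or the account was reused)."""
    flagged = []
    for ts, user, record in log:
        term = roster.get(user)
        if term is None:
            continue
        if datetime.fromisoformat(ts).date() > datetime.fromisoformat(term).date():
            flagged.append((ts, user, record))
    return flagged


def high_volume_users(log, window_days, threshold):
    """Return {user: peak_count} for users whose record views within any
    window_days span exceed threshold (sliding window over sorted times)."""
    by_user = {}
    for ts, user, _ in log:
        by_user.setdefault(user, []).append(datetime.fromisoformat(ts))
    window = timedelta(days=window_days)
    result = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop views older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            result[user] = peak
    return result
```

In practice the threshold would be tuned per role, since a clinician on a busy service legitimately opens many records per shift.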
In the wake of the Zhou case, health care providers and employees alike should be aware that the government no longer views "snooping" into patients' medical records as a victimless crime and is now prepared to imprison medical workers for violating HIPAA's privacy provisions. Medical employers are cautioned to take appropriate measures to protect themselves, their patients, and their employees.
* * *
For HIPAA questions, and to ensure that your practice is fully compliant with the new breach notification rules under the HITECH Act, contact your attorney at our firm.