HIPAA Applies To Those Who Don’t Know About It

Now here’s a pretty how-de-do for HIPAA lawbreakers. According to a new appellate decision out of the Ninth Circuit in California, people who knowingly access patient records in violation of HIPAA can be convicted under its criminal provision whether or not they knew the access was illegal.

The case, United States v. Zhou, concerned the acts of one Huping Zhou, a former research assistant in rheumatology at the University of California at Los Angeles Health System. After being fired from his job as a research assistant in 2003, Zhou accessed patient records without authorization at least four times (and, obviously, got caught). After some sparring over charges, the feds eventually prosecuted him for misdemeanor HIPAA violations.

For years, the case worked its way through the system, with Zhou taking the position that he didn’t know accessing the patient records was illegal, and for that reason should not be found guilty.

Last month the case reached the United States Court of Appeals for the Ninth Circuit, on appeal from the District Court for the Central District of California. It took the judges only a few weeks to decide that yes, Zhou was guilty even though he may not have known that his data spying was illegal under HIPAA. Wow.

The HIPAA provision the judges relied on was the following:

HIPAA provides that: “[a] person who knowingly and in violation of this part — (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).” 42 U.S.C. § 1320d-6(a).

And their analysis of Zhou’s defense did not go the way he had hoped. Again, from the appellate decision:

[T]he plain text of Section 1320d-6(a)(2) [of HIPAA] is not limited to defendants who knew that their actions were illegal. Rather, the misdemeanor applies to defendants who knowingly obtained individually identifiable health information relating to an individual, and obtained that information in violation of HIPAA.

In other words, the “knowingly” in the statute attaches to the act of obtaining the records, not to knowledge of the law: if you knowingly snoop into patient records and that access violates HIPAA, you’re on the hook even if you never knew HIPAA existed. (Note, I am not a lawyer or court-watcher, but this is how most legal commentators have interpreted the decision.)

While I like my privacy as much as anyone else, this case does trouble me. While it’s unlikely that a hospital staffer would think PHI peeping was OK, some healthcare workers — in settings such as, say, home care or a small mental health practice — might have no idea that the Department of Justice might come knocking at their door.

Wouldn’t it be more logical to prosecute the hospital for being so insecure that its data could be accessed by an angry ex-employee? If it were my PHI, that’s where I’d be venting my wrath.