The first person to be sentenced to prison for a HIPAA violation has lost his appeal. Although the defendant was a hospital employee, the rules apply equally to anyone handling protected health information on behalf of an employer-sponsored health plan.
Defendant-Appellant Huping Zhou, a former research assistant at the University of California at Los Angeles Health System (UHS), accessed patient records without authorization after his employment was terminated. The government charged him with violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which imposes a misdemeanor penalty on “[a] person who knowingly and in violation of this part . . . obtains individually identifiable health information relating to an individual[.]” Zhou moved to dismiss because the charges did not allege that Zhou knew that the statute prohibited him from obtaining the health information. The district court denied the motion to dismiss. Zhou entered a conditional guilty plea, reserving the right to appeal the denial of his motion to dismiss.
The United States Court of Appeals for the Ninth Circuit affirmed the district court because the plain text of HIPAA is not limited to defendants who knew that their actions were illegal. Rather, the misdemeanor applies to defendants who knowingly obtained individually identifiable health information relating to an individual, and obtained that information in violation of HIPAA.
The case is United States of America v. Huping Zhou.
Zhou was hired as a research assistant in rheumatology at UHS on February 2, 2003. On October 29, 2003, UHS issued Zhou a notice of intent to dismiss due to “continued serious job deficiencies and poor judgment.” On November 12, 2003, after a formal internal grievance hearing, Zhou received a dismissal letter effective November 14, 2003.
After his termination on November 14, 2003, there were at least four instances, on November 17 and 19, in which Zhou accessed patient records without authorization. Zhou was charged with crimes only for accessing patients’ medical information after he was terminated and no longer treating patients at the hospital.
On November 17, 2008, Zhou was charged under HIPAA. The four misdemeanor counts stated that Zhou “knowingly and for reasons other than permitted…obtained and caused to be obtained individually identifiable health information relating to an individual.” Each count alleged access to a patient record after Zhou’s termination. Zhou allegedly accessed patient records related to his immediate supervisor, co-workers and celebrities.
On October 19, 2009, Zhou moved to dismiss, arguing that he did not know that it was illegal to obtain the health information. On November 12, 2009, the magistrate judge denied the motion in a ruling from the bench.
On January 8, 2010, Zhou entered a conditional guilty plea, reserving his right to appeal the court’s denial of his motion to dismiss. Zhou was sentenced to four months in prison, followed by a year of supervised release, a $2,000 fine, and a $100 special assessment. Zhou filed a timely notice of appeal.
Zhou argued that “knowingly” modifies “in violation of this part.” Under Zhou’s interpretation of the statute, a defendant is guilty only if he knew that obtaining the personal healthcare information was illegal.
The 9th Circuit rejected Zhou’s argument because it contradicts the plain language of HIPAA. The statute’s misdemeanor criminal penalty applies to an individual who “knowingly and in violation of this part . . . obtains individually identifiable health information relating to an individual.” The word “and” unambiguously indicates that there are two elements of a violation: 1) knowingly obtaining individually identifiable health information relating to an individual; and 2) obtaining that information in violation of HIPAA. Thus, the term “knowingly” applies only to the act of obtaining the health information.
The 9th Circuit said it could not ignore “and” because its presence often dramatically alters the meaning of a phrase. Without “and,” the 9th Circuit pointed out, the Second Amendment would guarantee “the right of the people to keep bear arms,” Leo Tolstoy would have published “War Peace,” and James Taylor would have confusingly crooned about “Fire Rain.” To overlook “and” would be to violate an important rule of statutory construction: that every word and clause in a statute be given effect.
In sum, the 9th Circuit held that HIPAA is not limited to defendants who knew that their actions were illegal. Rather, the defendant need only know that he obtained individually identifiable health information relating to an individual.
This case should be a warning to all individuals with access to protected health information under HIPAA to access only the information needed to perform their duties. It should also serve as a reminder to all plan sponsors to turn off access to computer systems as soon as an employee is terminated.