HIPAA Applies To Those Who Don’t Know About It

Now here’s a pretty how-do-you-do for HIPAA lawbreakers. According to a new appellate decision in California, people convicted of accessing patient records illegally can be punished whether or not they knew it was illegal.

The case, United States v. Zhou, concerned the acts of one Huping Zhou, a former research assistant in rheumatology at the University of California at Los Angeles Health System. After being fired from his job as a research assistant in 2003, Zhou accessed patient records without authorization at least four times (and obviously, got caught). After some sparring over charges, the feds eventually prosecuted him for HIPAA violations.

For years, the case worked its way through the system, with Zhou taking the position that he didn’t know accessing the patient records was illegal, and for that reason should not be found guilty.

Last month, the case ended up in the United States District Court for the Central District of California. It took the judges only a few weeks to decide that yes, Zhou was responsible even though he may not have known that his data spying was illegal under HIPAA. Wow.

The HIPAA provision the judges relied on was the following:

HIPAA provides that: “[a] person who knowingly and in violation of this part — (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).” 42 U.S.C. § 1320d-6(a).

And their analysis of Zhou’s defense did not go the way he had hoped. Again, from the appellate decision:

[T]he plain text of Section 1320d-6(a)(2) [of HIPAA] is not limited to defendants who knew that their actions were illegal. Rather, the misdemeanor applies to defendants who knowingly obtained individually identifiable health information relating to an individual, and obtained that information in violation of HIPAA.

In other words, if you knowingly snoop into patient records, you’re on the hook even if you never knew HIPAA existed. (Note, I am not a lawyer or court-watcher, but this is how most legal commentators have interpreted the decision.)

While I like my privacy as much as anyone else, this case does trouble me. While it’s unlikely that a hospital staffer would think PHI peeping was OK, some healthcare workers — in settings such as, say, home care or a small mental health practice — might have no idea that the Department of Justice might come knocking at their door.

Wouldn’t it be more logical to prosecute the hospital for being so insecure that its data could be accessed by an angry ex-employee? If it were my PHI, that’s where I’d be venting my wrath.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.


  • Ignorantia juris non excusat – a basic principle of US Law. It took 9 years to try this case? There must be more to this story.

  • I don’t disagree with you that the hospital should be held partially at fault for allowing the unauthorized access to the system of a former employee. However, I think that in this day and age if you work in healthcare to say you don’t know it is illegal under HIPAA to look at a patient’s information is bogus – even 9 years ago when I started working for an EMR provider I knew not to look up patient data. Additionally, I don’t have to know it is illegal to look at other people’s personal information regardless of the setting. Apply this to any other profession and accessing information from your former employer is wrong, period.

  • FAA has always gone after the air carrier who is the certificate holder first when taking action for failure of party including vendors to the carrier.

    Same should apply to employees of any HIPAA liable entity (or former employee) who have access (or gain access through a leaky portal) to protected data as a part of their work.

    Rule should always go after the bigger more liable entity to underscore the need for oversight of its protection processes. Seems there are very obvious means to control access to information through hardware registration in addition to userids … so the entities given access to data need to police themselves or suffer legal action when they fail.

  • Criminal prosecution of an ex-employee for HIPAA violations does not mean that OCR cannot or will not investigate and enforce against a covered entity, in this case a hospital that employed the person. Since enforcement has been strengthened, there may well be more actions by OCR.

  • Ruth,
    That’s a good point. I wonder if OCR watches lawsuits that are filed when they choose who to look at.

  • Thu,
    I guess intent partially matters. Although, only to the extent that the intent was for an appropriate healthcare purpose. However, since he no longer worked at the company it would be really hard to say that it was appropriate.
