Back in late 2015, we blogged about an interesting twist in the $125 million Warner Chilcott settlement: a Massachusetts physician had been criminally charged with violating the Health Insurance Portability and Accountability Act (HIPAA). See HERE for that previous post.

That physician has now been convicted of the HIPAA violation, as well as an unrelated charge of obstructing a federal health care investigation.  The US Attorney’s Office in Boston made the announcement late last month.

The Warner Chilcott settlement involved illegal drug promotion.  Specifically, sales reps were accused of flagging patient medical records with product brochures and filling out the provider’s prior authorization forms in advance for specific patients.  All of this required impermissible access to patient records.  The physician’s criminal liability stems from providing these sales reps with access to her patients’ records.  In some cases, the reps were even allowed to take the records home with them!

We are often reminded through settlements with the HHS Office for Civil Rights that HIPAA violations are taken seriously and can include hefty fines and corrective action plans (see HERE, HERE and HERE for just a few examples).  This case serves as fair warning that intentional misuse of protected patient information can lead to jail time.  When this physician is sentenced, she could be looking at up to a year in prison, a $50,000 fine, and a year of supervised release.  If you picture a sales rep combing through your personal health issues in his or her living room to determine whether you might be a sales target, it shouldn’t be so surprising that this conduct can rise to the level of criminal liability.

Written by Kimberly Gold

Individuals who access protected health information without authorization may be found guilty of a misdemeanor even if they lack knowledge that their actions are illegal. 

On May 10, the U.S. Court of Appeals for the Ninth Circuit affirmed a United States District Court information that charged Huping Zhou, a former research assistant at the University of California at Los Angeles Health System (“UHS”), with violating Section 1320d-6 (the “Wrongful Disclosure Section”) of the Health Insurance Portability and Accountability Act (HIPAA).  The section provides that any person who “knowingly and in violation of this part…obtains individually identifiable health information relating to an individual” is subject to a misdemeanor punishable by a fine of not more than $50,000 and/or imprisonment for not more than one year.

Zhou was charged under subsection (a)(2) of the Wrongful Disclosure Section for “knowingly” accessing patients’ medical records with no permitted justification after he was terminated from UHS for performance-related reasons.  According to a 2010 statement, Zhou illegally accessed patient records 323 times during a three-week period, including those of his immediate supervisor, co-workers, and well-known celebrities.  Zhou admitted in his plea agreement to accessing patient records on four specific occasions after his termination.  Zhou was the first individual convicted of, and incarcerated for, misdemeanor HIPAA offenses for accessing confidential patient records without a valid reason or authorization. 

On appeal, Zhou argued that a defendant cannot be guilty of violating HIPAA if he did not know that obtaining the protected health information was illegal.  The court rejected his argument, finding that it “contradicts the plain language of HIPAA.”  The court held that the word “and” clearly provides that there are two elements of a Wrongful Disclosure Section violation: 1) knowingly obtaining individually identifiable health information relating to an individual; and 2) obtaining that information in violation of HIPAA. 

The court stated that “the term ‘knowingly’ applies only to the act of obtaining the health information” and that the defendant need only know that he obtained individually identifiable health information relating to an individual in order to be found guilty of violating the statute.

Every provider must develop and implement policies designed to ensure that terminated employees cannot access the provider’s systems, including those with protected health information.  Referencing this case in the course of employee training will further drive the point home and reinforce the importance of preventing the unauthorized access of protected health information.