Access To Patient Data Even Without Knowledge of Illegality Can Still Lead to HIPAA Criminal Liability

On May 10, 2012, the Ninth Circuit heard United States v. Zhou, No. 10-50231 (9th Cir. May 10, 2012), and held that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) criminal misdemeanor provision, 42 U.S.C. § 1320d-6(a)(2), is not limited to defendants who knew their actions were illegal.

The case arose out of the following facts:  Huping Zhou was a licensed cardiothoracic surgeon in China who was employed in 2003 at University of California at Los Angeles Health System (UHS) as a researcher.  UHS later terminated his employment.  After his termination, Zhou accessed patient records of celebrities and co-workers on at least four separate occasions.  The U.S. Attorney’s Office for the Central District of California brought criminal charges for a misdemeanor violation of HIPAA’s prohibition of “knowingly” obtaining individually identifiable health information in violation of HIPAA.  Zhou filed a motion to dismiss on the grounds that he did not know it was illegal to obtain the health information and, therefore, did not act “knowingly.”  The magistrate judge dismissed Zhou’s motion, and Zhou then submitted a conditional guilty plea, reserving the right to appeal the dismissal.  The trial court sentenced Zhou to four months in prison, a $2,000 fine, and a $100 special assessment.

The Ninth Circuit rejected Zhou’s interpretation of the statute as applying only to defendants who knew obtaining the personal healthcare information was illegal.  Rather the court held that, “as used in the statute, the term ‘knowingly’ applies only to the act of obtaining the health information,” the appeals court said.  Thus, the statute did not require a defendant to have knowledge that his or her actions were illegal under HIPAA.

The court’s decision is significant because it sets a relatively low bar for criminal misdemeanor liability under HIPAA.  To access the case click here.