The Ninth Circuit Court of Appeals has held that a misdemeanor conviction for obtaining protected health information (PHI) in violation of HIPAA privacy rules does not require proof that the defendant knew that his/her conduct was unlawful. United States v. Zhou, 9th Cir., No. 10-50231 (May 10, 2012). The case is likely to set a strong precedent and create a difficult landscape for defendants in similar cases in the future.
The Ninth Circuit opinion comes from a classic case of EHR "snooping." Mr. Zhou, a former UCLA Health System research assistant, accessed the health records belonging to his immediate supervisor, his co-workers and various celebrities who received care at UCLA. The government alleged that Mr. Zhou improperly accessed the UCLA patient records system 300 times. Mr. Zhou was criminally charged under a HIPAA provision that imposes misdemeanor penalties on any "[p]erson who knowingly and in violation of this part…obtains individually identifiable health information relating to an individual…" 42 U.S.C. § 1320d-6.
Mr. Zhou argued that a violation requires proof that he knew that his conduct (access of PHI in violation of HIPAA privacy rules) was illegal. The Ninth Circuit wholly rejected that argument based upon the plain language of the statute. Instead, the Ninth Circuit held that a misdemeanor conviction requires proof only that the defendant: (1) knowingly obtained PHI; and (2) obtained that information in violation of HIPAA.
The Ninth Circuit's decision provides a broad interpretation of the HIPAA misdemeanor provisions. Indeed, under the Ninth Circuit standard, every "EHR snooping" case would be a misdemeanor violation, as the snooper will "know" that he/she is obtaining PHI through a provider's EHR. Even beyond such cases, it is difficult to envision a scenario where a person would not "know" he/she is accessing PHI, particularly if using a medical record system at the time.
What Providers Should Know
While there have been relatively few criminal prosecutions under HIPAA privacy rules and regulations, Mr. Zhou's case is a cautionary tale. Prudent health care providers should take steps to ensure that their workforces are aware of and properly trained on the HIPAA privacy and security rules. Some providers will even use Mr. Zhou's case to highlight the potential consequences of EHR snooping and other unauthorized access of patient records. In the end, ongoing education and vigilance are a health care provider's best strategy to avoid HIPAA compliance issues.