Protected Health Information Case Sets Strong Precedent For HIPAA Compliance


The Ninth Circuit Court of Appeals has held that a misdemeanor conviction for obtaining protected health information (PHI) in violation of HIPAA privacy rules does not require proof that the defendant knew that his/her conduct was unlawful. United States v. Zhou, 9th Cir., No. 10-50231 (May 10, 2012). The case is likely to set a strong precedent and create a difficult landscape for defendants in similar cases in the future.

The Ninth Circuit opinion comes from a classic case of EHR "snooping." Mr. Zhou, a former UCLA Health System research assistant, accessed the health records belonging to his immediate supervisor, his co-workers and various celebrities who received care at UCLA. The government alleged that Mr. Zhou improperly accessed the UCLA patient records system 300 times. Mr. Zhou was criminally charged under a HIPAA provision that imposes misdemeanor penalties on any "[p]erson who knowingly and in violation of this part…obtains individually identifiable health information relating to an individual…" 42 U.S.C. § 1320d-6.

Mr. Zhou argued that a violation requires proof that the he knew that his conduct (access of PHI in violation of HIPAA privacy rules) was illegal. The Ninth Circuit wholly rejected that argument based upon the plain language of the statute. Instead, the Ninth Circuit held that a misdemeanor conviction only requires proof of the defendant: (1) knowingly obtaining PHI; and (2) obtaining that information in violation of HIPAA.

The Ninth Circuit's decision provides a broad interpretation of the HIPAA misdemeanor provisions. Indeed, under the Ninth Circuit standard, every "EHR snooping" case would be a misdemeanor violation, as the snooper will "know" that he/she is obtaining PHI through a provider's EHR. Even beyond such cases, it is difficult to envision a scenario where a person would not "know" he/she is accessing PHI, particularly if using a medical record system at the time.

What Providers Should Know

While there have been relatively few criminal prosecutions under HIPAA privacy rules and regulations, Mr. Zhou's case is a cautionary tale. Prudent health care providers should take steps to ensure that their workforces are aware and properly trained on the HIPAA privacy and security rules. Some providers will even use Mr. Zhou's case to highlight the potential consequences of EHR snooping and other unauthorized access of patient records. In the end, ongoing education and vigilance is a health care provider's best strategy to avoid HIPAA compliance issues. To access the Ninth Circuit opinion, click here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising

Written by:


Polsinelli on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.