HIPAA violation leads to jail time

The case, involving a former UCLA employee, is the first to result in incarceration for unauthorized access of patient medical records.

By — Posted June 7, 2010

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Huping Zhou, a licensed cardiothoracic surgeon in China who was working at the UCLA School of Medicine as a researcher in 2003, was sentenced in late April to four months in jail after pleading guilty to charges related to looking at patient medical records he was not authorized to view.

According to experts, Zhou's incarceration, the first in the nation for looking at patient files without a valid reason, should serve as a warning sign to all medical practices that times have changed when it comes to patient privacy.

"There's no question that this is sending a message," said Stephen Aborn, executive director of Andrews International, a Valencia, Calif.-based investigative and security services provider. That message: Health care organizations, and their employees, can't afford to be complacent about privacy of patients' electronic data.

"This would be an example of [the government] demonstrating, 'Yes, we are serious about making sure you all understand we will exercise this authority with respect to employees,' " said John Christiansen, a Seattle-based attorney who advises clients on information technology matters.

The safeguards should start at the hiring process. In addition to criminal background checks, practices should also look at things such as credit reports, Aborn said. An employee who has a lot of debt and works in an office that serves celebrities could be tempted to sell information to tabloids, which has happened, he noted.

But practices that think just because they don't have a patient roster full of famous names they don't have anything to worry about "are living in a little bit of denial," Aborn said.

"Identity theft is one of the most critical things you have to be aware of," he said. "It's not just worrying about whether Mrs. Jones has the flu. It's about all the stuff in Mrs. Jones' files."

Beyond making good hires, practices also need access controls in place that would eliminate the potential for employees to look at files they are not authorized to see. Christiansen said if the practice has done all it can to protect itself, but an employee circumvents those safeguards and breaks the law anyway, the employee is the one authorities hold responsible.

According to the U.S. Attorney's Office, Central District of California, which prosecuted Zhou, the night Zhou's employment was terminated, he accessed and read his immediate supervisor's medical records and those of former co-workers. Over the course of three weeks he remotely accessed other medical records he was unauthorized to see, including those belonging to celebrities.

In January, Zhou pleaded guilty to four misdemeanor counts of violating the federal privacy provisions of the Health Insurance Portability and Accountability Act. In addition to jail time, the judge handed Zhou a $2,000 fine.

"It sounds like the kind of thing where it's not overkill to do a criminal prosecution," Christiansen said. "In some cases you may be able to say, 'No harm, no foul.' But this sort of activity is one that could be a real problem, and you want to make it clear that people who do this sort of thing will get prison time."

Aborn said these types of cases are happening all across the country, and it's likely the U.S. Attorney's Office is using this as an educational opportunity.

A study by the California Health Dept. conducted in 2008 found the Zhou incident was hardly an isolated one for UCLA. Since 2003, UCLA hospital workers inappropriately accessed the electronic medical records of 1,041 patients, including those of California first lady Maria Shriver.

About the time that report was released, Gov. Arnold Schwarzenegger signed into law two bills that significantly increased fines not only for the illegal use of medical records but also for unauthorized access of records. The laws also opened the door for patients to sue physicians when their records are accessed, even if there was no damage.

UCLA acknowledged it was slow to terminate Zhou's access to the patient files. It has since developed a more stringent process to ensure prompt termination of access when employees leave, according to Dale Triber Tate, executive director of communications and government relations for UCLA Health Sciences. UCLA declined further comment on the case.

Part of making sure the practice has sound policies and procedures is to have a risk assessment, Aborn said. "No one is 100% bulletproof, but from a liability standpoint, you've taken measures to protect the information," he said.

Numerous resources on HIPAA compliance are available, including guides from the American Medical Association that are tailored to physicians.

Back to top

External links

American Medical Association resources on the Health Insurance Portability and Accountability Act (link)

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn