You can go to jail for HIPAA HITECH violations

On our webinar Tuesday, April 2th, we had a question about criminal penalties for HIPAA HITECH violations, I submit the following article in it's entirety:

UCLA Researcher Gets Jail Time for HIPAA Violations (Corrected Version)
4-month sentence comes amid heightened federal scrutiny of health information privacy.
A former UCLA School of Medicine researcher became one of the first healthcare workers sentenced to prison for violating the HIPAA privacy rule this week.

Huping Zhou, a licensed cardiothoracic surgeon in China, was working as a researcher at the university in 2003 when he received notice of his dismissal for performance reasons unrelated to HIPAA, according to prosecutors. That's when Mr. Zhou began accessing the medical records of his superior, his co-workers and celebrity patients in the UCLA Health System, including Tom Hanks, Drew Barrymore and Arnold Schwarzenegger. He accessed confidential medical records in violation of the HIPAA privacy rule a total of 323 times over a 3-week period, according to the FBI.

In January, Mr. Zhou pleaded guilty to 4 misdemeanor counts of illegally reading confidential medical records, and earlier this week a judge sentenced him to 4 months in federal prison, plus a fine of $2,000.

Correction: The U.S. Attorney's Office in Los Angeles said in a press release that this is the first time a healthcare worker has been given jail time for violating the HIPAA privacy rule. However, a handful of other individuals have been convicted and sentenced to prison for accessing protected health information and using the information for identity theft. Mr. Zhou may be the first healthcare worker to go to jail simply for snooping on protected health records; the U.S. Attorney's Office says there is no evidence that he did anything with the information other than read it.

Edward Robinson, attorney for Mr. Zhou, told CBS News his client had "no idea that looking at another person's medical records was a federal criminal violation for which you could go to jail."

The ruling comes at a time when the federal government is increasingly cracking down on health information security as it also promotes a shift from paper to electronic medical records. The HITECH Act of 2009 put some enforcement teeth behind the HIPAA privacy rule, making healthcare employees subject to criminal penalties for disclosing protected health information without authorization.


Add Your Comments

(not published)