A breach violation resulted in a sentence of 4 months in prison, 1 year of supervised release, and a fine of $2,000. Handed down in April 2010, it was the first jail sentence involving a HIPAA (Health Insurance Portability and Accountability Act) misdemeanor.
The event took place at the University of California at Los Angeles Health System (UHS) and involved an employee, Huping Zhou. Dr. Huping was found to have illegally accessed the Protected Health Information (PHI) of several patients/clients, including that of his co-workers and well-known celebrities.
Dr. Huping had practiced as a cardiothoracic surgeon in China before he migrated to the US, where he then worked as a researcher at the UCLA School of Medicine. After a few months of his employment as a researcher, UCLA decided to fire him for reasons unrelated to the illegal access of Protected Health Information. After being informed of this in October 2003, Dr. Huping proceeded to illegally access the Protected Health Information in the Electronic Health Records (EHR) of over 300 patients within 3 weeks of his notice of termination.
According to Dr. Huping Zhou’s lawyer, his client did not maliciously use the information that he accessed, nor had he planned to sell it. Further reports indicate that he was well aware that he should not have been accessing PHI without a valid and authorized reason. Dr. Huping believed everything was okay as long as he was not sharing the PHI with anyone and not selling the information.
After his termination, Dr. Huping learned that he had been charged with violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which imposes a misdemeanor penalty on a person who breaches the Protected Health Information of individuals. He filed an appeal after his conviction, to no avail; his sentence and fines stood.
The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule “establishes national standards to protect individuals’ medical records and other personal health information… The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”