Employee Need Not be Aware of HIPAA to be Guilty
A U.S. appeals court has ruled that an employee does not need to be aware of healthcare privacy laws to be guilty of violating them. In the case, a research assistant, Huping Zhou, at the University of California at Los Angeles Health System (UHS) was fired for “continued serious job deficiencies and poor judgment.”
After he was fired, Zhou accessed patient records without authorization. He viewed the personal health care records of coworkers and of celebrities who had been treated at UHS. Zhou was charged with a misdemeanor under theHealth Insurance Portability and Accountability Act(HIPAA). The charge stated that Zhou obtained identifiable health information relating to an individual.
Zhou moved to dismiss the charge, arguing that he didn’t know that obtaining the information was illegal. The U.S. District Court for the Central District of California ruled that it was unnecessary to prove that Zhou knew his actions were illegal. The court noted that the law defines the crime as obtaining individually identifiable health information and obtaining this information for a purpose other than permitted under law. Zhou appealed the decision.
The U.S. Court of Appeals for the Ninth Circuit upheld the lower court’s ruling, and Zhou’s misdemeanor charge. The appeals court ruled that Zhou’s knowledge of the law was irrelevant.Violations of HIPAA, ruled the court, are “not limited to defendants who knew that their actions were illegal.” To violate the law, Zhou only needed to know that he obtained the identifiable health information of other people. ( U.S. v. Zhou, U.S. Court of Appeals for the Ninth Circuit, No. 10-50231, 2012)