What you see; what you get

Agen­cies, em­ploy­ers clamp­ing down on med­i­cal records snoop­ing

Modern Healthcare - - The Week In Healthcare - Gregg Blesch

It’s per­haps like the urge to look through your big brother’s dresser or the medicine cabi­net at a neigh­bor’s house. Some health­care work­ers with ac­cess to med­i­cal records can’t help but snoop, which is more than naughty—it’s a fed­eral crime.

En­force­ment agen­cies and em­ploy­ers are get­ting in­creas­ingly se­ri­ous about bust­ing the snoops as elec­tronic records pro­lif­er­ate and ac­cess be­comes dif­fuse. Last week Hup­ing Zhou, as far as pros­e­cu­tors and ob­servers can tell, be­came the first per­son to be sen­tenced to prison (four months) for just look­ing.

That is, Zhou didn’t use any­thing gleaned from the records to ap­ply for credit cards, sell to tabloids or do any­thing else profitable or harm­ful. Zhou, li­censed as a cardiothoracic sur­geon in China, worked for UCLA Health Sys­tem in Los An­ge­les as a re­search as­sis­tant. Af­ter he was told he was be­ing dis­missed from the job, his lawyer con­cedes, Zhou trolled through the records of co-work­ers and UCLA’s many celebrity pa­tients in the three weeks un­til he was of­fi­cially ter­mi­nated.

Zhou ac­cessed the sys­tem 323 times out­side of work­ing hours in those weeks and looked at records be­long­ing to the su­per­vi­sors be­hind his ter­mi­na­tion, as well as Drew Bar­ry­more, Tom Hanks, Cameron Diaz and other celebri­ties, telling the FBI he did so be­cause he was cu­ri­ous, pros­e­cu­tors said in a court doc­u­ment.

That’s a crim­i­nal of­fense un­der the pri­vacy pro­vi­sions of the Health In­surance Porta­bil­ity and Ac­count­abil­ity Act of 1996. Zhou en­tered a con­di­tional guilty plea to the mis­de­meanor charge, re­serv­ing the right to with­draw it pend­ing an ap­peal of the judge’s re­jec­tion of a pre­trial mo­tion ar­gu­ing that pros­e­cu­tors failed to al­lege that Zhou in­tended to com­mit a crime.

“I don’t think he had any ma­li­cious in­tent,” Zhou’s lawyer, Ed­ward Robin­son, said. “I think it was a com­bi­na­tion of cu­rios­ity and be­ing up­set he’d been wrong­fully ter­mi­nated.”

Alan Gold­berg, an in­de­pen­dent lawyer and ex­pert in HIPAA en­force­ment, said that ap­peal sounds like a long shot. “Some might say, ‘Look, if you put your eyes on some movie-star med­i­cal records, you don’t have to have a Ph.D. in pri­vacy to know that’s some­thing only a dolt would do.’ ”

Gold­berg noted that some peo­ple might view what Zhou did as no big deal; all kinds of peo­ple who work for the in­surance com­pa­nies and the govern­ment and its contractors are look­ing at pri­vate health in­for­ma­tion all the time, and the only dif­fer­ence is they have a pur­pose. Nonethe­less, Gold­berg said, breaches in­volv­ing celebri­ties have drawn more scru­tiny to the mat­ter. “My sense is, with all the pub­lic­ity now, he’s lucky he didn’t get a cou­ple of years in prison.”

Zhou’s sen­tence was ini­tially pub­li­cized by pros­e­cu­tors as the first prison term or­dered for a vi­o­la­tion of HIPAA’s health pri­vacy pro­vi­sions. Ac­tu­ally, that dis­tinc­tion goes to Richard Gib­son, who pleaded guilty to a HIPAA charge in 2004 and was sen­tenced to 16 months. Gib­son ad­mit­ted crib­bing names, ad­dresses and So­cial Se­cu­rity num­bers from records at the Seat­tle can­cer cen­ter where he was a lab tech­ni­cian, then used the in­for­ma­tion to get credit cards and run up charges to­tal­ing about $9,000.

In 2005, a Jus­tice Depart­ment lawyer is­sued an opin­ion that nar­rowly de­fined the law’s crim­i­nal reach to providers and or­ga­ni­za­tions ex­plic­itly reg­u­lated by it, ex­clud­ing em­ploy­ees and other in­di­vid­u­als. U.S. attorneys, though, con­tin­ued to bring cases against a va­ri­ety of peo­ple, though none so far against hos­pi­tals or in­surance com­pa­nies or their cor­po­rate of­fi­cers.

The health in­for­ma­tion technology pro­vi­sions of the Amer­i­can Re­cov­ery and Rein­vest­ment Act of 2009, or stim­u­lus law, clar­i­fied that the crim­i­nal pro­vi­sion can be ap­plied to any­one who ob­tains or dis­closes health in­for­ma­tion main­tained by a “cov­ered en­tity.”

A Jus­tice Depart­ment spokes­woman said the depart­ment doesn’t gather statis­tics on HIPAA prose­cu­tions. Based on a sur­vey of cases an­nounced by in­di­vid­ual U.S. attorneys, most crim­i­nal HIPAA charges have in­volved theft of in­for­ma­tion for fi­nan­cial gain. In most of them, but not all, judges have pinned any prison sen­tences to re­lated charges such as iden­tity theft while giv­ing pro­ba­tion on the HIPAA counts.

In at least one other case, pros­e­cu­tors brought crim­i­nal charges against health­care work­ers who sim­ply let their cu­rios­ity get the best of them. In Oc­to­ber 2008, lo­cal TV news an­chor Anne Pressly was fa­tally beaten and brought to St. Vin­cent In­fir­mary Med­i­cal Cen­ter in Lit­tle Rock, Ark. Jay Hol­land, the med­i­cal di­rec­tor of a spe­cialty hos­pi­tal lo­cated in the build­ing, ad­mit­ted he logged onto the records sys­tem from home to check the ac­cu­racy of news re­ports about her sta­tus, ac­cord­ing to the U.S. at­tor­ney’s of­fice in Lit­tle Rock.

Hol­land pleaded guilty to a mis­de­meanor HIPAA charge and was sen­tenced to pro­ba­tion and com­mu­nity ser­vice, to in­clude speeches ed­u­cat­ing fel­low health­care pro­fes­sion­als about pri­vacy. Two St. Vin­cent In­fir­mary ad­min­is­tra­tive em­ploy­ees who peeked at Pressly’s records pleaded guilty to the same charge and got pro­ba­tion. “The thought of peo­ple trolling through her med­i­cal records

Gold­berg: Those who look at records should have a rea­son to do so.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.