What you see; what you get
Agencies, employers clamping down on medical records snooping
It’s perhaps like the urge to look through your big brother’s dresser or the medicine cabinet at a neighbor’s house. Some healthcare workers with access to medical records can’t help but snoop, which is more than naughty—it’s a federal crime.
Enforcement agencies and employers are getting increasingly serious about busting the snoops as electronic records proliferate and access becomes diffuse. Last week Huping Zhou, as far as prosecutors and observers can tell, became the first person to be sentenced to prison (four months) for just looking.
That is, Zhou didn’t use anything gleaned from the records to apply for credit cards, sell to tabloids or do anything else profitable or harmful. Zhou, licensed as a cardiothoracic surgeon in China, worked for UCLA Health System in Los Angeles as a research assistant. After he was told he was being dismissed from the job, his lawyer concedes, Zhou trolled through the records of co-workers and UCLA’s many celebrity patients in the three weeks until he was officially terminated.
Zhou accessed the system 323 times outside of working hours in those weeks and looked at records belonging to the supervisors behind his termination, as well as Drew Barrymore, Tom Hanks, Cameron Diaz and other celebrities, telling the FBI he did so because he was curious, prosecutors said in a court document.
That’s a criminal offense under the privacy provisions of the Health Insurance Portability and Accountability Act of 1996. Zhou entered a conditional guilty plea to the misdemeanor charge, reserving the right to withdraw it pending an appeal of the judge’s rejection of a pretrial motion arguing that prosecutors failed to allege that Zhou intended to commit a crime.
“I don’t think he had any malicious intent,” Zhou’s lawyer, Edward Robinson, said. “I think it was a combination of curiosity and being upset he’d been wrongfully terminated.”
Alan Goldberg, an independent lawyer and expert in HIPAA enforcement, said that appeal sounds like a long shot. “Some might say, ‘Look, if you put your eyes on some movie-star medical records, you don’t have to have a Ph.D. in privacy to know that’s something only a dolt would do.’ ”
Goldberg noted that some people might view what Zhou did as no big deal; all kinds of people who work for the insurance companies and the government and its contractors are looking at private health information all the time, and the only difference is they have a purpose. Nonetheless, Goldberg said, breaches involving celebrities have drawn more scrutiny to the matter. “My sense is, with all the publicity now, he’s lucky he didn’t get a couple of years in prison.”
Zhou’s sentence was initially publicized by prosecutors as the first prison term ordered for a violation of HIPAA’s health privacy provisions. Actually, that distinction goes to Richard Gibson, who pleaded guilty to a HIPAA charge in 2004 and was sentenced to 16 months. Gibson admitted cribbing names, addresses and Social Security numbers from records at the Seattle cancer center where he was a lab technician, then used the information to get credit cards and run up charges totaling about $9,000.
In 2005, a Justice Department lawyer issued an opinion that narrowly defined the law’s criminal reach to providers and organizations explicitly regulated by it, excluding employees and other individuals. U.S. attorneys, though, continued to bring cases against a variety of people, though none so far against hospitals or insurance companies or their corporate officers.
The health information technology provisions of the American Recovery and Reinvestment Act of 2009, or stimulus law, clarified that the criminal provision can be applied to anyone who obtains or discloses health information maintained by a “covered entity.”
A Justice Department spokeswoman said the department doesn’t gather statistics on HIPAA prosecutions. Based on a survey of cases announced by individual U.S. attorneys, most criminal HIPAA charges have involved theft of information for financial gain. In most of them, but not all, judges have pinned any prison sentences to related charges such as identity theft while giving probation on the HIPAA counts.
In at least one other case, prosecutors brought criminal charges against healthcare workers who simply let their curiosity get the best of them. In October 2008, local TV news anchor Anne Pressly was fatally beaten and brought to St. Vincent Infirmary Medical Center in Little Rock, Ark. Jay Holland, the medical director of a specialty hospital located in the building, admitted he logged onto the records system from home to check the accuracy of news reports about her status, according to the U.S. attorney’s office in Little Rock.
Holland pleaded guilty to a misdemeanor HIPAA charge and was sentenced to probation and community service, to include speeches educating fellow healthcare professionals about privacy. Two St. Vincent Infirmary administrative employees who peeked at Pressly’s records pleaded guilty to the same charge and got probation. “The thought of people trolling through her medical records
Goldberg: Those who look at records should have a reason to do so.