Criminal Charges under HIPAA Do Not Require Knowledge of Illegality of Actions

Does your organization have policies and procedures to protect patient privacy and does the organization conduct training sessions for staff on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P. L. 104-191) Privacy Rules as well as your policies and procedures, but you still find occasions of unauthorized access? Perhaps, a real life example of the ramifications of unauthorized access could be the impetus to stop such actions. On May 10, 2012, in United States of America v. Zhou, the United States Court of Appeals, Ninth Circuit, concluded that not knowing that obtaining protected health information (PHI) without authorization is illegal under HIPAA will not protect the individual from criminal charges and conviction.

The Violation

Huping Zhou, a former research assistant at the Universityof California at Los Angeles Health System (UHS), accessed patient records without authorization after his employment was terminated. Zhou accessed patient records without authorization on at least four occasions after his termination when he was no longer treating patients at the hospital. The government charged Zhou by information with four criminal misdemeanor counts for knowingly and for reasons other than permitted under HIPAA obtained and caused to be obtained individually identifiable health information after his termination under 42 U.S.C. §1320d-6(a)(2). This provision describes the offense as a “person who knowingly and in violation of this part . . . obtains individual identifiable health information related to an individual.” Among the penalties provided under the statute are a fine of not more than $50,000, imprisonment of not more than one year, or both (see §1320d-6(b)(1)).

At the district court, Zhou moved to dismiss the information contending that the information did not allege that he knew that the statute prohibited him from obtaining health information. When the district court denied Zhou’s motion to dismiss, Zhou entered a conditional guilty plea, reserving the right to appeal the denial of his motion to dismiss.

The Appeal

On appeal, the court evaluated whether the information met the requirements under the Due Process Clause and Federal Rule of Criminal Procedure 7 and looked to the language of the law. Under the Due Process Clause, an information is sufficient if it “contains the elements of the offense charged and fairly informs a defendant of the charge against which he must defend and enables him to plead an acquittal or conviction in bar of future prosecutions for the same offense. “Federal Rule of Criminal Procedure 7(c)(1) requires that “an indictment or information be a plain, concise, and definite written statement of the essential facts constituting the offense charged,”  the court explained.

Zhou contended that the information failed to meet the requirements because it did not explicitly state that Zhou knew that obtaining the information was illegal and  knowingly, as used in the statute, modifies “in violation of this part.” Under Zhou’s interpretation, a defendant is guilty only if he knew that obtaining the personal health information was illegal, the court said. The court rejected Zhou’s argument finding that it contradicts the plain language of HIPAA. The word “and” unambiguously indicates that there are two elements of a §1320d-6(a)(2) violation: (1) knowingly obtaining individually identifiable health information related to an individual and (2) obtaining that information in violation of HIPAA, the court said concluding that “knowingly” applies only to the act of obtaining the health information and the placement of “and” eliminates any ambiguity.

In addition, the court determined that HIPAA’s legislative history indicates that Congress intended to broadly apply this misdemeanor criminal penalty noting that “nothing in the Committee Report suggests that Congress intended to confine this criminal penalty to those who knew that their actions were illegal.” In furtherance of its determination, the court said that Congress did not require willfulness as an element of the crime and pointed out that other statues require the crime to be “knowingly” and “willingly.” Finally, the court reasoned that if Congress had intended to confine this penalty to people that knew that the disclosure was illegal, rather than entitling the section “Wrongful disclosure of individually identifiable health information” which indicates a broad scope, the title likely would have limited the scope to “knowingly”  illegal conduct.

The appellate court affirmed the district court’s denial of Zhou’s motion to dismiss the information finding that “42 U.S.C. §1320d-6(a)(2) is not limited to defendants who knew that their actions were illegal. Rather, the defendant need only know that he obtained individually identifiable health information relating to an individual.” Thus, the information satisfied the requirements of the Due Process Clause and Federal Rule of Criminal Procedure 7.

Have you ensured that your employees aware of the criminal penalties for violating HIPAA privacy rules?