Remember Huping Zhou, the UCLA researcher sentenced to prison for snooping through the health records of celebrities and co-workers? A federal appeals court has upheld his conviction and rejected his defense attorney’s position that the prosecution had not alleged that he had known he was violating HIPAA when he accessed the records. The court determined that the only elements that were necessary to prove the violation were that he had knowingly accessed the records, and that such access was not permitted under HIPAA.

Zhou was charged with violating the HIPAA provision that imposes a misdemeanor penalty on "[a] person who knowingly and in violation of this part … obtains individually identifiable health information relating to an individual[.]"

At trial, Zhou entered a conditional guilty plea, reserving his right to appeal the court’s denial of his motion to dismiss the information. Zhou was sentenced to four months in prison, followed by a year of supervised release, a $2,000 fine, and a $100 special assessment. Zhou filed a timely notice of appeal.

The U.S. Court of Appeals for the Ninth Circuit stated:

We reject Zhou’s argument because it contradicts the plain language of HIPAA. The statute’s misdemeanor criminal penalty applies to an individual who “knowingly and in violation of this part . . . obtains individually identifiable health information relating to an individual.” 42 U.S.C. § 1320d-6(a)(2) (emphasis added). The word “and” unambiguously indicates that there are two elements of a Section 1320d-6(a)(2) violation: 1) knowingly obtaining individually identifiable health information relating to an individual; and 2) obtaining that information in violation of Title 42 United States Code Chapter 7, Subchapter XI, Part C. Thus, the term “knowingly” applies only to the act of obtaining the health information.

Little words count, and not just in political scandals. As the court noted, somewhat tongue-in-cheek:

If the statute did not contain “and,” then Zhou’s argument might be more persuasive. However, we cannot ignore “and” because its presence often dramatically alters the meaning of a phrase. Without “and,” the Second Amendment would guarantee “the right of the people to keep bear arms,” Leo Tolstoy would have published “War Peace,” and James Taylor would have confusingly crooned about “Fire Rain.”

It is conceivable, but unlikely, that a person could unknowingly access PHI, for instance by clicking on John W. Smith’s records instead of John P. Smith’s, or by opening an email with a cryptic subject heading only to discover it contained misdirected medical records. But if it is shown that the perpetrator knew he was accessing PHI, and he had no legitimate reason to do so, it is game over, at least in the Ninth Circuit. There is no need to establish that the defendant had ever heard of HIPAA or knew he was breaking the law.

Zhou’s case was noteworthy as it was the first to result in severe sanctions against an individual even where the information was not further leaked, sold or used improperly. As we noted in this blog, it also resulted in a settlement under which UCLA agreed to pay a civil fine of $865,000. It now stands as further evidence of the longstanding maxim that “ignorance of the law is no excuse” (Ignorantia juris non excusat, for you Latin aficionados).

As of this month, it may be slightly more difficult to claim ignorance of HIPAA, now that HHS has published a 47-page plain-English Guide to Privacy and Security of Health Information. The Guide was developed in conjunction with the American Health Information Management Association (AHIMA) and is targeted at physicians and other healthcare providers. It was released with little fanfare and is not easy to find on the ONC web site, but it has been noted by industry publications including Modern Healthcare and Healthcare IT News. The Guide contains a 10-step plan for covered entities to review their HIPAA compliance, including advice on performing a risk analysis, developing an action plan, staff education and training, managing and mitigating risks, and patient communication. The Guide is a helpful reference tool for nonlawyers navigating the shark-filled HIPAA waters, but details are limited due to the length of the publication. As Mr. Zhou has learned the hard way, you are held responsible for knowing the rules, so when in doubt, consult knowledgeable counsel.