Ninth Circuit on HIPAA Criminal Liability: No Knowledge Requirement
On May 10, 2012, the United States Court of Appeals for the Ninth Circuit issued its opinion in United States v. Zhou, No. 10-50231 (9th Cir. May 10, 2012), and held that the criminal misdemeanor provision of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), located at 42 U.S.C. § 1320d-6(a)(2)—which penalizes the mere unauthorized access to patient documents—does not require a defendant to know that his or her actions were illegal under the statute.
According to press accounts, the defendant, Huping Zhou, was hired as a research assistant at the UCLA Health System in February of 2003. On October 29 of that same year, UCLA issued a notice of intent to dismiss Zhou, citing poor performance. That evening, Zhou, for reasons that were not made clear, allegedly accessed the patient records of co-workers and well-known actors, including Tom Hanks, Drew Barrymore, and Arnold Schwarzenegger, without authorization. UCLA terminated the defendant from his job on November 14, 2003, after a formal internal grievance hearing.
The defendant was eventually charged in 2008 with a violation of HIPAA. The particular provision the government claimed the defendant violated penalizes a “person who knowingly . . . obtains individually identifiable health information relating to an individual” for reasons other than those permitted under federal law. See 42 U.S.C. § 1320d-6(a)(2). Zhou was not accused of disseminating any of the information he allegedly accessed.
The defendant moved to dismiss the charge on the basis that the word “knowingly” in the statute required that he have knowledge that it was illegal to obtain such protected health information. After a federal magistrate judge denied the motion, Zhou entered a conditional guilty plea, reserving his right to appeal the denial of his motion to dismiss.
In its opinion, the Ninth Circuit rejected the Zhou’s interpretation of HIPAA criminal provision. Rather than applying only to individuals who knew that improperly accessing protected health information violated HIPAA, the Court held that, “as used in the statute, the term ‘knowingly’ applies only to the act of obtaining the health information,” and did not require a defendant to have knowledge that his actions may have violated HIPAA. The Court’s affirmation of the denial of the motion to dismiss thus gave effect to Zhou’s guilty plea, which had previously garnered a sentence of four months in prison, a year of supervised release, and a fine of approximately $2,100.00.
The Ninth Circuit’s decision is significant because it underscores how easily criminal liability can attach to individuals who simply access private health information for reasons other than those permitted under federal law. Health care providers and other entities covered by HIPAA should be aware of the civil and criminal liability that attaches to unauthorized breaches of patient confidentiality.