HIPAA regulations, while laws, aren’t usually prosecuted as crimes. Most HIPAA investigations are handled with civil penalties by HHS OCR. However, when a case needs to be prosecuted for criminal wrongdoing, it is referred to the Department of Justice. In addition, states are free to build and prosecute their own cases for violations. Criminal cases for HIPAA are not common, that is true. But they do happen, and not always for the violations you might think. Sometimes they are cases of large amounts of data stolen or data used for personal gain. But usually, they are for much smaller infractions.
In 2010, Huping Zhou became the first person in the United States to be sent to prison for violating HIPAA laws. What could have been so bad that it necessitated jail time? He must have stolen and sold patient data or released celebrity information to the tabloids, right? Not quite.
Accessing medical records without a need is a HIPAA violation
Mr. Zhou was a cardiologist in his native China, but while working to pass exams for the United States, he worked as a researcher at UCLA Health System in California. In 2003, he received notice that UCLA was terminating his employment. However, that same day, Mr. Zhou accessed the medical records of his immediate supervisor and other coworkers.
Over a period of three weeks, he viewed the medical records of thousands of patients, including high-profile celebrities such as Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio.
Mr. Zhou never disclosed any of the information he found, even to his wife. He didn’t sell it or make use of it in any way. He simply viewed it. However, he didn’t have a medically necessary reason for doing so. HIPAA doesn’t allow the viewing of patient records by anyone who doesn’t have a medical need to do so.
Sent to jail for HIPAA violations?
He was charged with four misdemeanor counts of accessing and reading the confidential medical records. He was later sentenced to four months in federal prison for the violations. He was the first person ever sent to prison for HIPAA violations, even though he never personally benefited from the violations or actually stole the information.