Californian Sentenced to Prison for HIPAA Violation

[Editor’s note, August 9, 2010: Huping Zhou was the first person in the nation to receive jail time for a misdemeanor HIPAA offense—for accessing confidential records without a valid reason or authorization but not profiting from it through the sale or use of the information.]

A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA.

Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California. Zhou was also fined $2,000.

In 2003, Zhou, who was a licensed cardiothoracic surgeon in China before immigrating to the US, was employed as a researcher with the UCLA School of Medicine.

On October 29, 2003, Zhou received notice that UCLA intended to dismiss him for job performance reasons unrelated to the illegal access of medical records. That night, Zhou accessed and read his immediate supervisor’s medical records as well as those of other coworkers.

Over the next three weeks, Zhou abused his access to the organization’s electronic health record system to view the medical records of celebrities and high-profile patients, including Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio.

According to court documents, Zhou accessed the UCLA record system 323 times during the three-week period. In the plea agreement, Zhou admitted he obtained and read patient health information on four specific occasions — with no legitimate reason, medical or otherwise — after he was terminated from his job.

Zhou did not improperly use or attempt to sell any of the information he illegally accessed, according to the press release. In January Zhou’s attorney Edward Robinson was quoted in the UCLA student newspaper The Daily Bruin saying Zhou did not know that accessing the records was a federal crime.

468 ad

52 Comments

  1. As a consultant in the Healthcare Industry, I find it difficult to believe that Dr. Zhou was not aware that viewing EHR’s is a crime.

  2. Perhaps a further intrusion into these “high-profile patients” privacy could’ve been avoided by identifying them by name in this article as patients of UCLA.

  3. I totally agree with you Katy. The courts need to put a “gag” order on him to make sure he doesn’t leak any of the information about his coworkers or the celebrities.

  4. He’s a CV surgeon and has time on his hands to go prying? What would the motive for that be? Fishy..

  5. People often exhibit irrational thoughts and behavior after receiving poor performance reviews, especially those that culminate in the loss of a job. I see room for compassion in this specific case.

  6. Elise, the article did not say that Dr. Zhou was unaware that viewing EHR’s was a crime. It says that his lawyer said that Dr. Zhou was unaware that it was a FEDERAL crime. There’s a big difference. Get your facts strait.

  7. The article does not state which month Dr. Zhou immigrated to the U.S., but it appears, from the way this article is written, that he was here less than a year. It is entirely possible that he did NOT know about HIPPA, even though most of us would find that truly amazing. Nonetheless, ignorance of the law does not save you from it.

    I agree with Katy – shame on the Journal for stating the names of celebs whose records he viewed.

  8. Alisa, Elise did not SAY that Dr. Zhou SAID he was not aware this was a crime, she said she could not believe he did not know. His lawyer said he was unaware. I too find it hard to believe it was aware. Get YOUR facts “strait” (I believe that’s “straight”)

  9. I would hope that anyone hired to work with medical records would be aware of the guidelines for viewing confidential reports and the penalties for breaching confidentiality. I’m very concerned that these kinds of things can get out of control when in the wrong hands. This man obviously got caught but what about those who don’t get caught. Reports are going overseas and who knows what is happening with them. Hopefully we can trust the people we hire but that is not always the case especially when jobs are in jeopardy. He should have never been allowed to stay beyond his day of termination just for a reason like this one. Most companies with sensitive information walk their employees out the door when terminated for fear they will do something just like this.

  10. Since when is it a breach of HIPPA to read medical records if you are an MD?

  11. It is always a breach of HIPAA when an individual seeks access to protected health information for purposes other than treatment, payment or healthcare operations. I have worked in HIM for years and even before HIPAA, I have denied a physician access to a patient’s health record for personal reasons.

  12. I work at a medical clinic and my HIPAA was violated. I put a restriction on one of the employees whom worked in the Health Information deparment. This employee was allowed to copies multiple EHR records of mine to put in my medical chart. There were no violations according to the manager because she (the manager) authorized this employees to copy my EHR records. There are 4 other employees in her department includin herself, who could have worked in my chart. This to me was clearly a violation. Does a manager have the authority to bend HIPAA regulations?

  13. This may be a violation of HIPPAA, but it is clearly an example of very bad IT management that is rampant in our business environments. This person should not have continued to have log-on access passed the day he was let go!
    How many times & other ways are our personal information gathered by disgruntled, DISMISSED employees who do not have their log-on priveledges blocked?

  14. While we as HIM professionals would like to think everyone in the health care setting knows and understands HIPAA, it isn’t always the case. At 2 of my 3 jobs, I received, read, and signed a confidentiality form that briefly explain HIPAA and then also received a longer document about it to keep. At the third job, no such information about HIPAA was provided.

    Also, it is often times hard to keep medical staff up on recent changes in HIPAA. The HITECH Act containing the consequences of HIPAA breach is less than a year old and might not have been provided to the medical staff at this facility.

    I’m not trying to make excuses for this person, because what they did is obviously wrong (not only according to HIPAA, but also according to general human ethics). I think that by going public with this, it will serve as a good example for those in the health care industry. Hopefully this incident will educate health care professionals throughout the country and encourage them to review what HIPAA is really about.

  15. Isn’t it a HIPAA violation to list the celebrities in the article??

  16. I agree with Janet. It should be a violation to list the celebs names (unless The Journal had express consent). And viewing records the way this guy did is definitely a HIPAA violation. Even though he came from China, UCLA should have briefed him on HIPAA laws.

  17. If he was unaware of HIPAA- Shame on UCLA for not training on HIPAA as required

  18. People in the health care industry have access to medical records and can look [be nosy] for no apparent or medically based reason at any time when they have access. Some people who have access are medical assistants and office personnel and don’t always have the best education or morals. They should be prosecuted, fined or sanctioned. It’s intrusive, illegal and clearly against HIPAA. If they are unaware, then they have not been trained BUT that is unlikely in the world we live in with all the laws that are in force for HIPAA. Do you want someone in your records just because they are nosy?

  19. Amazing, the guy should be deported back his original country, the names of those celebs surprized even me a student, I was wonder who they were,but wow they should sue the writer of this article for disclosure of personal info still. I dont feel bad for the nozy doctor, but I instantly feel or the celebrities who did nothing wrong but get help for what ever the conditions were… three months is not long enough. should have been a three months for each record. This goes to show security needs to be improved on in a major way. and we are releaseing PHR’s now what a mess this will be in a few years…with students not knowing really what they are getting into in the HIT Field…

  20. Journal – where are your ethics and why are you not following HIPAA rules? Releasing the names as you have, has me wondering where this organization is headed. Shame on you!

  21. As a clarification, Huping Zhou was the first person in the nation to be convicted and incarcerated for misdemeanor HIPAA offenses for merely accessing confidential records without a valid reason or proper authorization. He did not release the information to others or use it for personal gain, but still received jail time – a first for HIPAA violation cases, according to the Central District of California’s United States Attorney’s Office. There have been other HIPAA violation cases before Zhou’s conviction in which people were sent to jail, but they all involved using the information for personal gain or further disclosing the sensitive info. Zhou was the first to be sent to jail just for improperly looking at confidential information.

  22. I read multiple times here about how the author of the article violated HIPPA. This is not a violation since the author does not have access to the records. HIPPA strictly deals only in this matter. The author only has access to court information in which the names of these celebrities became public. It is tacky to name them, but not illegal. It is easy to quickly jump on the blame wagon without getting the facts straight.

  23. I don’t think folks who are commenting on the story are reading the article thoroughly. Although it says that Dr. Zhou was a cardiothoracic surgeon in China, it says he was hired in the US as a researcher, not an MD. Therefore, in that role, he does not automatically get access to records except as they relate to his research. I think I can be safe in saying that I highly doubt that his supervisor’s records related to his research and is, therefore, more proof that he was looking at records he had no business looking at.

  24. Even though this MD clearly violated HIPAA, this story really should be about how easy it is for people to access medical records when they clearly have no need for them. HIPAA is supposed to be more strict on the security of Patient records, so why wasn’t this addressed? Yes, the MD was responsible for his part, what about the part of the HIT department who didn’t have stricter regulations on access to patient files?

  25. What do you think about students using the 3M system to code medical records. I remember I ran across a close family members information and to this day I have to look at this person and know what they did without her husband knowing. This could happen to anyone – even a student.

  26. The article can say the names because they are listed in the Court Case Documentation. (Which are now public record)

  27. I agree with Randy above, UCLA is due some blame as they allowed him to still have access to the clinical systems once they had notified him of his dismissal, shame on them. An angry worker who feels they have nothing more to loss should not be allowed access to PHI once termination or suspension has been decided.

  28. Dr. Zhou should not have excessed information on anyone that is private information.

  29. If all the information in the article is accurate, the UCLA Health System is also guilty of not following HIPAA by 1) not training its employees about the requirements of HIPAA, and 2) not removing access to health information from someone who was terminated and/or not having procedures in place to do this.

  30. Dr. Zhou should not have accessed information on anyone that wasn’t his patient.

  31. I don’t think you should read peoples records unless it has to do with your job.

  32. I don’t think you should read records unless is has to do with your job.

  33. Dr. Zhou had no need to access these records to do his job. He violated HIPPA.

  34. HIPAA violation. Read the policy and procedures. Training is necessary. Also, should not use celebritie names?? Someone who isn’t really paying attention to this article will have it all over the hospital that Will Smith’s son was here???

  35. i dont think you should read anyone’s information unless youneed impotant information when dealing with that patient

  36. every patient is cosidered ahippa violation

  37. I don’t think you should read information when a patient is involved.

  38. Great comments! However the part that’s still resonating with me is “— with no legitimate reason, medical or otherwise — after he was terminated from his job.” How did he get access after he was involuntarily terminated? Where is UCLA Compliance (for the training – I agree with others comments) but more importantly IT Security! AND naming the “celebrities” is also a HIPAA violation. Considering he admitted to 323 records at a maximum potential fine of $50K each, he got off easy with four months and $2K fine. So did UCLA as the exposure to them is $150K/patient!

  39. I have few comments to make:

    1) To the person who wrote “Since when is it a breach of HIPAA to read medical records when you are an MD?” I hope to God you are not a MD or even in the HIM field because if you don’t know the answer to your own question, then you go back to school. By the way it is HIPAA, not HIPPA.

    2) So many comments have horrible misspellings and fragmented sentences that I couldn’t even understand what been said.

    3) I agree with Bob’s comment completely. How is it that a person is fired and still able to access 323 medical records? Where I work if you’re fired,you are given boxes to put your stuff in and walked out the door. We even have a door code that is changed that day and your privileges are removed from the system immediately. The gentleman in this story should have received a fine for each record accessed, as well as UCLA for their negligence in security matters. I am curious to know if the judge even addressed UCLA for their negligence in court. If not, shame on him or her. I am also curious to know if UCLA notified each and every of the 323 individuals that there had been a security breach; which I’m sure you all know is part of the HITECH Act.

    4) The names mentioned in the article were purely for shock value I’m sure, but the trial IS a matter of public record and the author has done nothing illegal by reporting peoples names in this story.

  40. As a current medical coding student I agree with numerous posts stating this person did not have reason to view patients’ personal health information for treatment or payment. Two of the HIPAA regulations concerning viewing a patient’s personal health record.

  41. For those inquiring why he still had access to patient records for three weeks, the article states that UCLA intended to dismiss him and there was never a mention of WHEN he was dismissed so I’m assuming he wasn’t dismissed until much later.

  42. We are studying HIPAA in my phlebotomy class right now and my homework was to find this article. As a student I know that looking at the the medical record of any patient including yourself, is a HIPAA violation, unless you are directly providing care for that patient at the time that you look at the record.

  43. I too am currently a Medical Billing/Coding student. Anyone in the medical field should know that accessing a patients PHI when it is not necessary is a federal offense and can be punishable by stiff fines and/or imprisonment. Anyone in the medical field who doesn’t know this either wasn’t taught, didn’t not pay attention when they were in school, or simply doesn’t care and thinks that the HIPAA laws don’t apply to them. Rediculous.

  44. To Hendrix: Although it is difficult as a student to know all of the nuances of HIM and HIPAA, it is your responsibility to recuse yourself if assigned a family member’s record. You should not be reviewing or coding the record of a family member.

  45. Accessing private medical records with no reason, regardless of they were used inappropriately or not is grounds for termination.

  46. There is a gross misunderstanding of HIPAA and it’s interpetation on this blog!

  47. i want to know why he chose to do such a thing. this man should do serious time. he knew that he was doing something illegal. therefore, he should do his time.

  48. A farmers Insurance Attorney went to my Doctor lie and said that agree to release my medical record I never even talk to the guy,the he even said the court order it with out any court order, my doctor gave them to him, and now he blames my doctor, well both are wrong come find out he paid my doctor

  49. If he came from China, and lives in California, this does not make him a Californian.

  50. he should have known better. He was a licensed cardiothoracic sugeoon, he should know that. And not only that, they teach him things like that is school. I know, i am currently in school fora medical assistant. I know that.

Submit a Comment

Share This

Share This

Share this post with your friends!