Californian Sentenced to Prison for HIPAA Violation


[Editor’s note, August 9, 2010: Huping Zhou was the first person in the nation to receive jail time for a misdemeanor HIPAA offense—for accessing confidential records without a valid reason or authorization but not profiting from it through the sale or use of the information.]

A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA.

Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California. Zhou was also fined $2,000.

In 2003, Zhou, who was a licensed cardiothoracic surgeon in China before immigrating to the US, was employed as a researcher with the UCLA School of Medicine.

On October 29, 2003, Zhou received notice that UCLA intended to dismiss him for job performance reasons unrelated to the illegal access of medical records. That night, Zhou accessed and read his immediate supervisor’s medical records as well as those of other coworkers.

Over the next three weeks, Zhou abused his access to the organization’s electronic health record system to view the medical records of celebrities and high-profile patients, including Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio.

According to court documents, Zhou accessed the UCLA record system 323 times during the three-week period. In the plea agreement, Zhou admitted he obtained and read patient health information on four specific occasions — with no legitimate reason, medical or otherwise — after he was terminated from his job.

Zhou did not improperly use or attempt to sell any of the information he illegally accessed, according to the press release. In January, Zhou’s attorney Edward Robinson was quoted in the UCLA student newspaper The Daily Bruin saying Zhou did not know that accessing the records was a federal crime.


  1. That man, who was Dr. and is now Mr. Zhou, was a person who at one time took the Hippocratic oath and maybe was a member of the American Medical Association, and was well aware of HIPAA, ethics, trust, physician-patient relationships, fraud, fiduciary duty, right from wrong, integrity, fairness, and on and on. He was wrong, he got caught, and every doctor and licensed nurse has no excuse for invasion of a patient’s health care information if that is not his or her patient and they are not in a report. Bottom line. He should have been fined and sent to prison for a federal crime. He was about to be fired for something anyway. He was an unethical person who did not care about doing wrong. If you come from another country, there are provisions that allow a doctor to practice medicine in this country. They even may have to retake their medical boards. This man knew. He was pulling somebody’s leg, but certainly not a lawyer’s.


  3. Jail time is too harsh for being nosey; however, he is an MD and has been taught ethical conduct.

  4. The HIPPA laws can be violated by texting, social media and mishandling of patients’ records. Illegal access of a patient record is also a breach that could arise from a social situation. HIPPA violations can be avoided with precautions and adequate training.

  5. He knew what he was doing was wrong; even though he did nothing with the info, he still should have received more prison time.

  6. As an American college health care professional, Mr. Zhou should have known there would be serious consequences for his actions.

  7. “A major goal of the Privacy Rule is to assure that individuals’ health information is properly secured while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.”–Summary of the HIPAA Privacy Rule. In my opinion I feel like his punishment was well thought-out. We should find a better way to keep patients’ medical records more confidential.

  8. I don’t know if he knew it was a crime or not, but knowingly using his access to look into someone else’s personal record is a violation of that person’s privacy and intrudes upon the doctor/patient relationship. Four months is light for the level of damage he could have caused.
    If anybody could just hop on the internet and look up your information, imagine if that was your records and your privacy was violated; what do you think about the laws now!

  9. Mr. Zhou knew exactly what he was doing. He violated the HIPPA law. He should not have read the doctor’s notes unless he was told to. All he got was four months. He should be grateful that’s all he received.

  10. I think he should have gotten more time because, working in healthcare, I find it hard to believe that he did not know it was a crime, and he shouldn’t have been in somebody else’s files who is not a patient of his.

  11. I think he shouldn’t have had to do all that time he did, and he didn’t know that it was a crime at the same time, so he was in there and didn’t know why he was in there till court.

  12. Dr. Zhou had no reason to access these patients’ files. What he didn’t know was that he would get caught.

  13. I believe Zhou’s sentencing was fair. He should not have been reading his supervisor’s records. The HIPAA law is made for confidentiality.


  15. I feel that the punishment he received was just a slap in the face; his punishment was not firm enough. In my opinion, he should not be able to enter any clinic or hospital without being supervised by an M.A. or M.O.S., and if he ever gets sick for some unknown reason, do not leave him alone in a room with a computer; he can stand some watching around anybody’s computer at any place of business.

  16. If I’m not mistaken, nobody is allowed to read a patient’s information if that patient is not your patient, because it’s their personal information.

  17. I think that was fair; it’s important to follow the protocol because someone can get really hurt or even die.

  18. I think that everyone stating “this article violates HIPAA because it states the celebrities’ names” should go over all aspects of the HIPAA law. I’m not sure how it violates it if the writer of this article did not read these celebrities’ PHRs and the writer also did not disclose any information that would be obtained from the records other than who the records belonged to. Lol.

    1. This is not the reason at all. The journal writer is not a covered entity and is not bound by the Privacy Rule. If he had the entire medical record of one of those individuals and published it he would not be in violation of the Privacy Rule. There might be civil claims, but not related to HIPAA. Only the Covered Entity is governed by HIPAA. Get a copy of your medical record and give it to your neighbor. That neighbor isn’t bound by HIPAA.

  19. I feel UCLA would have imposed some strict action against Zhou initially when he was convicted; I think a lot more work has to be done to strengthen HIPAA, not just banging on.

  20. He came from China. He didn’t know the law. For him, it wasn’t a big deal.

  21. This is the correct spelling of HIPAA, not HIPPA. But I also just want to say that for any record that you have accessed, you can be questioned later. Will you remember the business need for it?….if you don’t, you could be prosecuted too, and they can make a case that you were being nosy. Remember this is a federal violation which could land you in federal prison…. don’t ya love our government. For every federal rule, a violation is now a federal crime… it seems it’s U.S. GOVT vs. U.S. CITIZEN anymore. So you better document why you accessed each and every record you access.

  22. As an RHIT student about to graduate, I had to sign a non-disclosure form at my practicum site. As a former employee way back when at LAC-USC in East Los Angeles (LA County Hospital), we knew if we even talked about a patient’s file between co-workers it was grounds for immediate termination, and we were unionized. So I find it hard to believe he did not know…but even with ignorance comes the common sense of knowing right from wrong. These other innocent people had nothing to do with his termination.

  23. He should have known better. He was a licensed cardiothoracic surgeon; he should know that. And not only that, they teach him things like that in school. I know, I am currently in school for a medical assistant. I know that.

    1. Starr, go back and re-read the article. You missed a few major details. Don’t feel bad, though; lots of other commenters did too. I seriously doubt China has anything like our HIPAA laws!

  24. If he came from China, and lives in California, this does not make him a Californian.

  25. A Farmers Insurance attorney went to my doctor, lied and said that I agreed to release my medical record; I never even talked to the guy. Then he even said the court ordered it, without any court order. My doctor gave them to him, and now he blames my doctor. Well, both are wrong; come to find out he paid my doctor.

  26. I want to know why he chose to do such a thing. This man should do serious time. He knew that he was doing something illegal. Therefore, he should do his time.

  27. There is a gross misunderstanding of HIPAA and its interpretation on this blog!

  28. Accessing private medical records with no reason, regardless of whether they were used inappropriately or not, is grounds for termination.

  29. To Hendrix: Although it is difficult as a student to know all of the nuances of HIM and HIPAA, it is your responsibility to recuse yourself if assigned a family member’s record. You should not be reviewing or coding the record of a family member.

  30. I too am currently a Medical Billing/Coding student. Anyone in the medical field should know that accessing a patient’s PHI when it is not necessary is a federal offense and can be punishable by stiff fines and/or imprisonment. Anyone in the medical field who doesn’t know this either wasn’t taught, didn’t pay attention when they were in school, or simply doesn’t care and thinks that the HIPAA laws don’t apply to them. Ridiculous.

  31. We are studying HIPAA in my phlebotomy class right now and my homework was to find this article. As a student I know that looking at the medical record of any patient, including yourself, is a HIPAA violation, unless you are directly providing care for that patient at the time that you look at the record.

  32. For those inquiring why he still had access to patient records for three weeks, the article states that UCLA intended to dismiss him and there was never a mention of WHEN he was dismissed so I’m assuming he wasn’t dismissed until much later.

  33. As a current medical coding student I agree with numerous posts stating this person did not have reason to view patients’ personal health information for treatment or payment. Two of the HIPAA regulations concerning viewing a patient’s personal health record.

  34. I have few comments to make:

    1) To the person who wrote “Since when is it a breach of HIPAA to read medical records when you are an MD?” I hope to God you are not an MD or even in the HIM field, because if you don’t know the answer to your own question, then you should go back to school. By the way, it is HIPAA, not HIPPA.

    2) So many comments have horrible misspellings and fragmented sentences that I couldn’t even understand what was being said.

    3) I agree with Bob’s comment completely. How is it that a person is fired and still able to access 323 medical records? Where I work, if you’re fired, you are given boxes to put your stuff in and walked out the door. We even have a door code that is changed that day, and your privileges are removed from the system immediately. The gentleman in this story should have received a fine for each record accessed, as well as UCLA for their negligence in security matters. I am curious to know if the judge even addressed UCLA for their negligence in court. If not, shame on him or her. I am also curious to know if UCLA notified each and every one of the 323 individuals that there had been a security breach, which I’m sure you all know is part of the HITECH Act.

    4) The names mentioned in the article were purely for shock value I’m sure, but the trial IS a matter of public record and the author has done nothing illegal by reporting peoples names in this story.

    1. Andrea I agree with you about the horrible sentence structure, punctuation, and grammar. However, do you not think you should check your post prior to lashing out at the previous posts???

  35. Great comments! However, the part that’s still resonating with me is “— with no legitimate reason, medical or otherwise — after he was terminated from his job.” How did he get access after he was involuntarily terminated? Where is UCLA Compliance (for the training – I agree with others’ comments) but more importantly IT Security! AND naming the “celebrities” is also a HIPAA violation. Considering he admitted to 323 records at a maximum potential fine of $50K each, he got off easy with four months and a $2K fine. So did UCLA, as the exposure to them is $150K/patient!

  36. I don’t think you should read information when a patient is involved.

  37. Every patient is considered a HIPPA violation.

  38. I don’t think you should read anyone’s information unless you need important information when dealing with that patient.

  39. HIPAA violation. Read the policy and procedures. Training is necessary. Also, should not use celebrities’ names?? Someone who isn’t really paying attention to this article will have it all over the hospital that Will Smith’s son was here???

  40. Dr. Zhou had no need to access these records to do his job. He violated HIPPA.

  41. I don’t think you should read records unless it has to do with your job.

  42. I don’t think you should read people’s records unless it has to do with your job.

  43. Dr. Zhou should not have accessed information on anyone that wasn’t his patient.

  44. If all the information in the article is accurate, the UCLA Health System is also guilty of not following HIPAA by 1) not training its employees about the requirements of HIPAA, and 2) not removing access to health information from someone who was terminated and/or not having procedures in place to do this.

  45. Dr. Zhou should not have accessed information on anyone that is private information.

  46. I agree with Randy above; UCLA is due some blame as they allowed him to still have access to the clinical systems once they had notified him of his dismissal. Shame on them. An angry worker who feels they have nothing more to lose should not be allowed access to PHI once termination or suspension has been decided.

  47. The article can say the names because they are listed in the Court Case Documentation. (Which are now public record)

    1. No, it is because the journal is not a Covered Entity and is no way bound by the Privacy Rule. Just like in a personal injury lawsuit, if a patient provides his medical records to an attorney, that attorney is not bound by the Privacy Rule.

  48. What do you think about students using the 3M system to code medical records? I remember I ran across a close family member’s information, and to this day I have to look at this person and know what they did without her husband knowing. This could happen to anyone – even a student.

  49. Even though this MD clearly violated HIPAA, this story really should be about how easy it is for people to access medical records when they clearly have no need for them. HIPAA is supposed to be more strict on the security of Patient records, so why wasn’t this addressed? Yes, the MD was responsible for his part, what about the part of the HIT department who didn’t have stricter regulations on access to patient files?

  50. I don’t think folks who are commenting on the story are reading the article thoroughly. Although it says that Dr. Zhou was a cardiothoracic surgeon in China, it says he was hired in the US as a researcher, not an MD. Therefore, in that role, he does not automatically get access to records except as they relate to his research. I think I can be safe in saying that I highly doubt that his supervisor’s records related to his research and is, therefore, more proof that he was looking at records he had no business looking at.

  51. I read multiple times here about how the author of the article violated HIPPA. This is not a violation since the author does not have access to the records. HIPPA strictly deals only in this matter. The author only has access to court information in which the names of these celebrities became public. It is tacky to name them, but not illegal. It is easy to quickly jump on the blame wagon without getting the facts straight.

    1. I could be COMPLETELY WRONG..and confusing cases here..but it seems to me that the patients (celebrities) in question may have testified in this case. Although again, I may be completely confusing this case with another one, in which case their names would have been made public at that time. Just a thought..

  52. As a clarification, Huping Zhou was the first person in the nation to be convicted and incarcerated for misdemeanor HIPAA offenses for merely accessing confidential records without a valid reason or proper authorization. He did not release the information to others or use it for personal gain, but still received jail time – a first for HIPAA violation cases, according to the Central District of California’s United States Attorney’s Office. There have been other HIPAA violation cases before Zhou’s conviction in which people were sent to jail, but they all involved using the information for personal gain or further disclosing the sensitive info. Zhou was the first to be sent to jail just for improperly looking at confidential information.

  53. Journal – where are your ethics and why are you not following HIPAA rules? Releasing the names as you have has me wondering where this organization is headed. Shame on you!

  54. Amazing. The guy should be deported back to his original country. The names of those celebs surprised even me, a student; I was wondering who they were, but wow, they should sue the writer of this article for disclosure of personal info still. I don’t feel bad for the nosy doctor, but I instantly feel for the celebrities who did nothing wrong but get help for whatever the conditions were… three months is not long enough. Should have been three months for each record. This goes to show security needs to be improved on in a major way. And we are releasing PHRs now; what a mess this will be in a few years…with students not knowing really what they are getting into in the HIT field…

  55. People in the health care industry have access to medical records and can look [be nosy] for no apparent or medically based reason at any time when they have access. Some people who have access are medical assistants and office personnel and don’t always have the best education or morals. They should be prosecuted, fined or sanctioned. It’s intrusive, illegal and clearly against HIPAA. If they are unaware, then they have not been trained BUT that is unlikely in the world we live in with all the laws that are in force for HIPAA. Do you want someone in your records just because they are nosy?

  56. If he was unaware of HIPAA, shame on UCLA for not training on HIPAA as required.

  57. I agree with Janet. It should be a violation to list the celebs’ names (unless The Journal had express consent). And viewing records the way this guy did is definitely a HIPAA violation. Even though he came from China, UCLA should have briefed him on HIPAA laws.

  58. Isn’t it a HIPAA violation to list the celebrities in the article??

    1. This journal is not a Covered Entity and is in no way bound by the Privacy Rule.

      1. While that is true, it doesn’t negate the fact that these people are patients too, and if your name was up there, you might feel differently. It may not be a HIPPA violation, but it very well might be an ethical issue.

  59. While we as HIM professionals would like to think everyone in the health care setting knows and understands HIPAA, it isn’t always the case. At 2 of my 3 jobs, I received, read, and signed a confidentiality form that briefly explained HIPAA and then also received a longer document about it to keep. At the third job, no such information about HIPAA was provided.

    Also, it is oftentimes hard to keep medical staff up on recent changes in HIPAA. The HITECH Act containing the consequences of a HIPAA breach is less than a year old and might not have been provided to the medical staff at this facility.

    I’m not trying to make excuses for this person, because what they did is obviously wrong (not only according to HIPAA, but also according to general human ethics). I think that by going public with this, it will serve as a good example for those in the health care industry. Hopefully this incident will educate health care professionals throughout the country and encourage them to review what HIPAA is really about.

  60. This may be a violation of HIPPAA, but it is clearly an example of the very bad IT management that is rampant in our business environments. This person should not have continued to have log-on access past the day he was let go!
    How many times and in how many other ways is our personal information gathered by disgruntled, DISMISSED employees who do not have their log-on privileges blocked?

    1. My thoughts exactly! His access should have been terminated immediately. I am also wondering why a researcher had access to what sounds like the entire database of patient records. It sounds as though they also need to tighten up the levels of security for different groups. The UCLA health system should be fined for enabling the violations.
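The two points raised in this thread (comment 34, item 3, and comment 60 and its reply) and the advice in comment 21 to document the business need for every record access are the kind of thing an EHR audit-log review would catch. The following is an added example, not code from the article, from UCLA, or from any commenter, and its log format, user ids, patient ids, departments and roster are all constructed for illustration. It parses a handful of hypothetical audit lines and flags access on or after the day a termination notice was issued, access with no documented reason, and access to a coworker's record outside a treatment context, then lists users whose access volume over the log window exceeds a threshold.

```python
"""Inappropriate-access detection over a constructed EHR audit log.

Added example; the key=value line format, ids, departments and roster
below are assumptions for illustration, not any real system's data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Constructed audit-log lines. Dates echo the article's timeline: notice of
# dismissal issued 2003-10-29, first accesses that same night.
SAMPLE_LOG = """\
2003-10-29T22:14:03 user=u_zhou patient=p_1001 reason=
2003-10-29T22:20:41 user=u_zhou patient=p_1002 reason=
2003-11-03T09:05:12 user=u_zhou patient=p_2001 reason=
2003-11-03T09:06:58 user=u_zhou patient=p_2002 reason=
2003-11-03T10:31:00 user=u_lee patient=p_3001 reason=RESEARCH
2003-11-04T08:12:45 user=u_patel patient=p_3002 reason=TREATMENT
2003-11-04T08:13:10 user=u_patel patient=p_1001 reason=TREATMENT
"""

# Constructed HR roster: user -> (department, date a termination notice was issued or None)
ROSTER: dict[str, tuple[str, date | None]] = {
    "u_zhou": ("cardio_research", date(2003, 10, 29)),
    "u_lee": ("cardio_research", None),
    "u_kim": ("cardio_research", None),
    "u_patel": ("cardiology", None),
}

# Constructed: patient records that belong to staff members, so coworker lookups can be spotted
STAFF_PATIENT_RECORDS: dict[str, str] = {"p_1001": "u_lee", "p_1002": "u_kim"}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    reason: str  # documented business reason; empty string when none was recorded


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the hypothetical 'timestamp key=value ...' format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        events.append(AccessEvent(datetime.fromisoformat(ts_str), kv["user"], kv["patient"], kv.get("reason", "")))
    return events


def flag_event(ev: AccessEvent, roster=ROSTER, staff_records=STAFF_PATIENT_RECORDS) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    flags = []
    dept, notice = roster.get(ev.user, (None, None))
    # Rule 1: any access on or after the day a termination notice was issued.
    if notice is not None and ev.ts.date() >= notice:
        flags.append("access_after_termination_notice")
    # Rule 2: no documented business reason for the access.
    if not ev.reason:
        flags.append("no_documented_reason")
    # Rule 3: the record belongs to a coworker in the same department and the
    # access was not for treatment.
    owner = staff_records.get(ev.patient)
    if owner and owner != ev.user and ev.reason != "TREATMENT":
        if roster.get(owner, (None, None))[0] == dept:
            flags.append("coworker_record")
    return flags


def flag_log(events: list[AccessEvent]) -> list[tuple[AccessEvent, list[str]]]:
    """Every event that trips at least one rule, paired with the rules it tripped."""
    flagged = []
    for ev in events:
        rules = flag_event(ev)
        if rules:
            flagged.append((ev, rules))
    return flagged


def high_volume_users(events: list[AccessEvent], threshold: int) -> dict[str, int]:
    """Users whose record-access count over the log window is above threshold."""
    counts = Counter(ev.user for ev in events)
    return {u: n for u, n in counts.items() if n > threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, rules in flag_log(evs):
        print(ev.ts.isoformat(), ev.user, ev.patient, ",".join(rules))
    print("high-volume:", high_volume_users(evs, 3))
```

The volume threshold is deliberately a parameter: the article's figure of 323 accesses in three weeks is far above what a researcher role would normally generate, but the right cut-off depends on the role, so in practice it would be set per department or per job title rather than globally.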

  61. I work at a medical clinic and my HIPAA was violated. I put a restriction on one of the employees who worked in the Health Information department. This employee was allowed to copy multiple EHR records of mine to put in my medical chart. There were no violations according to the manager, because she (the manager) authorized this employee to copy my EHR records. There are 4 other employees in her department, including herself, who could have worked in my chart. This to me was clearly a violation. Does a manager have the authority to bend HIPAA regulations?

  62. It is always a breach of HIPAA when an individual seeks access to protected health information for purposes other than treatment, payment or healthcare operations. I have worked in HIM for years and even before HIPAA, I have denied a physician access to a patient’s health record for personal reasons.

  63. Since when is it a breach of HIPPA to read medical records if you are an MD?

    1. In response to May 13, 2010 NO AUTHOR

      Because that Dr. had NO REASON to read private, HIPPA protected information. Just because you have “MD” beside your name does not give you the right to access private, privileged information. Privacy, does no one respect that anymore? He is unethical and he is lucky if he is still able to practice.

      By the way, I have a license to conceal and carry, does that give me the right to shoot someone just because??? There are laws in the country, and people need to obey them.

        1. THANK YOU LIZ! I was getting concerned.

    2. I am not aware of anything that breaches HIPPA.

      As for HIPAA, the ‘Minimally Necessary Standard’ applies to all individuals of a Covered Entity.

    3. He was an MD in China but not here in the US; he was only a researcher.

  64. I would hope that anyone hired to work with medical records would be aware of the guidelines for viewing confidential reports and the penalties for breaching confidentiality. I’m very concerned that these kinds of things can get out of control when in the wrong hands. This man obviously got caught but what about those who don’t get caught. Reports are going overseas and who knows what is happening with them. Hopefully we can trust the people we hire but that is not always the case especially when jobs are in jeopardy. He should have never been allowed to stay beyond his day of termination just for a reason like this one. Most companies with sensitive information walk their employees out the door when terminated for fear they will do something just like this.

  65. Alisa, Elise did not SAY that Dr. Zhou SAID he was not aware this was a crime; she said she could not believe he did not know. His lawyer said he was unaware. I too find it hard to believe he was unaware. Get YOUR facts “strait” (I believe that’s “straight”)

  66. The article does not state which month Dr. Zhou immigrated to the U.S., but it appears, from the way this article is written, that he was here less than a year. It is entirely possible that he did NOT know about HIPPA, even though most of us would find that truly amazing. Nonetheless, ignorance of the law does not save you from it.

    I agree with Katy – shame on the Journal for stating the names of celebs whose records he viewed.

    1. The journal is not bound by HIPAA regulations

    2. Because that is the crap UCLA does. They fired me for the same thing for 45 seconds in an actor’s file. Funny thing though, I was a senior employee and in charge of all VIP patients, and very good at my job. They even hired Robert Half to come in to run me down. After they paid him $100 thousand dollars and a week at the W Hotel, he said I was the most knowledgeable and efficient, not to mention well liked by our patients. You see, I was getting near retirement, and this seemed like a smart thing for administration to do. They picked all the other senior employees off before me. I was more tenacious about keeping my retirement after 33 and a half years working. All the doctors acted like little school girls when it came to celebrities. I threatened to report them numerous times as they discussed their patients on the elevator in public. This is the way UCLA behaved. I think this guy was not liked, so a method had to be devised to dump him. I would take this story with a grain of salt, especially in that they released the victimized parties’ names to the public…exactly the same violation.
      Also the law is HIPAA, for all you medically trained know it alls.

      1. Forgot to mention that I told the administration that if they really believed I did the crime, they must give me jail time. Never happened. In fact they refused to discuss that issue at all. So what does that say? They deprived me of the notoriety of being number one for this offense (Nov. 2008).

  67. Elise, the article did not say that Dr. Zhou was unaware that viewing EHR’s was a crime. It says that his lawyer said that Dr. Zhou was unaware that it was a FEDERAL crime. There’s a big difference. Get your facts strait.

  68. People often exhibit irrational thoughts and behavior after receiving poor performance reviews, especially those that culminate in the loss of a job. I see room for compassion in this specific case.

  69. He’s a CV surgeon and has time on his hands to go prying? What would the motive for that be? Fishy..

  70. I totally agree with you Katy. The courts need to put a “gag” order on him to make sure he doesn’t leak any of the information about his coworkers or the celebrities.

    1. I agree also. If he has committed anything to memory from accessing those records, he has 20 years of nothing to do but discuss this info with other inmates.

      1. I Agree, he will be in there for a long time to think about what he did. He probably is thinking different about it now.

  71. Perhaps a further intrusion into these “high-profile patients” privacy could’ve been avoided by identifying them by name in this article as patients of UCLA.

    1. I agree. But there is no legal mandate that this journal must protect that information or respect the privacy of the individuals listed because the journal is not the one providing the direct HEALTH services to them.

      1. Let’s not just view “Health Services” as only clinical services provided by a health institution. Health services is any service that promotes an individual’s total well-being, not limited to only the elimination of disease or injury.
        I strongly believe that listing these personalities here on this website will not be healthy to their social well-being or sanity. Zhou may not have used their information for anything else, but that may lead to these people feeling paranoid or to other celebrities’ reluctance to trust their healthcare providers with their information.

        1. Was it worth it? It does not appear that he used the information for a substantial reason. He lost his job for being curious. What a waste….

          1. He’d already lost his job for unrelated issue(s) per the article. I find it telling that he had not invaded anyone’s records until he had been advised of termination; he knew it was wrong.

  72. As a consultant in the Healthcare Industry, I find it difficult to believe that Dr. Zhou was not aware that viewing EHR’s is a crime.

    1. He may have known it was a crime and against the law, but it says that he didn’t know it was a “federal” crime. That’s a whole new level of serious.

      1. I’m not sure that you understand what “federal” means

          1. I think the doctor knew what he did was wrong and I think the sentence was too light. I feel he needed more time so he will think twice before doing something like that again.

      2. I think the doctor really knew what he was doing. He just wanted to see what he could get away with. It is too bad he went to prison.

        1. I like your answer on that, because he knew what he was doing; in the medical field there are a lot of doctors that do some under-the-table stuff and down the line they get caught, so he has to pay the consequences for his action.

          1. I agree, that is so true. So many doctors do things because they think they can get away with it and think just because they have a title behind their name they can do whatever they want to do, but they did the right thing; they made an example out of him, to make the next doctor or doctors who think they can get away with trying to do something of the sort think twice about committing a crime such as that.

    2. In his case, he was a cardiothoracic surgeon in China, not the USA; in the USA he was just a researcher in the UCLA School of Medicine, not a surgeon in the USA. He was in violation of HIPPA.

    3. I believe that Zhou was curious and read the documents of those celebrities without doing any harm.
      He did not sell or advertise the records.
      I feel a suspension would have been more than a fair punishment.

      1. I think that he wasn’t given enough time. I think that the judge should have taken his license to practice and banned him from practicing medicine for five years or more.

      2. And if it were your file he had illegally accessed, maybe you could have given that opinion to the judge. HIPPA has rules and punishments for a reason; any and everyone working in the healthcare industry, researcher or not, knows about HIPPA laws and the penalties that come with breaking the rules, so no, a suspension would not have been a fair punishment, because the next shady disgruntled worker will scream for the same penalty.

    4. I feel Zhou was aware but felt he could get away with it. He should have taken HIPAA more seriously.

    5. I do not agree with the punishment, because of the fact he thought he was going to get away with it, and I do think he did it on purpose to see what he can do and how long he can do this without getting caught. I mean, he could have done worse with these people’s information, like bank fraud, etc. You ask me, I think the judge was too soft on him.

    6. He admitted doing it, and being in medical he knew it was wrong, morally and unethical. Why did he go in and look at it so many times? Who’s to say he was not going to use it wrongfully, maliciously against the persons whose records he was looking at?

    7. I feel as though I’m on the fence with the imprisonment. One, being that I am also in the healthcare field, I naturally feel some form of compassion. Two, although he was totally in violation of the HIPPA law, at the time he was a researcher, and not to attach any humor to this situation, isn’t that what he did? Finally, we have case laws, and the only reason for that is exactly because of unlawful acts such as these.

    8. That is crazy; he was wrong on so many levels. He should have gotten more time than that. When you go to the doctor you would think your information would be safe, I GUESS NOT.
