Employment Law Blog

News, trends and analysis in employment law and HR

Jun 12, 2012

HIPAA violations can mean prison time

Employee Benefits 

Think the Health Insurance Portability and Accountability Act (HIPAA) privacy rules are just an exercise in compliance on paper? Think again. 

Think the Health Insurance Portability and Accountability Act (HIPAA) privacy rules are just an exercise in compliance on paper? Think again.  A medical school researcher learned the hard way that HIPAA’s criminal sanctions are very real. He is one of the first people to be convicted of violating HIPAA’s privacy provisions, after improperly accessing and reading the medical records of his supervisor, coworkers, various celebrities and other high profile patients when he learned that he would soon be terminated for unrelated performance issues. He was sentenced to four months in prison, followed by a year on supervised release. Although he tried to defend himself by arguing that he did not knowingly violate HIPAA, the Ninth Circuit Court of Appeals rejected his argument, concluding that criminal sanctions under HIPAA are not limited to individuals who know their behavior is illegal. They apply to anyone who knowingly obtains information, and obtains the information in violation of HIPAA (United States v. Zhou, 9th Cir, May 2012). 
 
Tips: The government seems to have heightened its focus on HIPAA privacy compliance and enforcement in recent months. If anyone in your workforce has access to protected health information (PHI) from your health plan, be sure you not only have privacy policies and procedures in place, but you also train the members of your workforce who have access to PHI.

Comments