Contributed by Lee Kim, Esquire, 412.594.3915

The HIPAA Security Rules require covered entities and (soon) business associates to implement and adopt administrative, physical, and technical safeguards to ensure that electronic protected health information (“ePHI”) is adequately protected from those without legitimate cause to access such information. Only authorized personnel should be allowed to access ePHI, and only when there is a legitimate (e.g., medical) reason under the HIPAA provisions. HIPAA audit trails should be monitored to ensure that ePHI is being accessed appropriately. In addition, when an employee or a contractor has been dismissed, his or her access should be restricted so that he or she can no longer access the information, in compliance with the HIPAA provisions.

The government has recently started to scrutinize HIPAA violations and invoke criminal sanctions against individuals who violate the HIPAA provisions. According to a press release from the Los Angeles office of the Federal Bureau of Investigation, Huping Zhou, 48, of Los Angeles, California, is one of the first people in the nation to be convicted of violating the HIPAA privacy provisions. On January 12, 2010, ahead of a trial scheduled to begin next week, he pleaded guilty to four misdemeanor counts of violating the HIPAA privacy provisions.

By way of background, Mr. Zhou was a licensed cardiothoracic surgeon in China who was employed in 2003 at UCLA Healthcare System as a UCLA School of Medicine Researcher. On October 29, 2003, he received a notice of intent to dismiss him from employment for reasons unrelated to the HIPAA violations. However, for the next three weeks, Mr. Zhou continued to access private and confidential medical records of various individuals, including his immediate supervisor, other co-workers, celebrities, and high-profile people. He accessed these records without any legitimate reason under HIPAA.

“There is a persistent problem with improper and illegal viewing of medical records by individuals who abuse the access they have as a result of their employment,” Acting United States Attorney George S. Cardona said.  “The FBI is committed to investigating violations of HIPAA laws, the compromise of which can cause major financial or emotional distress,” said Steven M. Martinez, Assistant Director in Charge of the FBI in Los Angeles.  “These laws exist to protect the privacy that must be afforded to all patients…” said Mr. Martinez.
