HIPAA Regulatory Alert

Access, not use, of PHI results in conviction

Doctor's conviction raises concerns for hospitals

Four months in prison and a $2,000 fine to Huping Zhou, a 47-year-old cardiothoracic surgeon from China and a UCLA health care system employee, for violating the Health Insurance Portability and Accountability Act (HIPAA) should be a cause for concern for hospitals.

"Prosecution and a prison sentence are significant in this case because there is no evidence that Zhou shared any of the protected health information [PHI] he accessed," says Allyson Labban, JD, senior associate in the Greensboro, NC, law office of Smith Moore Leatherwood. "The sentence sends a message to all health care employees that merely accessing information without a reason is a crime."

Zhou, a researcher at UCLA, reportedly began accessing and reading medical records of health care system employees, administrators, and celebrity patients following his notice of termination. In a three-week period, Zhou accessed more than 320 medical records for which he had no legitimate reason to access, says Labban.

"I do believe that hospital employees become complacent about following HIPAA requirements when there is no obvious breach of security or when private information is not shared outside the hospital," says Labban. In Zhou's case, UCLA cooperated with the Federal Bureau of Investigation and no charges were filed against the hospital, she points out. "Instead, prosecutors focused on the one individual." Although she does not know for sure, Labban believes that this indicates that the hospital had procedures in place to detect and report the breach.

Because it is obvious that attorneys general are willing to prosecute violators of HIPAA requirements, it is important for hospitals to take steps to limit access of records to employees who need access in order to perform their jobs, says Labban. "With the increasing use of electronic medical records, the ease with which employees can access records will only increase," she says.

Steps that hospitals should take now to prevent a similar situation include:

• Re-educate staff members about who can access records.

"Hospital staff members, especially physicians, are so accustomed to picking up charts and reviewing them that they don't think about whether or not it is appropriate," says Labban. Only physicians or hospital employees who are actively treating the patient or billing for that account, or supervising those activities should be accessing that record, she explains.

• Establish regular audits of medical records access.

"There is no set standard for how often an organization should audit access," says Labban. "Larger organizations may want to audit on a weekly or bi-weekly basis, while a smaller organization with fewer patients and charts might want to conduct an audit every month or two," she says. The key factors in determining how often to audit are the number of records and the potential risk associated with inappropriate access to information.

• Review policies and procedures related to privacy and security of PHI.

"This is a good time to review policies in light of Zhou's conviction," says Labban. "Make sure policies clearly define who can access information and how to report inappropriate access."

[For more information about privacy and security requirements of HIPAA and HITECH, contact:

Allyson Labban, JD, Senior Associate, Smith Moore Leatherwood, 300 N. Greene Street, Suite 1400, Greensboro, NC 27401. Phone: (336) 378-5200. Fax: (336) 378-5400. E-mail: allyson.labban@smithmoorelaw.com.]