What you see; what you get

It's perhaps like the urge to look through your big brother's dresser or the medicine cabinet at a neighbor's house. Some healthcare workers with access to medical records can't help but snoop, which is more than naughty—it's a federal crime.

Enforcement agencies and employers are getting increasingly serious about busting the snoops as electronic records proliferate and access becomes diffuse. Last week Huping Zhou, as far as prosecutors and observers can tell, became the first person to be sentenced to prison (four months) for just looking.

That is, Zhou didn't use anything gleaned from the records to apply for credit cards, sell to tabloids or do anything else profitable or harmful. Zhou, licensed as a cardiothoracic surgeon in China, worked for UCLA Health System in Los Angeles as a research assistant. After he was told he was being dismissed from the job, his lawyer concedes, Zhou trolled through the records of co-workers and UCLA's many celebrity patients in the three weeks until he was officially terminated.

Zhou accessed the system 323 times outside of working hours in those weeks and looked at records belonging to the supervisors behind his termination, as well as Drew Barrymore, Tom Hanks, Cameron Diaz and other celebrities, telling the FBI he did so because he was curious, prosecutors said in a court document.

That's a criminal offense under the privacy provisions of the Health Insurance Portability and Accountability Act of 1996. Zhou entered a conditional guilty plea to the misdemeanor charge, reserving the right to withdraw it pending an appeal of the judge's rejection of a pretrial motion arguing that prosecutors failed to allege that Zhou intended to commit a crime.

“I don't think he had any malicious intent,” Zhou's lawyer, Edward Robinson, said. “I think it was a combination of curiosity and being upset he'd been wrongfully terminated.”

Alan Goldberg, an independent lawyer and expert in HIPAA enforcement, said that appeal sounds like a long shot. “Some might say, ‘Look, if you put your eyes on some movie-star medical records, you don't have to have a Ph.D. in privacy to know that's something only a dolt would do.' ”

Goldberg noted that some people might view what Zhou did as no big deal; all kinds of people who work for the insurance companies and the government and its contractors are looking at private health information all the time, and the only difference is they have a purpose. Nonetheless, Goldberg said, breaches involving celebrities have drawn more scrutiny to the matter. “My sense is, with all the publicity now, he's lucky he didn't get a couple of years in prison.”

Zhou's sentence was initially publicized by prosecutors as the first prison term ordered for a violation of HIPAA's health privacy provisions. Actually, that distinction goes to Richard Gibson, who pleaded guilty to a HIPAA charge in 2004 and was sentenced to 16 months. Gibson admitted cribbing names, addresses and Social Security numbers from records at the Seattle cancer center where he was a lab technician, then used the information to get credit cards and run up charges totaling about $9,000.

In 2005, a Justice Department lawyer issued an opinion that narrowly defined the law's criminal reach to providers and organizations explicitly regulated by it, excluding employees and other individuals. U.S. attorneys, though, continued to bring cases against a variety of people, though none so far against hospitals or insurance companies or their corporate officers.

The health information technology provisions of the American Recovery and Reinvestment Act of 2009, or stimulus law, clarified that the criminal provision can be applied to anyone who obtains or discloses health information maintained by a “covered entity.”

A Justice Department spokeswoman said the department doesn't gather statistics on HIPAA prosecutions. Based on a survey of cases announced by individual U.S. attorneys, most criminal HIPAA charges have involved theft of information for financial gain. In most of them, but not all, judges have pinned any prison sentences to related charges such as identity theft while giving probation on the HIPAA counts.

In at least one other case, prosecutors brought criminal charges against healthcare workers who simply let their curiosity get the best of them. In October 2008, local TV news anchor Anne Pressly was fatally beaten and brought to St. Vincent Infirmary Medical Center in Little Rock, Ark. Jay Holland, the medical director of a specialty hospital located in the building, admitted he logged onto the records system from home to check the accuracy of news reports about her status, according to the U.S. attorney's office in Little Rock.

Holland pleaded guilty to a misdemeanor HIPAA charge and was sentenced to probation and community service, to include speeches educating fellow healthcare professionals about privacy. Two St. Vincent Infirmary administrative employees who peeked at Pressly's records pleaded guilty to the same charge and got probation. “The thought of people trolling through her medical records was almost more than we could bear,” Pressly's father told the judge at the sentencing hearing, according to a published report.

Zhou's recreational peeking caught up to him about five years after he left UCLA when the U.S. attorney's office embarked on a broad investigation into breaches at the system's hospitals, which is ongoing.

The only other criminal case stemming from the inquiry so far was more sensational. Lawanda Jackson, an administrative specialist for Ronald Reagan UCLA Medical Center, trolled the records of Farrah Fawcett and sold details of the late actress' 2007 cancer recurrence to the National Enquirer for about $5,000. Jackson died last March, two months before she was to be sentenced.

A review by the California Center for Health Care Quality that wrapped up last year tallied more than 1,000 UCLA health records accessed for no legitimate purpose since 2003. UCLA terminated, suspended or warned 165 employees and committed to a variety of changes to prevent further breaches.

Also in the Los Angeles area, 24 hospital workers resigned or were terminated or reprimanded after prying into the files of Nadya Suleman, the woman branded in the media as the “Octomom.” The state fined Kaiser Foundation Hospitals $437,500 for those breaches as well as unauthorized viewings of records of four of the octuplets Suleman gave birth to at the system's hospital in Bellflower, Calif. (Inpatient services have since been transferred to its new Downey [Calif.] Medical Center).

The fines were levied under a California law passed in 2008 intended to get tough on patient privacy, which subjects healthcare workers and organizations to fines as high as $250,000 for each violation.

The stimulus law, meanwhile, included provisions intended to make it more painful for healthcare organizations that allow personal health information to be lost or stolen.

Under the law, state attorneys general are authorized to enforce HIPAA's privacy provisions and impose $25,000 fines. Connecticut Attorney General (and U.S. Senate candidate) Richard Blumenthal was the first to wield the power, suing Health Net over the company's loss of a hard drive.

The law also requires organizations to notify HHS and local media any time they experience a data breach involving more than 500 people. HHS is posting those breaches to its website. The responsible organizations range from small medical practices to health systems and insurance companies.