Surgeon Convicted for HIPAA Violations

HIPAA compliance form and gavel in court (image: iStock)

In our article “EHR and ICD-10 Explained,” we discussed the importance of healthcare privacy (Protected Health Information—PHI) and the legal consequences that a medical provider can face if he/she violates the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA was enacted on August 21, 1996, and, as stated in the General Rules section of the HIPAA website, is designed to require that covered entities:

    • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
    • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
    • Protect against reasonably anticipated, impermissible uses or disclosures; and
    • Ensure compliance by their workforce.

Here is one example of an extreme HIPAA violation that shows why vigilance against breaching PHI rules matters.

Surgeon Arrested for HIPAA Violations

A cardiac surgeon, Huping Zhou, was sentenced in April 2024 to four months in jail. He acquired patient records after being fired from the UCLA School of Medicine in 2003 and viewed them 323 times over a three-week period. 

After he was let go from the position, Zhou accessed the medical files of his coworkers and the confidential records of celebrities who had, at one time or another, been patients at the UCLA School of Medicine.

Zhou pleaded guilty but claimed ignorance; his lawyer stated that, at the time, UCLA did not provide adequate training on the consequences of accessing confidential patient files. The court was not convinced, and Zhou was sentenced and ordered to pay a $2,000.00 fine. This was the first time a person had been jailed for violating HIPAA privacy rules.

The US Government Takes PHI Very Seriously

It is evident that the government takes HIPAA PHI infractions quite seriously and will take action against those who violate the rules. Although the case against Zhou was the first to result in jail time, incidents like this are not uncommon when it comes to violating the privacy of celebrities.

In 2008, a former hospital employee accessed Farrah Fawcett’s and Britney Spears’s medical records and sold them to the National Enquirer.

The government is making it clear that breaches of healthcare PHI will not be tolerated, and the case underscores that adequate HIPAA training is essential within healthcare provider organizations.

For more information, please see Surgeon Jailed for HIPAA Privacy Law on the Abrams Fensterman website.

EHR and ICD-10 Explained

Illustration of an EHR record on a computer

When you see your doctor, a nurse’s assistant or nurse will first come into the office and perform the standard measurements, such as weight and blood pressure. He/she will then enter that information into the computer system containing your medical record.

These records, technically called Electronic Health Records (EHR), are highly confidential; only the medical office, clinic, or hospital can access them. Medical providers have been required to use EHR since the Obama Administration introduced this policy to keep our medical records safe and secure and to bring administrative healthcare technology into the 21st century.

The Health Insurance Portability and Accountability Act of 1996 is the policy every medical provider must adhere to. The Centers for Medicare and Medicaid Services (CMS) is the governing agency overseeing HIPAA and any violations.

You can tell whether your medical provider follows this rule when you visit your doctor’s office. If you still see rows and rows of paper charts, your doctor has not yet upgraded to EHR; this would be a HIPAA violation, and the physician or the physician’s office can face severe penalties.

Implementing such a system is expensive, and it has a steep learning curve that all staff, not just physicians, must work through. Once implemented, keeping track of medical records becomes faster, less error-prone, much more secure, and better organized, and hence more efficient.

The EHR process includes entering codes related to a patient’s injury or illness. Until recently, the code set in use was ICD-9; the latest update, ICD-10, added about 64,000 more codes to the system.

The medical staff does not need to remember every code, of course. All they need to do is run a search related to the particular illness or injury. For example, suppose a boy playing Little League fell and broke his arm. The staff member would look up a sports arm injury and get a code or set of codes that relate to that injury.

To get a more detailed understanding of the ICD-10 process, please see this chart from the Centers for Medicare and Medicaid Services (CMS).