Question

A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA. Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the US Attorney’s Office (Links to an external site.) for the Central District of California. Zhou was also fined $2,000. In 2003, Zhou, who was a licensed cardiothoracic surgeon in China before immigrating to the United States, was employed as a researcher with the UCLA School of Medicine.

On October 29, 2003, Zhou received notice that UCLA intended to dismiss him for job performance reasons unrelated to the illegal access of medical records. That night, Zhou accessed and read his immediate supervisor’s medical records as well as those of other coworkers. Over the next three weeks, Zhou abused his access to the organization’s electronic health record system to view the medical records of celebrities and high-profile patients, including Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio.

According to court documents, Zhou accessed the UCLA record system 323 times during the three-week period. In the plea agreement, Zhou admitted he obtained and read patient health information on four specific occasions—with no legitimate reason, medical or otherwise—after he was terminated from his job. Zhou did not improperly use or attempt to sell any of the information he illegally accessed, according to the press release. In January, Zhou’s attorney, Edward Robinson, was quoted in the UCLA student newspaper saying Zhou did not know that accessing the records was a federal crime.

1. As a member of the UCLA workforce, would Zhou have a legitimate right to view patient records in his normal course of employment?
2. In managing access and disclosure of PHI, determine how UCLA could have discovered Zhou’s infractions?

Answer 1

As a member of the UCLA workforce, would Zhou have a legitimate right to view patient records in his normal course of employment?

Well in this case if Zhou has his normal course of employment, he might have the right to access a patient record. Although, he does not have the right to access a such kind of information because the UCLA is not telling him to do so. In addition, he did not have the right because he does not have any legal reason to access such the patient information. Depending on the type of research the team was doing, Zhou may have a legitimate right to view patient records. He did not have the right to view his supervisors’, coworkers’, or famous celebrities’ PHI though. Simply we may also consider that, However, in this case, Mr. Zhou has no such rights to access the medical information ofpatients, supervisors, colleagues, or celebrities because it is not UCLA telling him to do so.Besides, Mr. Zhou has no legitimate reason for accessing the information and therefore, does nothave the legitimate right. Mr. Zhou not only abused his legitimate rights but also went against theprovisions of HIPAA.

In managing access and disclosure of PHI, determine how UCLA could have discovered Zhou’s infractions?

I think they discovered him when they saw the different times that he was trying to access to the patient’s information. Also, I know that they have programs to show all the people who view the patient’s information. Zhou’s access should have been terminated when he was fired. The UCLA should have been alerted that he was still logging into the database. They then should have been able to run an analysis report to see what he was looking at. For access and disclosure management of PHI, HIPAA provides that every entity coveredas well as their business companions should monitor the access logs for PHI regularly for unauthorized access. Although a "regular basis" is prone to different interpretations, it is a goodpractice to continuously audit the access logs to help in identifying unauthorized access. It is indicated from the case presentation that Mr. Zhouaccesses the information 323 times. It can be that UCLA detected several times he was trying toaccess the medical records of patients and was alerted that there might be some infractions goingon in the health record system. Besides, the school of medicine must be having programs whichdisplay all the individuals viewing patients' information. Another way through which Mr. Zhou's infractions might have been discovered through acomplaint by a patient. He might have shared the medication information of a patient, informallythough, with another per who happened to know the patient, prompting the patient to launch acomplaint with UCLA upon discovering that his/her medical information has been shared. Aninternal investigation might have followed which subsequently found that Mr. Zhou hadbreached the DPA of 1998 as well as the rules of patient confidentiality.

*****Please please please LIKE THIS ANSWER, so that I can get a small benefit, Please*****