HIPAA Violation Leads to Jail Time

Veriphyr proactively reports impermissible use of PHI the first time it happens.

Setting an Example

In April 2010, a former UCLA Healthcare System employee, Dr. Huping Zhou, was the first to get time behind bars for violating the Health Insurance Portability and Accountability Act (HIPAA). Zhou was fined and sentenced to four months in federal prison (a, b).

Zhou’s snooping started shortly after being notified that he would be soon dismissed. He was found to have accessed patient records, including those of celebrities, 323 times. Four of those 323 instances occurred after he officially left the hospital, and were thus federal misdemeanors.

“Zhou acknowledged that at the time he viewed these patients’ medical information, he had no legitimate reason, medical or otherwise”

FBI Archives, April 27, 2010

In general, employee snooping has cost hospitals hundreds of thousands of dollars. Shortly after Zhou was sentenced, the UCLA Healthcare Systems paid $865,000 to the federal government to settle allegations of employee snooping. Earlier in 2010 the same hospital was fined $95,000 for employee snooping into the records of Micheal Jackson (c).


The Challenge of Meaningful Use and the Security Rule

The HIPAA Rule requires that healthcare organizations “implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends” (d).

This has proven easier said than done. Employees keeping access to medical records even after they have been let go is difficult problem to prevent, because prevention depends on managers or HR notifying IT.


Traditional Controls are Not Reliable

Simply because they are too busy to complete the paperwork, managers and HR have been reported to take weeks to notify IT of a terminated employee.

In at least one firm the HR systems took months because the former employee’s severance agreement involved payments for months after termination. As long as the employee was getting paid, he was classified as an employee for HR regulatory purposes.


Learn how the Veriphyr Proactive Patient Privacy service supports meaningful use by identifying terminated users, as well as, detecting inappropriate access to patient medical records.


Proactive Patient Privacy 

Fortunately, there are more reliable ways to block access to terminated employees. Veriphyr Proactive Patient Privacy reduces human error and delay by automatically identifying terminated employees based on their on-line activity, without needing continual maintenance by IT.




(a) MedPage Today – February 3rd, 2018

(b) NBC Los Angeles – April 27, 2010

(c) Pro Publica – July 7, 2011

(d) “Security Standards for the Protection of Electronic Protected Health Information,” – 45 CFR Part 164.308(a)(3)(ii)(C)