This post is prepared by Christopher Dodson.
Readers of this blog are probably familiar with the case of Dr. Huping Zhou, who was successfully prosecuted for violating HIPAA's privacy protections. Zhou accessed the patient records of celebrities and coworkers more than three hundred (300) times over the course of several months, including four times after he was fired. The case is notable, in part, because Zhou's actions were not part of a broader criminal conspiracy. He was not defrauding the government or engaging in identity theft but was merely reading patient records as a matter of curiosity. When he appealed his conviction, the Ninth Circuit ruled that HIPAA's wrongful disclosure provision does not require intent to break the law.
One of the interesting details of the case was that while Zhou accessed several hundred records, he was only charged for the four records he accessed after he was fired. Why did the Department of Justice not charge him for accessing the other records while he was employed?
§ 1320d-6 of HIPAA prohibits anyone from knowingly accessing individually identifiable health information from a covered entity without authorization.
The answer to why Zhou was only charged with four counts may lie in the phrase "without authorization." It is possible that since DOJ was already breaking new ground by prosecuting him for accessing records without criminal intent, they did not want to add a second novel issue: whether he had sufficient authorization while he was employed.
But now that DOJ has established that criminal intent is not required to violate HIPAA's wrongful disclosure provision, is it possible that the next person in Zhou's position could be charged for inappropriately accessing records while employed?
There is an interesting parallel with the Computer Fraud and Abuse Act (CFAA). As with HIPAA, the CFAA prohibits certain actions when they occur "without authorization," a phrase which is undefined. There is ongoing debate over what qualifies as authorization for purposes of the CFAA, and a split has developed among the circuit courts over a theory relating to authorization for employees. The theory holds that when an employee violates the duty of loyalty, her authorization is canceled as a matter of law even while she is still employed. Under this theory, if an employee has authorization to access a computer system and then violates the duty of loyalty and engages in actions prohibited under the CFAA, a court may rule that her authorization to use the computer system was terminated as a matter of law at the time of the offense. In other words, as far as the employee and her employer are concerned, she is an authorized user. But sometime later the legal system determines otherwise, leaving her liable under the CFAA.
Because there is a split among the circuit courts, many observers think the issue will wind up before the Supreme Court. If the Supreme Court affirms canceling authorization retroactively based on an employee's actions, it is not a stretch to imagine DOJ developing an argument that the authorization of someone like Zhou was terminated as a matter of law before he was fired. This would enable DOJ to charge the defendant with all of the record views that occur after the authorization-terminating event.
Christopher is a former software developer and current J.D. candidate at the Earle Mack School of Law of Drexel University. He is working with the Attorneys at Oscislawski LLC as a summer intern.