Criminal Penalties for HIPAA Violations

Three people in Louisiana recently pled guilty to federal bank larceny charges following an identity theft scheme that resulted from the unauthorized release of protected health information (PHI) by an employee at a medical clinic. We all have heard about the fines assessed against covered entities and business associates who have violated HIPAA standards and been caught.

Many may not realize that the HIPAA law also contains criminal penalties that can come into play in certain situations. We will address what constitutes a criminal violation of HIPAA, who can be charged, and what the possible criminal penalties for a HIPAA violation are.

HIPAA Violations: Civil vs. Criminal?

The primary focus of HIPAA’s Rules and Regulations is maintaining the privacy and security of each patient’s PHI. The Department of Health and Human Services’ Office for Civil Rights is responsible for enforcement of HIPAA, which can be done both through regular audits and investigations following a data breach.

If violations of HIPAA rules are discovered, OCR can then assess civil penalties, including fines and monitoring, depending on the severity of the violation and the organization’s awareness of the circumstances.

The decision to file criminal charges for HIPAA violations is within the purview of the Department of Justice, and the cases are prosecuted by the U.S. Attorney’s Office. The law provides a very clear basis to justify criminal charges. In U.S. Code 42, Section 1320d-6, the offense is defined as a “person who knowingly:

  1. Uses or causes to be used a unique health identifier;
  2. Obtains individually identifiable health information relating to an individual; or 
  3. Discloses individually identifiable health information to another person.”

The word “knowingly” in the statute is important as well. Based on charging guidance from the U.S. Attorney’s Office of Legal Counsel, the term simply means that the facts of the violation are known. The lack of awareness that the violation is a crime should not be considered a defense. Unless the disclosure meets one of the exceptions allowed by the HIPAA Privacy Rule, there could be serious consequences.

Criminal Penalties for HIPAA Violations: Who Can be Charged?

For the purpose of charging, federal prosecutors have defined “person” as an individual or an organization. In general, criminal charges are reserved for especially flagrant violations of the law or violations that were part of a larger conspiracy.

One example of this is the case of Landon Eckles, 30, of Huntersville, N.C. The former district manager of pharmaceutical company Warner Chilcott pleaded guilty to wrongful disclosure of identifiable health information in violation of the criminal provisions of the Health Insur