Many may not realize that HIPAA also carries criminal penalties that apply in certain situations. This article addresses what constitutes a criminal violation of HIPAA, who can be charged, and what the possible criminal penalties for a HIPAA violation are.
HIPAA Violations: Civil vs. Criminal?
The primary focus of HIPAA’s Privacy and Security Rules is maintaining the privacy and security of each patient’s protected health information (PHI). The Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for civil enforcement of HIPAA, which it carries out through complaint investigations, compliance reviews and periodic audits, and through investigations that follow a reported data breach.
If violations of the HIPAA Rules are found, OCR can impose civil money penalties, tiered by the organization’s level of culpability (from not knowing of the violation up to willful neglect that is not corrected), and can require corrective action plans with ongoing monitoring.
The decision to bring criminal charges for HIPAA violations rests with the Department of Justice, and cases are prosecuted by the U.S. Attorney’s Office. The statute gives a clear basis for such charges. 42 U.S.C. § 1320d-6 defines the offense as that of a “person who knowingly and in violation of this part:
- Uses or causes to be used a unique health identifier;
- Obtains individually identifiable health information relating to an individual; or
- Discloses individually identifiable health information to another person.”
The word “knowingly” in the statute matters as well. According to a 2005 opinion from the Department of Justice’s Office of Legal Counsel, the term requires only that the person knows the facts that make up the offense (for example, that the information obtained or disclosed is individually identifiable health information). Lack of awareness that the conduct is a crime is not a defense. Unless the use or disclosure is one the HIPAA Privacy Rule permits, the consequences can be serious.