Jail Time for HIPAA Violation

Can HIPAA violations result in jail time? While jail time for HIPAA violations is rare, it does occur. 

An Iowa man who pleaded guilty to a pair of counts related to HIPAA violations will spend the next 27 months in federal prison following his sentencing in Des Moines.

Dustin James Ortiz, 49, pleaded guilty to conspiracy to wrongfully obtain and disclose individually identifiable health information and wrongfully obtaining individually identifiable health information after conspiring with a then-employee of the Veterans Affairs Medical Center (VAMC) in Des Moines. 

Ortiz received protected health information that pertained to a victim’s mental health conditions and medications. This information was obtained without authorization and then disclosed to a third party.

Civil vs. Criminal HIPAA Violations

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The primary focus of HIPAA’s Rules and Regulations is maintaining the privacy and security of each patient’s PHI. The Department of Health and Human Services’ Office for Civil Rights is responsible for enforcement of HIPAA, which can be done both through regular audits and investigations following a data breach.

If violations of HIPAA rules are discovered, OCR can then assess civil penalties, including fines and monitoring, depending on the severity of the violation and the organization’s awareness of the circumstances

Let’s Simplify Compliance

Avoid HIPAA violations, become compliant today!

Learn More!
HIPAA Seal of Compliance

The decision to file criminal charges for HIPAA violations is within the purview of the Department of Justice and prosecuted by the U.S. Attorney’s Office. The law provides a very clear basis to justify criminal charges. In U.S. Code 42, Section; 1320d-6, the offense is defined as a “person who knowingly: 

  1. Uses or causes to be used a unique health identifier;
  2. Obtains individually identifiable health information relating to an individual; or 
  3. Discloses individually identifiable health information to another person.”

The word “knowingly” in the statute is important as well. Based on charging guidance from the U.S. Attorney’s Office of Legal Counsel, the term simply means that the facts of the violation are known. The lack of awareness that the violation is a crime should not be considered a defense. Unless the disclosure meets one of the exceptions allowed by the HIPAA Privacy Rule, there could be serious consequences.

Why Jail Time for the HIPAA Violation Was Appropriate

Not all HIPAA violations result in jail time. 

Because the co