Can HIPAA violations result in jail time? While jail time for HIPAA violations is rare, it does occur.
An Iowa man who pleaded guilty to a pair of counts related to HIPAA violations will spend the next 27 months in federal prison following his sentencing in Des Moines.
Dustin James Ortiz, 49, pleaded guilty to conspiracy to wrongfully obtain and disclose individually identifiable health information and wrongfully obtaining individually identifiable health information after conspiring with a then-employee of the Veterans Affairs Medical Center (VAMC) in Des Moines.
Ortiz received protected health information that pertained to a victim’s mental health conditions and medications. This information was obtained without authorization and then disclosed to a third party.
Civil vs. Criminal HIPAA Violations
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
The primary focus of HIPAA’s Rules and Regulations is maintaining the privacy and security of each patient’s PHI. The Department of Health and Human Services’ Office for Civil Rights is responsible for enforcement of HIPAA, which can be done both through regular audits and investigations following a data breach.
If violations of HIPAA rules are discovered, OCR can then assess civil penalties, including fines and monitoring, depending on the severity of the violation and the organization’s awareness of the circumstances.
The decision to file criminal charges for HIPAA violations is within the purview of the Department of Justice and prosecuted by the U.S. Attorney’s Office. The law provides a very clear basis to justify criminal charges. In U.S. Code 42, Section; 1320d-6, the offense is defined as a “person who knowingly:
- Uses or causes to be used a unique health identifier;
- Obtains individually identifiable health information relating to an individual; or
- Discloses individually identifiable health information to another person.”
The word “knowingly” in the statute is important as well. Based on charging guidance from the U.S. Attorney’s Office of Legal Counsel, the term simply means that the facts of the violation are known. The lack of awareness that the violation is a crime should not be considered a defense. Unless the disclosure meets one of the exceptions allowed by the HIPAA Privacy Rule, there could be serious consequences.
Why Jail Time for the HIPAA Violation Was Appropriate
Not all HIPAA violations result in jail time.
Because the conduct involved the intent to transfer and use the health information for personal gain and malicious harm, it was a felony under federal law. Ortiz was ordered to pay $2,000 in restitution and serve a 3-year term of supervised release to follow the prison sentence.
Ortiz’s co-defendant, a former employee of the VAMC, is scheduled to be sentenced in August 2022.
There is no parole in the federal system.
“Our office is committed to giving real meaning to HIPAA’s right-to-privacy protections,” said United States Attorney Richard D. Westphal. “HIPAA-covered entities should continue to remind everyone that the privacy provisions of HIPAA are important and have significant consequences if violated.”
