Criminal Penalties for HIPAA Violations

The three levels of criminal penalties, who can be criminally charged for HIPAA violations, intent requirements, and the Department of Justice's role.

Criminal Liability Under HIPAA

HIPAA provides for criminal penalties in addition to civil monetary penalties for knowing violations of the Privacy and Security Rules. Unlike civil penalties, which are administrative actions by OCR, criminal penalties are prosecuted by the Department of Justice (DOJ). Criminal charges may be brought against covered entities (corporations), business associates, and in some cases individual workforce members — including employees, officers, and directors.

Criminal prosecutions under HIPAA are relatively rare compared to civil enforcement actions, but they do occur — particularly in cases involving the theft or sale of PHI for personal gain, unauthorized access to celebrity or public figure medical records, and employees accessing the records of family members, ex-partners, or neighbors without authorization.

Three Levels of Criminal Offenses

Level 1: Knowing Violation

A person who knowingly and in violation of HIPAA uses or causes to be used a unique health identifier, obtains individually identifiable health information relating to an individual, or discloses individually identifiable health information to another person faces:

  • Fine: Up to $50,000
  • Imprisonment: Up to 1 year

Level 2: Under False Pretenses

If the offense is committed under false pretenses — meaning the person used deception to obtain PHI — the penalties increase:

  • Fine: Up to $100,000
  • Imprisonment: Up to 5 years

Level 3: With Intent to Sell, Transfer, or Use for Commercial Advantage, Personal Gain, or Malicious Harm

The highest criminal tier applies when the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm:

  • Fine: Up to $250,000
  • Imprisonment: Up to 10 years

Who Can Be Charged

The question of who can face criminal liability under HIPAA has been the subject of significant legal debate. HIPAA's criminal provision applies to a "person" who "knowingly" commits the violation. Courts have generally held that employees who improperly access PHI in their personal capacity — not in furtherance of the covered entity's business — can be individually prosecuted. The DOJ has successfully prosecuted individual employees, including medical records clerks who accessed celebrity patients' records out of curiosity, and employees who sold patient data to identity thieves.

Corporate covered entities and business associates can also face criminal charges, though this is less common. Corporate criminal liability typically requires that the violation was committed by a high-ranking officer or that the conduct was ratified by management.

Intent Requirement

Criminal HIPAA violations require proof of knowing conduct — the government must prove that the defendant knew they were violating HIPAA, not merely that they knowingly committed the act that constituted the violation. This scienter requirement distinguishes criminal from civil liability. A covered entity that unknowingly violates HIPAA due to a compliance gap may face civil penalties but typically not criminal prosecution.

Referral from OCR to DOJ

OCR refers potential criminal violations to the DOJ for investigation and prosecution. OCR refers cases when the facts suggest knowing, intentional violations — particularly when PHI was accessed for personal gain, under false pretenses, or with intent to harm. The DOJ then conducts its own investigation and determines whether to pursue criminal charges. In practice, criminal prosecutions tend to involve egregious conduct: selling patient data, accessing famous patients' records without authorization, or using PHI to commit identity theft or fraud.