Yes, a Person Can be Criminally Prosecuted for Violating HIPAA -

Yes, a Person Can be Criminally Prosecuted for Violating HIPAA - Health Insurance Portability and Accountability Act

by: Joseph J. Lazzarotti of Jackson Lewis P.C. - Workplace Privacy, Data Management & Security Report

Monday, July 21, 2014

Related Practices & Jurisdictions

Criminal Law / Business Crimes, Insurance Reinsurance & Surety, Health Law & Managed Care

All Federal | Workplace Privacy, Data Management & Security Report

As reported by , a former hospital employee is facing criminal charges brought by federal prosecutors in Texas for alleged violations of the privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA). You may remember that back on June 1, 2005, the Department of Justice issued an supporting the prosecution of individuals under HIPAA’s criminal enforcement provisions. . In 2010, we reported on a who was sentenced to four months in prison for snooping into medical records. So, while prosecutions for privacy violations under HIPAA are not common, under certain circumstances individuals can be criminally prosecuted for violating HIPAA.

When is a violation of HIPAA criminal.

In short, a person that knowingly and in violation of the HIPAA rules commits one or more of the following puts himself in jeopardy of criminal prosecution under HIPAA:

use or cause to be used a unique health identifier,
obtain individually identifiable health information relating to an individual, or
disclose individually identifiable health information to another person.

If convicted, the level of punishment depends on the seriousness of the offense:

fine of up to $50,000 and/or imprisonment for up to a year for a simple violation
fine up to $100,000 and/or imprisonment up to five years if the offense is committed under false pretenses
a fine of up to $250,000 and/or imprisonment up to ten years for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

Texas Prosecution

, the former East Texas hospital employee has been indicted for criminal violations of HIPAA. The individual is being charged with wrongful disclosure of individually identifiable health information. The DOJ alleges that from December 1, 2012, through January 14, 2013, while an employee of the hospital (a HIPAA covered entity), the individual obtained protected health information with the intent to use the information for personal gain. If convicted, the individual faces up to ten years in prison.

Although not common, criminal prosecutions like this one can be an important reminder to workforce members of HIPAA covered entities that violating the HIPAA rules can result in more than the loss of their jobs. Some covered entities inform their employees of the potential for criminal sanctions as part of their new hire and annual trainings.

Current Legal Analysis

Governor Seeks $7.9 Million To Implement Venture Capital Company Reporting Law That He Branded As "Problematic"

by: Keith Paul Bishop

Mexico’s 2024 Elections: Workers Entitled to Holidays for Voting on June 2 and Presidential Inauguration on October 1

by: Pietro Straulino-Rodriguez , Natalia Merino Moreno

The Corporate Transparency Act: A Reporting Guide for Medical Groups and MSOs

by: John F. Golembesky , Richard Rifenbark

Dialing Up Accountability: FCC’s Warning Shot to Mobile Network Operators on CPNI

by: Brian D. Weimer , Douglas A. Svor

EPA Amends Procedural Framework Rule for Conducting TSCA Risk Evaluations

by: Lynn L. Bergeson , Lisa M. Campbell