As reported by, a former hospital employee is facing criminal charges brought by federal prosecutors in Texas for alleged violations of the privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA). You may remember that back on June 1, 2005, the Department of Justice issued an opinion supporting the prosecution of individuals under HIPAA’s criminal enforcement provisions.  42 U.S.C. § 1320d-6(b). In 2010, we reported on a doctor in California who was sentenced to four months in prison for snooping into medical records. So, while prosecutions for privacy violations under HIPAA are not common, under certain circumstances individuals can be criminally prosecuted for violating HIPAA.

When is a violation of HIPAA criminal.

In short, a person that knowingly and in violation of the HIPAA rules commits one or more of the following puts himself in jeopardy of criminal prosecution under HIPAA:

  • use or cause to be used a unique health identifier,
  • obtain individually identifiable health information relating to an individual, or
  • disclose individually identifiable health information to another person.

If convicted, the level of punishment depends on the seriousness of the offense:

  • fine of up to $50,000 and/or imprisonment for up to a year for a simple violation
  • fine up to $100,000 and/or imprisonment up to five years if the offense is committed under false pretenses
  • a fine of up to $250,000 and/or imprisonment up to ten years for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

Texas Prosecution

According to the DOJ, the former East Texas hospital employee has been indicted for criminal violations of HIPAA. The individual is being charged with wrongful disclosure of individually identifiable health information. The DOJ alleges that from December 1, 2012, through January 14, 2013, while an employee of the hospital (a HIPAA covered entity), the individual obtained protected health information with the intent to use the information for personal gain. If convicted, the individual faces up to ten years in prison.

Although not common, criminal prosecutions like this one can be an important reminder to workforce members of HIPAA covered entities that violating the HIPAA rules can result in more than the loss of their jobs. Some covered entities inform their employees of the potential for criminal sanctions as part of their new hire and annual trainings.