All individuals who work for a HIPAA Covered Entity (health plans, healthcare clearinghouses, or healthcare providers) should try to avoid violating HIPAA irrespective of the consequences. However, mistakes can be made, and concerned employees may wish to know: can you go to jail for a HIPAA violation?
Given the severe nature of some HIPAA violations, it may be unsurprising to learn that you can go to jail for violating HIPAA. However, this penalty is reserved for cases where there has been an intentional violation of HIPAA. An individual is very unlikely to go to jail for accidentally cc’ing someone on an email, even if doing so does not comply with HIPAA email rules.
But why would someone intentionally violate HIPAA? The answer lies in the information that HIPAA seeks to protect. HIPAA stipulates how Protected Health Information (PHI) can be used and disclosed and what safeguards must be in place to maintain its security and integrity.
PHI consists of information relating to the health condition of an individual together with data elements from which the identity of that individual can be traced. These identifiers include Social Security Numbers, license plate numbers, addresses, and financial information, all of which can be used to steal a person’s identity or to commit insurance fraud.
The potential to use PHI for identity theft and fraud means that it has a high resale value on the black market. Therefore, if an individual accesses PHI under false pretenses, shares it with unauthorized individuals, or uses it for personal gain, they may face jail time.
Whether a HIPAA violation was criminal is determined by the Department of Justice, to which the case will have been referred by the Department of Health and Human Services (which usually oversees HIPAA enforcement). The potential penalties are as follows:
Tier 1: Reasonable cause or no knowledge of violation – a maximum of 1 year in jail
Tier 2: Obtaining PHI under false pretenses – a maximum of 5 years in jail
Tier 3: Obtaining PHI for personal gain or with malicious intent – a maximum of 10 years in jail
So, can you go to jail for HIPAA violations? Yes, and it has happened.
In February 2017, for example, a former analyst at the Transformations Autism Treatment Center was sentenced to 30 days in jail, with 3 years of supervised release for stealing PHI from his employer.