Can you go to jail for a HIPAA violation?

All individuals who work for a HIPAA Covered Entity (health plans, healthcare clearinghouses, or healthcare organizations) should try and avoid violating HIPAA irrespective of the consequences. However, mistakes can be made, and concerned employees may wish to know: can you go to jail for a HIPAA violation?

Given the severe nature of some HIPAA violations, it may be unsurprising to know that you can go to jail for violating HIPAA. However, this penalty is reserved for cases where there has been an intentional violation of HIPAA. An individual is very unlikely to go to jail if they accidentally cc’d someone into an email, even if this does not comply with HIPAA email rules. 

But why would someone intentionally violate HIPAA? The answer lies in the information that HIPAA seeks to protect. HIPAA stipulates how Protected Health Information (PHI) can be used and disclosed and what safeguards must be in place to maintain its security and integrity.

 PHI consists of information relating to the health condition of an individual and contains pieces of data that mean the identity of that individual can be traced. These identifiers include Social Security Numbers, license plates, addresses, and financial information, all of which can be used to steal a person’s identity or to commit insurance fraud. 

The potential to use PHI for identity theft and fraud means that it has a high retail value on the black market. Therefore, if an individual accesses PHI under false pretences, shares it with unauthorised individuals, or uses it for personal gain, they may face jail time. 

Whether a HIPAA violation was criminal will be determined by the Department of Justice, which will have been referred the case by the Department of Health and Human Services (which usually oversees HIPAA enforcement). The potential penalties are as follows: 

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Tier 1:   Reasonable cause or no knowledge of violation – a maximum of 1 year in jail

Tier 2:   Obtaining PHI under false pretenses – a maximum of 5 years in jail

Tier 3:   Obtaining PHI for personal gain or with malicious intent – a maximum of 10 years in jail

So, can you go to jail for HIPAA violations? Yes, and it has happened. 

In February 2017, for example, a former analyst at the Transformations Autism Treatment Center was sentenced to 30 days in jail, with 3 years of supervised release for stealing PHI from his employer. 

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/