Is a HIPAA Violation a Felony?
A HIPAA violation felony involves the knowing and wrongful use or disclosure of individually identifiable health information contrary to §1320d-6 of the Social Security Act. Importantly, §1320d-6 of the Social Security Act applies to covered entities and individuals – including individuals not employed by a covered entity. To best explain what a HIPAA violation felony is, it is important to also explain:
- What a HIPAA violation is,
- What violation enforcement actions are,
- What criminal violations of HIPAA are, and
- Why HIPAA violation felony convictions are rare.
What is a HIPAA Violation?
HIPAA covered entities and business associates must comply with all applicable regulations, standards, and implementation specifications of the HIPAA Administrative Simplification Regulations (42 CFR Parts 160, 162, and 164), and develop policies and procedures to govern compliance by members of their workforces.
The failure to comply with any applicable regulation, standard, or implementation specification is a HIPAA violation. However, because covered entities and business associates are only required to notify HHS’ Office for Civil Rights of violations that result in a breach of Protected Health Information, most HIPAA violations are dealt with “in-house”.
Violation Enforcement Actions
Exceptions to the above exist when an organization complains to HHS’ Centers for Medicare and Medicaid Services about Part 162 coding issues, or when a member of the public complains directly to HHS’ Office for Civil Rights about an impermissible disclosure of PHI or about not being able to exercise their rights under HIPAA.
When an HHS agency receives a justified complaint or a notification of a data breach, it has the authority to enforce a corrective action plan or impose a civil monetary penalty. However, if a HIPAA violation involves the knowing and wrongful use or disclosure of individually identifiable health information, the case is referred to the Department of Justice.
Criminal Violations of HIPAA
In order to be considered a criminal violation of HIPAA contrary to §1320d-6 of the Social Security Act, a covered entity or individual must have knowingly used or caused to be used a unique health identifier, obtained individually identifiable health information relating to [another] individual, or disclosed individually identifiable health information to another person without authorization.
These events, by themselves, are considered a HIPAA violation misdemeanor and carry a maximum penalty of a $50,000 fine, a year in jail, or both. However, if the use or disclosure is committed under false pretenses and/or with the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm, the events are escalated to a HIPAA violation felony, which carries a maximum penalty of a $250,000 fine, ten years in jail, or both.
Why HIPAA Violation Felony Convictions are Rare
When individuals are convicted of using or disclosing health information knowingly and wrongfully, the convictions are rarely based on HIPAA violations. Most convictions are based on how health information is used or disclosed rather than how it is acquired. Consequently, you often find individuals convicted of an identity theft felony or a computer fraud felony rather than a HIPAA violation felony.
There are many examples of former employees being convicted of a felony other than a HIPAA violation felony despite knowingly and wrongfully using or disclosing health information contrary to §1320d-6 of the Social Security Act. For example:
- In 2018, Albert Torres – a former employee of the Veterans Affairs Medical Center in Long Beach, California – was sentenced to three years in jail after being found guilty of identity theft. Mr. Torres had stolen hard drives from his former employer which contained the health information of 1,030 patients.
- Also in 2018, Jeffrey Luke – a former employee of Transformations Autism Treatment Center (TACT) in Bartlett, Tennessee – was sentenced to 30 months in jail after being found guilty of computer fraud. Mr. Luke had downloaded the health information of 500 patients from a shared drive and used the information for personal gain.
- In 2021, Amanda Lowry – a former employee of an unnamed healthcare provider – was sentenced to 30 months in jail after being found guilty of violating the Anti-Kickback Statute. Ms. Lowry had used her former position to steal health information from an EHR, which was then repackaged and sold to durable medical equipment providers and contractors.
It is worth noting that, in addition to the individual being convicted of a HIPAA violation felony, the former covered entity employer can still be sanctioned by HHS’ Office for Civil Rights for a civil violation of HIPAA if it facilitated the unauthorized use or disclosure of health information by failing to implement adequate safeguards or to provide effective workforce HIPAA training.