Criminal penalties for HIPAA violations apply when a person knowingly obtains or discloses individually identifiable health information in violation of federal law, with maximum penalties that range from a fine of up to $50,000 and imprisonment of up to one year to a fine of up to $250,000 and imprisonment of up to ten years, depending on the conduct and intent.
Criminal enforcement is handled through the U.S. Department of Justice and focuses on wrongful acquisition or disclosure of protected health information, including accessing records without authorization, disclosing patient information outside permitted channels, or using patient information for non-permitted personal or third-party purposes. Criminal exposure can apply to individuals, including workforce members, contractors, and other persons who obtain or disclose protected health information unlawfully. A covered entity’s compliance controls remain relevant because criminal matters often arise from misuse of access privileges, weak access governance, or failures to detect and stop improper access and disclosure.
The criminal penalty levels increase based on aggravating circumstances. Knowingly obtaining or disclosing individually identifiable health information can result in a fine of up to $50,000, imprisonment of up to one year, or both. When the offense is committed under false pretenses, the maximum increases to a fine of up to $100,000, imprisonment of up to five years, or both. When the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm