Can you go to jail for a HIPAA violation?


HIPAA violations are extremely serious in nature, but can you go to jail for a HIPAA violation? Is this a risk for all violations, or is it only certain ones that will result in jail terms? 

The answer, perhaps unsurprisingly, is yes: you can go to jail for violating HIPAA. However, it is extremely unlikely that someone who is discussing patient care with a colleague and accidentally discloses too much information (breaching the Minimum Necessary Standard) will be jailed for 4 years. It is important to recognise that while this is a HIPAA breach, it was limited in scope and, therefore, will probably not attract the most severe of HIPAA penalties.

Rather, jail terms are reserved for violations that involve accessing Protected Health Information (PHI) for personal gain or under false pretences. PHI has a very high value on the black market, as it contains pieces of data (names, Social Security Numbers, bank details, etc.) that can be used for identity theft or insurance fraud.

These crimes leave a patient very vulnerable, as they can have a devastating impact on the patient's credit score or make it more difficult for them to make insurance claims in the future. It is for this reason that HIPAA violations that involve the theft of PHI are treated so severely.

If the Office for Civil Rights, which oversees HIPAA enforcement, suspects that there has been criminal activity involved in a HIPAA violation, it will refer the case to the Department of Justice (DoJ). The DoJ will then decide if the case is indeed criminal, and it will then charge the individual.

There are three tiers of penalties for criminal HIPAA violations, depending on the severity of the crime: 

Tier 1:   Reasonable cause or no knowledge of violation – a maximum of 1 year in jail

Tier 2:   Obtaining PHI under false pretenses – a maximum of 5 years in jail

Tier 3:   Obtaining PHI for personal gain or with malicious intent – a maximum of 10 years in jail

Can you go to jail for a HIPAA violation? Yes, and there have been several cases where individuals have been jailed for HIPAA violations. Overall, however, it is rarer to go to jail than to be ordered to pay a financial penalty. 

In 2018, a former dental receptionist was sentenced to at least two years in prison for stealing patient PHI. At least 653 patients were affected, and the data was used to obtain lines of credit for high-value purchases. 

Recently, in November 2022, 10 individuals were charged with scamming several insurers, resulting in Medicare, Medicaid, and other private insurers being defrauded out of $11.1 million. However, the individuals have not yet been charged.