A Nurse in Tennessee Got Four Years in Federal Prison
In 2022, a former employee of a Tennessee medical clinic was sentenced to federal prison for stealing patient information — names, dates of birth, Social Security numbers — and selling that data to commit identity fraud. Not a hacker from overseas. Not a sophisticated cybercrime ring. A member of the workforce who walked through the front door every morning.
Most people in healthcare know that HIPAA violations can lead to fines. What fewer realize is that criminal penalties for HIPAA violations include actual prison time, felony charges, and financial ruin. These aren't theoretical. They happen every year, and the Department of Justice prosecutes them aggressively.
If you work for a covered entity or business associate — or you manage one — you need to understand exactly where the criminal line sits. Because by the time someone on your team crosses it, damage control is no longer an option.
The Federal Statute Behind Criminal HIPAA Charges
Criminal penalties for HIPAA violations are codified under 42 U.S.C. § 1320d-6. This section of federal law spells out three tiers of criminal liability, each tied to the offender's intent.
Tier 1: Knowingly Obtaining or Disclosing PHI
If someone knowingly obtains or discloses individually identifiable health information in violation of HIPAA, they face up to one year in prison and a fine of up to $50,000. "Knowingly" doesn't require evil intent — it means the person was aware they were accessing or sharing PHI without authorization.
Tier 2: Offenses Committed Under False Pretenses
If the violation involves false pretenses — like logging in with someone else's credentials or lying about why you need access — the penalty jumps to up to five years in prison and fines up to $100,000.
Tier 3: Offenses for Personal Gain or Malicious Harm
The most severe tier applies when someone obtains or discloses PHI for personal gain, commercial advantage, or malicious harm. Think selling patient data, blackmailing someone with medical records, or snooping on a celebrity's chart and leaking it to the press. This carries up to 10 years in prison and fines up to $250,000.
Who Actually Gets Prosecuted?
Here's a question I hear constantly: "Does the DOJ really prosecute healthcare workers for HIPAA crimes?" Yes. Unequivocally yes.
Criminal HIPAA cases are referred by HHS to the Department of Justice. The DOJ doesn't chase every unauthorized access — but when there's evidence of intent, personal gain, or a pattern of abuse, prosecutors move forward. And the cases are not limited to large-scale fraud operations.
In many prosecutions, the defendant is a single employee: a registration clerk, a medical assistant, a nurse, a billing specialist. People who had legitimate access to ePHI as part of their job — and then used that access for something they shouldn't have.
Common Scenarios That Trigger Criminal Charges
- Selling patient information: Employees who extract PHI and sell it to identity theft rings or personal injury attorneys.
- Snooping on records: Accessing the charts of ex-partners, neighbors, coworkers, or celebrities out of curiosity. If you're not involved in that patient's care, it's unauthorized — and potentially criminal. Our course Accessing Records: If It's Not Your Job, It's a Breach walks through exactly how these situations escalate.
- Using PHI for personal advantage: Leveraging medical information in custody disputes, insurance fraud, or business dealings.
- Sharing PHI on social media: Posting identifiable patient details online, even in private groups. This is a growing area of enforcement — our Social Media & PHI training covers the specific boundaries your staff needs to understand.
Criminal vs. Civil: Two Different Tracks, Both Dangerous
People often conflate OCR's civil enforcement with DOJ criminal prosecution. They're completely separate tracks — and an organization or individual can face both simultaneously.
OCR handles civil penalties. These are the headline-grabbing settlements you see on the HHS enforcement page — multi-million-dollar resolutions against hospitals and health plans for systemic failures. Civil penalties target organizations (and sometimes individuals) for negligence, lack of safeguards, or failure to comply with the Privacy, Security, or Breach Notification Rules.
Criminal penalties target individuals for intentional misconduct. The DOJ doesn't care whether your organization had a risk assessment on file. They care about what a specific person did with PHI and why.
That distinction matters for your risk posture. Strong compliance programs reduce your civil exposure. But criminal liability sticks to individual people — which is why workforce training has to go beyond policies and actually change behavior.
What Happens When an Employee Commits a HIPAA Crime
Let me walk you through the chain of events I've seen play out multiple times.
An audit log flags unusual access patterns. Maybe a nurse accessed 300 patient records in a single week — none of them her assigned patients. The compliance officer investigates. IT pulls the access logs. The employee either admits to the snooping or, more commonly, denies everything until the evidence is undeniable.
The organization files a breach report with HHS. Depending on the number of individuals affected, this may trigger a full OCR investigation of the organization's safeguards. Meanwhile, HHS refers the criminal conduct to the DOJ.
Now the employee faces federal charges. The organization faces an OCR investigation that could uncover additional compliance gaps — insufficient audit controls, inadequate training documentation, missing policies. One employee's criminal act pulls the entire organization into a regulatory spotlight.
Your first 60 minutes after discovering an incident like this set the tone for everything that follows. That's why I recommend every covered entity and business associate prepare with our First 60 Minutes: Incident Response training — because the window to contain damage is shockingly small.
Can Executives and Owners Face Criminal HIPAA Charges?
Yes. The statute isn't limited to the person who physically accessed the record. Anyone who "causes to be" disclosed or obtained protected health information can be charged. That means a practice owner who directs a staff member to pull patient records for a non-treatment purpose could face criminal liability.
Federal courts have also allowed charges against individuals who aren't technically "covered entities" under HIPAA. In United States v. Smith and similar cases, courts applied general principles of aiding and abetting to extend criminal liability beyond the traditional HIPAA-covered workforce.
If you're a compliance officer, practice administrator, or executive, you should treat this as personal. Your oversight decisions — or your failure to implement meaningful safeguards — could put you in a prosecutor's crosshairs.
How to Reduce Your Criminal Exposure
You can't eliminate the possibility that an employee will misuse PHI. But you can build an environment that deters it, detects it early, and demonstrates that your organization took reasonable steps.
Implement Role-Based Access Controls
Every member of your workforce should only have access to the minimum necessary PHI for their job function. If a billing clerk can see psychiatric notes, your access controls are broken.
Monitor Audit Logs — Actually Monitor Them
Having audit logs isn't enough. Someone on your team needs to review them regularly for anomalies: after-hours access, bulk record views, access to VIP or coworker charts. Automated alerts help, but human review catches what algorithms miss.
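As an added illustration of what "actually monitoring" looks like (this is example code written for this page, not from the article or its training provider), the script below reviews a batch of EHR access-audit records for the signals named above and in the earlier scenario: after-hours access, bulk record views, access to VIP or coworker charts, and access to patients who are not on the user's assignment list. The log line format, the business-hours window, the 300-charts-per-week threshold, the watchlist and the assignment table are all constructed assumptions; a real deployment would read these from the EHR's audit export and the organization's own policy.

```python
"""Added example (not from the article): a reviewer for EHR access audit logs
that flags the anomalies a compliance officer would look for first.
Log format, policy thresholds and every sample record are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format: "<ISO timestamp> user=<id> patient=<id> action=<verb>"
SAMPLE_LOG = [
    "2024-03-04T09:12:00 user=nurse_a patient=P1001 action=view",
    "2024-03-04T09:40:00 user=nurse_a patient=P1002 action=view",
    "2024-03-04T02:15:00 user=clerk_b patient=P1001 action=view",  # 02:15, after hours
    "2024-03-05T11:00:00 user=nurse_c patient=P9001 action=view",  # watchlist chart
]
# Constructed: one user paging through 310 distinct charts over six days,
# the "300 records in a week" pattern from the scenario above.
SAMPLE_LOG += [
    f"2024-03-0{1 + i // 60}T{8 + (i % 60) // 6:02d}:{(i % 6) * 10:02d}:00 "
    f"user=nurse_d patient=P{2000 + i} action=view"
    for i in range(310)
]

# Constructed policy inputs (assumptions for this example).
ASSIGNMENTS = {"nurse_a": {"P1001", "P1002"}, "clerk_b": {"P1001"}}
WATCHLIST = {"P9001"}            # VIP or employee-patient chart ids
BUSINESS_HOURS = (7, 19)         # 07:00 to 19:00 counts as normal
BULK_THRESHOLD = 300             # distinct charts per user in any 7-day window


def parse_line(line):
    """Parse one constructed audit line into a dict with a datetime."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "user": fields["user"],
            "patient": fields["patient"], "action": fields["action"]}


def review(lines, assignments, watchlist,
           business_hours=BUSINESS_HOURS, bulk_threshold=BULK_THRESHOLD):
    """Return a list of (kind, user, detail) findings over the given log lines."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    findings = []
    per_user = defaultdict(list)
    for e in events:
        hour = e["ts"].hour
        if not (business_hours[0] <= hour < business_hours[1]):
            findings.append(("after_hours", e["user"], e["patient"]))
        if e["patient"] in watchlist:
            findings.append(("watchlist_chart", e["user"], e["patient"]))
        if e["patient"] not in assignments.get(e["user"], set()):
            findings.append(("not_assigned", e["user"], e["patient"]))
        per_user[e["user"]].append(e)

    # Bulk access: distinct charts viewed inside a sliding 7-day window.
    window = timedelta(days=7)
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["patient"] for x in evs[start:end + 1]}
            if len(distinct) > bulk_threshold:
                # Report once per user, at the point the threshold is crossed.
                findings.append(("bulk_access", user, len(distinct)))
                break
    return findings


def summarize(findings):
    """Collapse findings into counts keyed by (kind, user) for a reviewer's queue."""
    counts = defaultdict(int)
    for kind, user, _detail in findings:
        counts[(kind, user)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (kind, user), n in sorted(summarize(review(SAMPLE_LOG, ASSIGNMENTS, WATCHLIST)).items()):
        print(f"{user:10s} {kind:16s} {n}")
```

The per-event checks catch the one-off cases (a clerk in the system at 2 a.m., a watchlist chart opened by someone with no assignment), while the sliding-window count surfaces the volume pattern that a single-event rule never sees. The summary is what a human reviewer should work from: a nurse who opens 310 unassigned charts generates 310 "not_assigned" hits, and collapsing them per user keeps the queue readable.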
Train for Criminal Awareness, Not Just Policy Compliance
Most HIPAA training programs spend 45 minutes on the Privacy Rule and five minutes on enforcement. Flip that ratio. Your staff needs to know that criminal penalties for HIPAA violations are real, that people go to prison, and that audit logs capture everything. When people understand the personal consequences, behavior changes. Explore our full HIPAA training catalog for courses built around real enforcement scenarios.
Report and Escalate Without Delay
Create a culture where staff report suspicious access immediately — without fear of retaliation. The organizations that survive criminal incidents are the ones that catch them early, cooperate with investigators, and document every step of their response.
What Are the Criminal Penalties for HIPAA Violations?
Criminal penalties for HIPAA violations fall into three tiers under federal law. Knowingly obtaining or disclosing protected health information carries up to one year in prison and $50,000 in fines. If false pretenses are involved, penalties increase to five years and $100,000. When the violation is committed for personal gain or malicious harm, the maximum penalty is 10 years in prison and $250,000 in fines. These penalties apply to individuals, not organizations, and are prosecuted by the Department of Justice.
The Threat Most Organizations Underestimate
I've worked with dozens of organizations that had sophisticated firewalls, encrypted databases, and detailed breach notification procedures — but hadn't once told their staff that accessing a patient record out of curiosity could land them in federal prison.
That gap between technical compliance and human behavior is where criminal violations live. Your ePHI might be locked down tight from the outside. But the person sitting at the front desk already has the keys.
Criminal penalties for HIPAA violations aren't reserved for criminal masterminds. They're designed for ordinary healthcare workers who make a terrible decision — and for the organizations that failed to make the consequences clear before it was too late.
Don't wait for the DOJ to teach your team what you should have taught them yourself.