Criminal Enforcement of HIPAA: DOJ vs. OCR Roles, Penalties, Requirements


Kevin Henry

HIPAA

September 23, 2024

8 minutes read
You operate in a regulatory landscape where both civil and criminal enforcement of HIPAA can apply. Understanding how the Department of Health and Human Services Office for Civil Rights (OCR) and the Department of Justice (DOJ) divide responsibilities—and when matters escalate from civil to criminal—is essential to protect Protected Health Information (PHI) and manage risk under the HIPAA Privacy Rule and HIPAA Security Rule.

This guide explains the roles, the referral pathway between agencies, penalty structures, recent enforcement trends, and practical considerations so you can align your compliance program with real-world expectations.

Civil Enforcement by OCR

Scope of Authority and Standards Applied

OCR administers and enforces the HIPAA Privacy Rule and HIPAA Security Rule through investigations, compliance reviews, audits, and civil monetary penalties. Its focus is whether covered entities and business associates have met required administrative, physical, and technical safeguards, applied the minimum necessary standard, and honored individual rights (such as access to records) regarding PHI.

Investigations, Technical Assistance, and Corrective Action

OCR initiates inquiries from complaints, breach reports, or proactive reviews. You may receive technical assistance for minor issues, enter a resolution agreement with a corrective action plan (CAP) for systemic gaps, or face civil monetary penalties for significant or uncorrected violations. OCR evaluates the size, nature, and duration of the incident; number of affected individuals; harm risk; and your cooperation and remediation.

Civil Monetary Penalty Structure

HIPAA’s civil penalty framework uses four tiers keyed to culpability: (1) no knowledge; (2) reasonable cause; (3) willful neglect corrected within the required period; and (4) willful neglect not corrected. Penalty amounts and annual caps are adjusted for inflation. OCR weighs aggravating and mitigating factors, including the presence of risk analyses, risk management, workforce training, and timely corrective measures.

Common Civil Violations

  • Failure to conduct an enterprise-wide risk analysis or implement risk management under the HIPAA Security Rule.
  • Delayed patient access to records, a continuing OCR priority under the Privacy Rule’s access right.
  • Insufficient access controls or audit logging that allow workforce “snooping.”
  • Improper disclosures of PHI (e.g., misdirected mailings, public postings, or media sharing beyond the minimum necessary).
  • Vendor management failures, including absent or incomplete business associate agreements.

Criminal Enforcement by DOJ

Statutory Basis and Charging Theories

DOJ leads criminal enforcement under 42 U.S.C. § 1320d‑6, which penalizes knowing violations of HIPAA. The statute recognizes escalating criminal penalties for knowing acquisition or disclosure of PHI, obtaining PHI under false pretenses, and misuse of PHI for commercial advantage, personal gain, or malicious harm. DOJ may also pair HIPAA counts with other crimes (e.g., wire fraud, identity theft, computer misuse) when facts support them.

Who Can Be Prosecuted and For What Conduct

Individuals—including workforce members of covered entities or business associates—are the most common criminal defendants. Conduct that triggers criminal exposure includes intentional snooping in patient files without a permissible purpose, selling or bartering PHI, illicitly accessing records under false pretenses, or using stolen credentials to harvest PHI for fraud schemes.

Criminal Penalties and Collateral Consequences

  • Baseline offense: up to one year of imprisonment and fines for knowing violations.
  • False pretenses: up to five years of imprisonment and higher fines for obtaining PHI under false pretenses.
  • Commercial advantage/personal gain/malicious harm: up to ten years of imprisonment and substantial fines.

Convictions can also result in restitution, forfeiture, exclusion from federal health programs, professional licensure discipline, and lasting reputational damage.

Referral Process from OCR to DOJ

When and How Referrals Occur

OCR’s referral policy directs staff to refer matters to DOJ when evidence suggests intentional misconduct, deception, or other facts indicating potential criminal violations—such as willful misuse of PHI, access under false pretenses, or schemes to monetize PHI. OCR may continue civil investigation of policy and control failures in parallel, but criminal charging decisions rest with DOJ.

Coordination and Parallel Proceedings

After referral, agencies coordinate to avoid interfering with criminal inquiries while preserving OCR’s civil enforcement interests. You may see holds on certain civil discovery steps to protect criminal evidence. Cooperation, timely remediation, and documented controls influence both agencies’ approaches, even when criminal exposure exists.

Practical Indicators of Criminal Referral Risk

  • Evidence of intentional data harvesting, sale, or attempted sale of PHI.
  • Use of social engineering or forged credentials to obtain PHI under false pretenses.
  • Patterns of unauthorized access tied to identity theft, fraud, or extortion.
  • Internal communications acknowledging wrongful conduct or attempts to conceal it.

Penalties for HIPAA Violations

Civil Penalties (OCR)

OCR applies the four-tier civil framework with inflation-adjusted amounts and annual caps. Key factors include the extent of willful neglect, promptness of correction, the scale of impact, and documented governance. A strong compliance posture—risk analysis, risk management, training, audit trails, and vendor oversight—can significantly reduce exposure.

Criminal Penalties (DOJ)

DOJ’s criminal penalties escalate by intent: knowing violations, false pretenses, and misuse for gain or harm. Sentencing considers the volume and sensitivity of PHI, number of victims, financial gains or losses, obstruction, and your acceptance of responsibility.

Ancillary Remedies

Beyond fines and incarceration, resolutions may include restitution, corporate integrity obligations, mandated compliance enhancements, and reporting to oversight bodies. Settlements and plea agreements frequently require independent monitoring or audits.

State Attorneys General Enforcement

Authority and Coordination

Under the HITECH Act, state attorneys general can bring civil actions in federal court to enjoin HIPAA violations and obtain damages on behalf of residents. State AGs coordinate with OCR and often leverage state consumer protection or data breach statutes alongside HIPAA to increase remedies and deterrence.

What You Should Expect

AG cases often center on security failures (e.g., lack of encryption or patching), improper disclosures, or delayed notifications. Multistate investigations are common where incidents span jurisdictions, increasing potential penalties and compliance commitments.

Recent Enforcement Actions

  • Right of Access: OCR continues settlements for delayed or denied patient access, making this a perennial compliance checkpoint.
  • Security Rule Safeguards: Actions frequently cite missing risk analyses, weak access controls, inadequate logging, and lack of encryption for ePHI.
  • Workforce Snooping: Both civil and criminal matters arise from intentional, curiosity-driven access to celebrity or acquaintance records.
  • Vendor/SaaS Misconfigurations: Exposures from cloud storage or tracking technologies underscore the need for vetted configurations and business associate management.
  • Incident Response Quality: Timely containment, forensics, notifications, and transparent cooperation materially affect outcomes.

While case specifics evolve, the throughline is consistent: organizations that can demonstrate ongoing risk management and prompt remediation fare far better than those with ad hoc or undocumented controls.

Enforcement Considerations

Build Proof of Compliance, Not Just Policies

  • Conduct an enterprise-wide risk analysis and maintain a living risk register with owners, timelines, and status.
  • Implement risk management plans that tie safeguards to identified risks; update after material changes or incidents.
  • Document workforce training, sanctions, periodic access reviews, and audit log monitoring.
  • Harden identity and access: role-based access, MFA, session timeouts, and alerts for anomalous access to PHI.

Strengthen Vendor and Technology Governance

  • Execute and maintain business associate agreements; verify downstream subcontractor obligations.
  • Validate cloud and application configurations; disable unnecessary tracking and ensure minimum necessary PHI flows.
  • Test data loss prevention, encryption at rest and in transit, and backup/restore processes aligned to your recovery objectives.

Reduce Criminal Exposure

  • Implement identity verification to deter false pretenses and social engineering.
  • Detect and escalate intentional misuse quickly with real-time alerts and documented investigations.
  • Preserve evidence, segregate involved accounts, and coordinate with counsel to prepare for possible referral to DOJ.
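As an added example (not code from the original article), the Python detector below runs over constructed EHR audit log lines and covers the audit-log monitoring and anomalous-access alerting points raised under "Harden identity and access" and "Reduce Criminal Exposure": it flags accesses with no documented treatment relationship, accesses to restricted records, and a user touching an unusual number of distinct patients in one window. The caseload table, the restricted-record flag, the log format and the threshold are assumptions.

```python
"""Flag likely workforce 'snooping' in EHR audit logs (defensive example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed caseload assignments: which patients each user has a treatment
# relationship with (constructed; a real system would pull this from scheduling).
CASELOAD = {
    "nurse_a": {"P100", "P101", "P102"},
    "clerk_b": {"P200"},
}
RESTRICTED_PATIENTS = {"P900"}  # constructed: records carrying a VIP/restricted flag
VOLUME_THRESHOLD = 4            # distinct patients per window before alerting (assumed)

# Constructed audit lines: timestamp|user|patient_id|action
SAMPLE_LOG = """\
2024-09-20T08:02:11|nurse_a|P100|VIEW
2024-09-20T08:15:40|nurse_a|P101|VIEW
2024-09-20T08:20:05|nurse_a|P900|VIEW
2024-09-20T12:44:19|clerk_b|P200|VIEW
2024-09-20T12:45:02|clerk_b|P300|VIEW
2024-09-20T12:45:30|clerk_b|P301|VIEW
2024-09-20T12:46:11|clerk_b|P302|VIEW
2024-09-20T12:47:55|clerk_b|P303|VIEW
"""

def parse_log(text):
    """Parse pipe-delimited audit lines into (timestamp, user, patient, action)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split("|")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events

def detect_snooping(events, window=timedelta(hours=8)):
    """Return sorted (user, patient_or_None, reason) alerts for review."""
    alerts = set()
    seen = defaultdict(list)  # user -> [(timestamp, patient)]
    for ts, user, patient, _action in events:
        # Rule 1: access outside the user's documented caseload
        if patient not in CASELOAD.get(user, set()):
            alerts.add((user, patient, "no_treatment_relationship"))
        # Rule 2: any access to a restricted (e.g., VIP) record is reviewed
        if patient in RESTRICTED_PATIENTS:
            alerts.add((user, patient, "restricted_record"))
        # Rule 3: too many distinct patients within the rolling window
        seen[user].append((ts, patient))
        recent = {p for t, p in seen[user] if ts - t <= window}
        if len(recent) > VOLUME_THRESHOLD:
            alerts.add((user, None, "volume_spike"))
    return sorted(alerts, key=lambda a: (a[0], a[1] or "", a[2]))
```

Each alert is a starting point for the documented investigation the article calls for, not a conclusion; legitimate break-the-glass access should be reconciled against its recorded justification before escalation.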

Respond Effectively to Incidents

  • Follow a written incident response plan with clear roles, containment steps, and external reporting workflows.
  • Perform root-cause and corrective action analyses; tie lessons learned to risk management updates.
  • Communicate with OCR candidly and promptly; thorough documentation can shift findings from willful neglect to reasonable cause.

Conclusion

OCR drives civil enforcement of the HIPAA Privacy Rule and HIPAA Security Rule, while DOJ pursues criminal cases when intent and deception are present. Your best defense is a documented, risk-based program that prevents violations, detects misuse, and demonstrates good-faith compliance. Align controls to the minimum necessary standard, manage vendors rigorously, and be prepared to cooperate if matters escalate through the referral policy to criminal review.

FAQs

What are the main differences between DOJ and OCR enforcement?

OCR enforces HIPAA civilly—investigating, negotiating corrective action, and assessing civil monetary penalties for failures to meet Privacy Rule and Security Rule requirements. DOJ handles criminal enforcement, charging knowing violations such as obtaining PHI under false pretenses or using PHI for personal gain, which can carry imprisonment and fines. The same incident can involve both agencies in parallel.

How does the DOJ determine criminal penalties for HIPAA violations?

Penalties escalate based on intent and harm: knowing violations form the baseline; obtaining PHI under false pretenses carries higher penalties; and using PHI for commercial advantage, personal gain, or malicious harm is the most severe. DOJ also considers volume and sensitivity of PHI, number of victims, financial impact, obstruction, and acceptance of responsibility when recommending sentences.

When does OCR refer cases to the DOJ?

OCR refers matters when facts indicate potential criminal conduct—intentional misuse of PHI, access or disclosures under false pretenses, schemes to sell or monetize PHI, or other deceptive acts. After referral, OCR coordinates with DOJ and may pause or stage civil steps to avoid interfering with the criminal investigation.

Can state attorneys general enforce HIPAA violations?

Yes. State attorneys general may bring civil actions in federal court to stop violations and obtain damages for residents, often coordinating with OCR and leveraging state consumer protection or breach laws. Their involvement can increase exposure through multistate investigations and combined remedies.
