HIPAA Criminal Penalties Explained: Fines, Jail Time, and What Triggers Them
HIPAA criminal penalties apply when someone intentionally accesses, uses, or discloses protected health information in ways the law forbids. This guide breaks down the three criminal tiers, who can be charged, how cases are enforced, and the collateral consequences you need to anticipate.
Tier 1 Knowing Violation Penalties
What the law targets
Tier 1 covers a person who knowingly—meaning they are aware of what they are doing—obtains, uses, or discloses health data in violation of HIPAA. It also includes knowingly misusing a unique health identifier. The government does not have to prove you knew the conduct was illegal; it must prove you knew you were accessing or sharing the information.
HIPAA refers to protected health information, but you may also see it described as “personally identifiable health information (PHI).” Either way, the focus is on data that identifies an individual and relates to their health, care, or payment for care.
Maximum penalties
Conviction can carry up to 1 year in federal prison and a fine of up to $50,000 per offense. Separate acts—such as multiple lookups or disclosures—can be charged as separate counts.
Examples that fit Tier 1
- Snooping in a patient’s chart without a job-related need.
- Exporting a patient roster to a personal device to “work from home” when not authorized.
- Sharing a friend’s lab result with another friend “as a favor.”
Tier 2 False Pretenses Penalties
What the law targets
Tier 2 applies when PHI is obtained under false pretenses—for example, misrepresenting your identity or purpose, social engineering a help desk for access, or using a colleague’s credentials to get into records. These cases are routinely brought through Department of Justice prosecution.
Maximum penalties
Conviction can carry up to 5 years in prison and a fine of up to $100,000 per offense.
Examples that fit Tier 2
- Pretending to be a treating provider to obtain records from another facility.
- Calling a billing office and fabricating an “audit” to elicit patient account data.
- Using another user’s login—without permission—to access PHI.
Tier 3 Intent for Personal Gain Penalties
What the law targets
Tier 3 is reserved for the most serious conduct: obtaining or disclosing PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm. Prosecutors often pair these charges with identity theft, fraud, or computer crime counts.
Maximum penalties
Conviction can carry up to 10 years in prison and a fine of up to $250,000 per offense. Courts may also order restitution and forfeiture of criminal proceeds.
Examples that fit Tier 3
- Selling patient lists to a competitor or a marketing firm.
- Using PHI to submit fraudulent insurance claims.
- Doxxing a patient by posting their diagnosis to cause reputational harm.
Covered Entities and Individuals Liability
Who can be charged
Covered entities (health plans, clearinghouses, most providers) and business associates can face organizational criminal liability, and their workforce members—employees, contractors, volunteers—can be charged as individuals. People outside of healthcare can also face exposure if they conspire with, aid, or induce a covered entity or business associate to violate HIPAA.
Organizational exposure
Entities can be charged for acts committed by personnel within the scope of their duties. Monetary penalties can be significant, and courts may impose probation-like oversight, including mandates to strengthen access controls and auditing.
Role of authorization and minimum necessary
Access tied to a legitimate role and “minimum necessary” is central. If you lacked a job-related need to view or share the data, or exceeded what was necessary, you increase the risk that prosecutors will treat the action as knowing or deceptive.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Enforcement and Compliance Actions
How cases move
HHS’s Office for Civil Rights (OCR) investigates privacy and security incidents and refers potential crimes to the Department of Justice for prosecution. OCR handles civil penalties, while DOJ handles criminal cases; the two often coordinate.
Corrective Action Plans (CAPs) and Risk Assessment Requirements
Even when conduct is not criminal, OCR can require settlement agreements with Corrective Action Plans (CAPs). CAPs typically compel you to perform a comprehensive risk analysis, implement risk management, retrain the workforce, tighten sanction policies, and demonstrate ongoing monitoring—core Risk Assessment Requirements under the HIPAA Security Rule.
State Attorneys General Civil Actions
Under HITECH, State Attorneys General are authorized to pursue civil remedies on behalf of residents harmed by HIPAA violations. They cannot bring HIPAA criminal charges, but they frequently coordinate with OCR and, when warranted, refer matters for criminal review.
HITECH Act reexamination
Following the HITECH Act reexamination of HIPAA enforcement, OCR has emphasized recognized security practices when evaluating civil penalties and resolution terms. That consideration may mitigate civil exposure, but it does not eliminate criminal liability when intent and knowing conduct are present.
Exclusion from Medicare Participation
How exclusion risk arises
A HIPAA criminal conviction can trigger the Office of Inspector General’s Medicare exclusion authority. While HIPAA violations are not always a mandatory exclusion category, related offenses often charged alongside HIPAA—such as health care fraud, identity theft, or obstruction—can lead to mandatory or permissive exclusion from federal health care programs.
Consequences and mitigation
Exclusion bars you or your organization from Medicare, Medicaid, and other federal program participation, which can be economically devastating. Robust remediation—completing CAP obligations, reinforcing access controls, and documenting culture-of-compliance improvements—can be important in negotiating scope and duration, but exclusion decisions remain discretionary within statutory limits.
Criminal Liability Interpretation
How prosecutors view the tiers
“Knowing” generally means you intended the access or disclosure itself, not necessarily that you understood HIPAA’s legal intricacies. “False pretenses” adds deception—lying about who you are or why you need PHI. “Intent for personal gain” requires proof you sought commercial advantage, profit, or malicious harm.
Evidence commonly used
Access logs, badge and system records, emails and messages, financial trails, audit findings, and witness statements often form the backbone of a case. Repetition (a pattern of snooping) and attempts to conceal conduct can elevate how prosecutors charge it.
Practical takeaways
- Authorize access narrowly and enforce the minimum necessary standard.
- Log, monitor, and promptly investigate anomalous access.
- Train, sanction, and retrain—then document it.
- Scrutinize vendor and business associate access; verify contractual and technical controls.
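The evidence described above (access logs, system records, patterns of repeated snooping) is also what a covered entity's own monitoring should be built on. The following is an added example, not code from this article or from Accountable: it parses a constructed, pipe-delimited EHR audit log and applies three checks that map to the takeaways above. The log format, the field names, the assignment table (which stands in for a treatment-relationship or role-based access list), and the thresholds are all assumptions made for the example.

```python
"""Flag anomalous PHI access in an EHR audit log (illustrative, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp|user|role|patient_id|workstation|action
SAMPLE_LOG = """\
2024-03-01T08:02:11|nurse.a|RN|P1001|WS-ICU-1|view
2024-03-01T08:05:40|nurse.a|RN|P1002|WS-ICU-1|view
2024-03-01T08:06:02|nurse.a|RN|P2050|WS-ICU-1|view
2024-03-01T08:06:30|nurse.a|RN|P2051|WS-ICU-1|view
2024-03-01T08:07:01|nurse.a|RN|P2052|WS-ICU-1|view
2024-03-01T08:07:45|nurse.a|RN|P2053|WS-ICU-1|view
2024-03-01T09:15:00|billing.b|BILLING|P1001|WS-BILL-3|view
2024-03-01T09:16:10|billing.b|BILLING|P1001|WS-REMOTE-9|export
2024-03-01T10:00:00|dr.c|MD|P3000|WS-CLINIC-2|view
"""

# Constructed treatment relationships: patients each user has a job-related need to see.
ASSIGNMENTS = {
    "nurse.a": {"P1001", "P1002"},
    "billing.b": {"P1001"},
    "dr.c": {"P3000"},
}

BURST_WINDOW = timedelta(minutes=5)      # assumed tuning values
BURST_DISTINCT_PATIENTS = 4
CONCURRENT_WINDOW = timedelta(minutes=2)


def parse_log(text):
    """Turn the pipe-delimited lines into time-ordered event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, workstation, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "patient": patient, "workstation": workstation, "action": action})
    events.sort(key=lambda e: e["ts"])
    return events


def find_unassigned_access(events, assignments):
    """Minimum-necessary check: access to a patient the user is not assigned to."""
    return [(e["user"], e["patient"]) for e in events
            if e["patient"] not in assignments.get(e["user"], set())]


def find_bursts(events, window=BURST_WINDOW, threshold=BURST_DISTINCT_PATIENTS):
    """Snooping pattern: many distinct patients viewed by one user in a short window.
    Returns {user: max distinct patients seen in any window} for users over threshold."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            seen = {x["patient"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(seen) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(seen))
    return flagged


def find_concurrent_workstations(events, window=CONCURRENT_WINDOW):
    """Shared-credential indicator: one account active from two workstations
    within a short window. Returns sorted unique (user, ws1, ws2) tuples."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i in range(len(evs)):
            for j in range(i + 1, len(evs)):
                if evs[j]["ts"] - evs[i]["ts"] > window:
                    break
                if evs[j]["workstation"] != evs[i]["workstation"]:
                    flagged.add((user, evs[i]["workstation"], evs[j]["workstation"]))
    return sorted(flagged)


def triage(text, assignments):
    """Run all three checks over a log; each finding is a lead for investigation."""
    events = parse_log(text)
    return {
        "unassigned": find_unassigned_access(events, assignments),
        "bursts": find_bursts(events),
        "concurrent": find_concurrent_workstations(events),
    }


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_LOG, ASSIGNMENTS).items():
        print(kind, findings)
```

Each finding is a reason to open an investigation and preserve the surrounding records, not a conclusion on its own: the assignment table has to reflect real treatment relationships and covering arrangements, and the window and threshold values need tuning to the unit's normal workload before alerts are trusted.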
Conclusion
HIPAA criminal penalties escalate from knowing violations (up to 1 year and $50,000) to false pretenses (up to 5 years and $100,000) and, at the top tier, intent for personal gain or harm (up to 10 years and $250,000). DOJ prosecutes criminal cases, while OCR and State AGs drive civil enforcement, CAPs, and oversight. Strong risk analysis, access governance, and culture-of-compliance reduce both the likelihood of an incident and your exposure if one occurs.
FAQs
What actions trigger HIPAA criminal penalties?
Intentional misconduct triggers criminal exposure: deliberately accessing PHI without authorization; obtaining PHI under false pretenses (e.g., misrepresenting identity or purpose); selling, transferring, or using PHI for personal gain, commercial advantage, or malicious harm; or knowingly misusing a unique health identifier. Aiding and abetting or conspiring with others to do these things can also create liability.
How are HIPAA criminal penalties different from civil penalties?
Criminal penalties require proof of intent and are pursued by the Department of Justice, with potential prison time and criminal fines. Civil penalties are enforced by HHS OCR and State Attorneys General, focus on negligent or willful noncompliance, and typically involve monetary penalties, Corrective Action Plans, and long-term monitoring. Recognized security practices may mitigate civil outcomes but do not erase criminal exposure.
Who is liable for HIPAA criminal violations?
Covered entities, business associates, and their workforce members (employees, contractors, volunteers) can be charged directly. Individuals outside healthcare can face criminal risk if they knowingly induce a violation or participate in a scheme (for example, buying stolen PHI), and organizations can be held criminally responsible for acts committed within the scope of employment.
What are the maximum fines and jail terms for each criminal penalty tier?
- Tier 1 (knowing violation): up to 1 year in prison and up to $50,000 per offense.
- Tier 2 (false pretenses): up to 5 years in prison and up to $100,000 per offense.
- Tier 3 (intent for personal gain/malicious harm): up to 10 years in prison and up to $250,000 per offense.