Top Criminal HIPAA Violation Examples and a Practical Compliance Checklist


Kevin Henry

HIPAA

September 26, 2024


Criminal HIPAA Violations Overview

HIPAA criminal provisions apply when someone knowingly obtains, discloses, or uses Protected Health Information (PHI) without authorization. Covered entities and business associates are on the hook, and individuals—employees, contractors, or vendors—can face prosecution for willful misconduct that crosses the criminal line.

Criminal cases often begin as Department of Justice Referrals from the HHS Office for Civil Rights. While civil rules focus on corrective action and fines, criminal Enforcement Actions address intent and deception, targeting conduct such as access under False Pretenses or the sale of PHI for personal gain.

The law recognizes three escalating tiers: basic knowing misuse (Tier 1), obtaining PHI under False Pretenses (Tier 2), and intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm (Tier 3). Penalties climb from fines and up to one year in prison for Tier 1, to up to five years for Tier 2, and up to ten years for the most egregious Tier 3 conduct.

Your best defense is prevention: strong access controls, thorough policies, vetted Business Associate Agreements, continuous monitoring, and prompt Data Breach Notification when required.

Tier 1 Criminal Violations

Definition and penalties

Tier 1 covers knowingly obtaining or disclosing PHI without authorization or a permissible purpose. It does not require deceit or profit motive. Penalties can include fines up to $50,000 and imprisonment up to one year.

Common examples

  • Snooping in a neighbor’s or celebrity patient’s record out of curiosity.
  • Sharing a patient’s diagnosis with friends or family without consent.
  • Downloading PHI to a personal device or unapproved cloud storage.
  • Accessing records after a legitimate need to know has ended.
  • Leaving printed PHI where unauthorized people can view it and then discussing that information.

Prevention tactics

  • Role-based access, unique user IDs, and automatic logoff.
  • Real-time audit logs with alerts for unusual queries or mass exports.
  • Minimum necessary policies and a clear sanctions process.
  • Secure printing, clean desk requirements, and controlled disposal of paper PHI.
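As an added illustration of the "real-time audit logs with alerts" tactic above (example code written for this article, not from Accountable or any EHR vendor), the following Python flags three Tier 1 indicators over constructed audit lines: a view outside the user's assigned unit, a burst of exports, and a view of a record after the patient's discharge (need to know ended). The log format, the unit assignments, the field names and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR access-audit lines (not from any real system):
# timestamp user role action patient_id patient_unit
AUDIT_LOG = """\
2024-09-20T08:01:00 jdoe nurse VIEW P1001 ICU
2024-09-20T08:05:00 jdoe nurse VIEW P1002 ICU
2024-09-20T09:00:00 jdoe nurse DISCHARGE P1002 ICU
2024-09-20T12:30:00 jdoe nurse VIEW P2001 CARDIO
2024-09-20T13:00:00 msmith billing EXPORT P3001 ONC
2024-09-20T13:10:00 msmith billing EXPORT P3002 ONC
2024-09-20T13:20:00 msmith billing EXPORT P3003 ONC
2024-09-20T15:00:00 jdoe nurse VIEW P1002 ICU
"""

# Constructed role-based assignments: which units each user legitimately supports.
ASSIGNMENTS = {"jdoe": {"ICU"}, "msmith": {"ONC"}}

def parse(log):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, role, action, patient, unit = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "action": action, "patient": patient, "unit": unit})
    return events

def detect(events, assignments, export_threshold=3, window=timedelta(hours=1)):
    """Return (rule, user, patient) alerts for three Tier 1 misuse indicators."""
    alerts, discharged, exports = [], {}, defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "DISCHARGE":          # need to know ends at discharge
            discharged[e["patient"]] = e["ts"]
            continue
        if e["unit"] not in assignments.get(e["user"], set()):
            alerts.append(("out_of_unit_access", e["user"], e["patient"]))
        if e["action"] == "EXPORT":             # sliding window of this user's exports
            recent = [t for t in exports[e["user"]] if e["ts"] - t <= window]
            recent.append(e["ts"])
            exports[e["user"]] = recent
            if len(recent) == export_threshold:  # fire once when the threshold is hit
                alerts.append(("mass_export", e["user"], e["patient"]))
        if e["patient"] in discharged and e["ts"] > discharged[e["patient"]]:
            alerts.append(("post_discharge_access", e["user"], e["patient"]))
    return alerts

def run_example():
    """Run the detector over the constructed log with the constructed assignments."""
    return detect(parse(AUDIT_LOG), ASSIGNMENTS)
```

Each alert is a record for a sanctions or investigation workflow, not a verdict; a care-team override table or a break-glass process would normally filter expected exceptions before a reviewer sees them.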

Tier 2 Criminal Violations

Definition and penalties

Tier 2 applies when someone obtains PHI under False Pretenses—misrepresenting identity, authority, or purpose to gain access. Penalties can include fines up to $100,000 and imprisonment up to five years.

Common examples

  • Impersonating a clinician or billing staff to unlock a chart or data feed.
  • Using a coworker’s credentials or tailgating into restricted areas to access PHI.
  • “Pretext calling” a clinic to elicit PHI by pretending to be a patient’s relative or insurer.
  • Forging authorizations or altering forms to justify an impermissible disclosure.

Prevention tactics

  • Multi-factor authentication, least-privilege access, and prompt account revocation.
  • Identity verification scripts for calls, faxes, and email requests.
  • Legal review of subpoenas and court orders before releasing PHI.
  • Targeted training on social engineering and credential safeguarding.

Tier 3 Criminal Violations

Definition and penalties

Tier 3 centers on intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. Penalties can include fines up to $250,000 and imprisonment up to ten years.

Common examples

  • Selling patient lists to identity theft rings or marketing firms.
  • Using PHI to commit medical identity theft or file fraudulent claims.
  • Exfiltrating PHI to a competitor or to extort payment.
  • Blackmailing a patient or public figure with sensitive medical details.

Prevention tactics

  • Data loss prevention, egress monitoring, and encryption for data at rest and in transit.
  • Segregation of duties and approvals for high-risk reports or exports.
  • Exit audits and device/media return checks for departing workforce members.
  • Vendor oversight and rapid escalation procedures that include law enforcement coordination when criminal indicators appear.

Notable HIPAA Enforcement Actions

Enforcement Actions illustrate recurring failure patterns. OCR investigates and, when appropriate, makes Department of Justice Referrals for criminal prosecution. Studying these themes helps you prioritize controls that prevent repeat mistakes.

Patterns seen in Enforcement Actions

  • Employees repeatedly snooping on records without minimum necessary controls.
  • Improper disposal of paper records or unencrypted devices leading to PHI exposure.
  • Gaps in Business Associate Agreements or oversight that allow vendors to mishandle PHI.
  • Delayed or incomplete Data Breach Notification and poor incident documentation.
  • Insufficient access logging and monitoring, allowing long-running misuse to go undetected.
  • Lax identity verification processes exploited through social engineering.

Key lessons

  • Designate accountable leaders, document decisions, and test controls regularly.
  • Investigate promptly, preserve logs, and escalate to legal counsel when intent or deception is suspected.
  • Remediate root causes, not just symptoms; verify fixes with measurable checks.

HIPAA Compliance Checklist Components

Use this practical checklist to operationalize compliance and reduce criminal exposure. Each item should be documented, assigned to an owner, and reviewed on a cadence.

Governance and policies

  • Appoint privacy and security officers with clear authority.
  • Publish Privacy Rule and Security Rule policies, including sanctions and minimum necessary standards.
  • Maintain current Business Associate Agreements for all vendors that handle PHI.
  • Define retention, disposal, and media handling procedures for electronic and paper PHI.

Technical and physical safeguards

  • Perform a Security Risk Assessment and track remediation to completion.
  • Implement encryption, MFA, endpoint protection, and mobile device management.
  • Segment ePHI systems, apply least privilege, and enable comprehensive audit logging.
  • Control facility access; securely store, transport, and dispose of devices and media.

Operational processes

  • Workforce onboarding, access provisioning, and timely offboarding with exit audits.
  • Vendor due diligence, monitoring, and documented BAA compliance checks.
  • Incident response with playbooks for insider misuse and exfiltration.
  • Data Breach Notification workflows with clock starts, approvals, and message templates.
  • Processes for patient rights: access, amendments, restrictions, and accounting of disclosures.

Documentation and oversight

  • Training curricula, attendance, and competency verification records.
  • Risk register, vulnerability scans, penetration tests, and remediation evidence.
  • Access reviews, audit reports, and sanction logs.
  • Breach investigation files, notification proofs, and corrective action plans.

Risk Assessment and Employee Training

How to run a Security Risk Assessment

  • Inventory systems, apps, devices, and vendors that create, receive, maintain, or transmit PHI.
  • Map PHI data flows and classify sensitivity; identify threats and vulnerabilities.
  • Rate likelihood and impact, then prioritize risks with a treatment plan and deadlines.
  • Validate fixes, track residual risk, and schedule reassessments or trigger-based reviews.

Employee training essentials

  • Orientation plus annual refreshers covering privacy, security, and minimum necessary.
  • Role-based scenarios for front desk, clinical, billing, IT, and executives.
  • Social engineering defenses, secure remote work, and reporting expectations.
  • Clear sanctions and recognition programs that reinforce desired behaviors.

Measure and improve

  • Monitor metrics: audit anomalies, access violations, phishing failure rates, and time to contain incidents.
  • Run tabletop exercises for insider misuse and pretext calling; refine playbooks.
  • Escalate promptly when criminal indicators arise, coordinating with counsel and considering Department of Justice Referrals when warranted.

Conclusion

Criminal HIPAA risks concentrate around unauthorized access, deception, and monetization of PHI. Strong governance, rigorous Security Risk Assessment, vigilant monitoring, tight Business Associate Agreements, and disciplined Data Breach Notification practices form a durable defense. Train your workforce well, test often, and document everything.

FAQs

What are examples of criminal HIPAA violations?

Examples include snooping in a record without a need to know (Tier 1), obtaining PHI under False Pretenses such as impersonating staff (Tier 2), and selling or using PHI for personal gain or to cause harm, like identity theft or extortion (Tier 3). Employees, contractors, and third-party vendors can all be involved.

How severe are penalties for HIPAA breaches?

Criminal penalties range by tier: up to $50,000 and one year in prison for knowing misuse; up to $100,000 and five years for False Pretenses; and up to $250,000 and ten years for intent to sell, transfer, or misuse PHI for gain or harm. Civil penalties and corrective actions may also apply to organizations.

What is included in a HIPAA compliance checklist?

A practical checklist covers governance roles, policies, and Business Associate Agreements; technical and physical safeguards verified by a Security Risk Assessment; workforce training; access and audit controls; incident response; and Data Breach Notification procedures, all backed by thorough documentation.

When must data breaches be reported under HIPAA?

For breaches of unsecured PHI, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. You must also notify HHS (immediately for incidents affecting 500 or more individuals in a jurisdiction; annually for smaller breaches) and follow any applicable media and business associate notice requirements.
