Who Enforces Criminal HIPAA Violations? DOJ Authority and Examples Explained
If you handle Protected Health Information (PHI), understanding who prosecutes criminal HIPAA violations is essential. Civil enforcement is common, but when conduct is intentional or egregious, the Department of Justice (DOJ) takes the lead through criminal investigations that can end in HIPAA criminal indictments.
Department of Justice Criminal Enforcement
The Department of Justice (DOJ) has authority to prosecute anyone who knowingly obtains, discloses, or uses individually identifiable health information in violation of HIPAA. Most cases are handled by United States Attorney’s Offices, often working with the FBI and the Department of Health and Human Services Office of Inspector General (HHS‑OIG).
In practice, DOJ builds cases that show purposeful conduct, such as accessing records without a legitimate reason, lying to gain access (the false‑pretenses offense), or selling PHI for personal gain. Prosecutors frequently add related charges like conspiracy, wire fraud, computer crime, or aggravated identity theft when the facts support them.
- Who can be charged: individuals, workforce members, contractors, business associates, and organizations.
- What DOJ must prove: knowing access/use/disclosure, lack of authorization under HIPAA, and (for higher tiers) false pretenses or intent to sell, transfer, or use PHI for gain or harm.
Types of Criminal HIPAA Violations
Not every breach is criminal. Criminal exposure arises when conduct is intentional or deceitful, or tied to fraud or personal gain. Common fact patterns include the following.
- Unauthorized snooping: viewing a neighbor’s, co‑worker’s, or celebrity’s records without a treatment or operations purpose.
- False Pretenses Offense: posing as another staff member or using someone else’s credentials to access PHI.
- Sale or barter of PHI: transferring patient lists to marketers, tax‑refund schemes, or identity‑theft rings.
- Data theft after termination: keeping or downloading PHI to personal devices and threatening disclosure.
- Misuse for fraud: using PHI to submit false claims, obtain controlled substances, or open lines of credit.
Penalties and Sentencing
Criminal HIPAA penalties follow three statutory tiers based on intent and purpose. Courts may also impose higher fines under general federal penalty statutes and order restitution to victims.
- Base offense: up to 1 year in prison and fines for knowingly obtaining or disclosing PHI without authorization.
- False pretenses: up to 5 years when the offense involves deceit or misrepresentation to gain access.
- Intent to sell or for gain/harm: up to 10 years for selling, transferring, or using PHI for commercial advantage, personal gain, or malicious harm.
Federal Sentencing Guidelines drive the final sentence. Key factors include number of patients affected, scope and duration of the scheme, means used (e.g., credential theft), obstruction or destruction of evidence, abuse of position of trust, and whether other crimes (such as aggravated identity theft) apply. Organizations can face criminal fines, compliance obligations, and probation; individuals may face incarceration, fines, restitution, and professional licensing consequences.
Role of Office for Civil Rights
The HHS Office for Civil Rights (OCR) leads enforcement on the civil side: investigating complaints and breaches, auditing compliance, negotiating corrective action plans, and assessing civil money penalties. OCR focuses on whether covered entities and business associates met the Privacy, Security, and Breach Notification Rules.
When OCR uncovers evidence suggesting intentional wrongdoing, such as deliberate snooping, false pretenses, or sale of PHI, it refers the matter to DOJ. OCR continues to coordinate with prosecutors by sharing investigative findings and subject‑matter expertise, but it does not prosecute crimes.
State Attorneys General Enforcement
State Attorneys General (AGs) have authority under the HITECH Act to bring civil actions in federal court for HIPAA violations affecting their residents. They can seek injunctions and monetary remedies on behalf of consumers, often alongside OCR’s actions.
AGs cannot bring criminal charges under HIPAA itself. However, they may bring state criminal charges under other statutes, such as identity theft, computer crime, or unlawful surveillance, when the same misconduct violates state law. They also coordinate with U.S. Attorneys on parallel state‑federal cases.
Notable Criminal HIPAA Cases
Courts have imposed punishments ranging from probation to multi‑year federal sentences, depending on intent and harm. Illustrative examples show how facts drive outcomes:
- Celebrity snooping at a major academic medical center: a research employee repeatedly accessed patient charts without a job‑related need and received a four‑month federal prison sentence, the first prison term in a HIPAA case.
- Identity‑theft ring: a hospital registration clerk sold hundreds of patient files to a tax‑refund scheme; DOJ charged HIPAA counts plus aggravated identity theft and wire fraud, resulting in a multi‑year sentence and restitution.
- Drug‑seeking disclosure: a pharmacy worker shared PHI with an acquaintance to obtain opioids, producing felony HIPAA and conspiracy convictions.
- Post‑termination data threat: a clinic manager copied PHI to personal devices and demanded payment; prosecutors pursued extortion along with HIPAA charges, ending in a felony plea and court‑ordered compliance conditions.
Referral Process from OCR to DOJ
The path from a privacy complaint to a criminal case is structured and collaborative. Understanding the steps helps you spot when a matter may turn criminal.
- Intake: OCR receives a complaint, breach report, or audit finding; HHS‑OIG tips and FBI cyber referrals are common entry points.
- OCR investigation: record requests, interviews, and technical assessments identify whether conduct appears accidental, negligent, or intentional.
- Criminal indicators: evidence of deceit, sale of PHI, credential misuse, data exfiltration, or fraud triggers escalation.
- Formal referral: OCR sends a referral package to DOJ; HHS‑OIG and/or the FBI open a case and coordinate with an Assistant U.S. Attorney.
- Evidence gathering: subpoenas, search warrants, and forensic imaging collect proof of access, downloads, communications, and money flows.
- Charging: prosecutors present the case to a grand jury for HIPAA criminal indictments and any related fraud or identity‑theft counts.
- Resolution: plea negotiations or trial; sentencing based on statutory tiers and the Guidelines, plus restitution and protective orders.
Conclusion
The DOJ prosecutes intentional HIPAA misconduct, particularly false pretenses and the sale or misuse of PHI, while OCR drives civil compliance and makes criminal referrals. State AGs add civil tools and state‑law crimes, creating a layered enforcement model. If you manage PHI, strong access controls, auditing, and training are the best defense against criminal exposure.
FAQs
What federal agency prosecutes criminal HIPAA violations?
The Department of Justice prosecutes criminal HIPAA violations, typically through U.S. Attorneys, with investigative support from the FBI and HHS‑OIG. OCR handles civil enforcement and refers potential crimes to DOJ.
How does the DOJ determine the severity of charges?
Prosecutors look at intent (base offense, false pretenses, or intent to sell/use PHI for gain), scope and duration, number of patients, harm caused, and related crimes. These factors determine the specific counts and the applicable criminal penalty tier.
What role does the Office for Civil Rights play in criminal enforcement?
OCR investigates civil compliance, conducts civil enforcement actions, and refers cases showing intentional or deceitful conduct to DOJ. It then supports prosecutors with records, expert input, and coordination.
Can state attorneys general bring criminal charges for HIPAA violations?
No. State attorneys general can bring civil HIPAA actions under federal law but cannot file HIPAA criminal charges. They may, however, pursue state criminal charges under other statutes and coordinate with DOJ on joint matters.