Contact Us for a Free Consultation (818) 781-1570

HIPAA Violations

Defense Against HIPAA Violations Turned Criminal Prosecution: 42 U.S.C. § 1320d-6

Most healthcare workers think of HIPAA as an employment policy: violate it, and you get written up or fired. Few understand that the same conduct can become a federal felony.

Defense Against HIPAA Violations Turned Criminal Prosecution: 42 U.S.C. § 1320d-6

Under 42 U.S.C. § 1320d-6, knowingly obtaining or disclosing patient health information without authorization is a federal crime, and when that conduct is connected to personal gain, even gain as modest as workplace gossip or personal curiosity, the maximum sentence jumps to ten years in federal prison.

These cases are rare compared to the volume of civil HIPAA enforcement, but when the Department of Justice decides to pursue one, it moves with the same intensity as any other federal prosecution.

What Does 42 U.S.C. § 1320d-6 Actually Prohibit?

The statute makes it a crime for a person who knowingly, and in violation of HIPAA's administrative simplification provisions, uses or causes to be used a unique health identifier, obtains individually identifiable health information relating to an individual, or discloses individually identifiable health information to another person.

A person, including an employee or other individual, is considered to have obtained or disclosed health information in violation of the statute if the information is maintained by a covered entity and the individual obtained or disclosed it without authorization

A covered entity in this context means a health plan, healthcare clearinghouse, or healthcare provider who transmits health information electronically.

The Department of Justice's own legal analysis clarifies the mental state required. The knowingly element of section 1320d-6 requires only proof of knowledge of the facts that constitute the offense, not proof that the defendant knew the conduct was contrary to the statute or regulations.

In practical terms, the government does not need to prove the nurse or physician knew they were violating a federal criminal statute. It only needs to prove they knew they were accessing records without authorization.

What Are The Three Penalty Tiers?

The statute's penalty structure escalates sharply depending on the circumstances of the violation, and the gap between the lowest and highest tiers is enormous.

A knowing violation carries up to $50,000 in fines and up to one year in prison. Where the offense is committed under false pretenses, the maximum penalty rises to a $100,000 fine and five years of imprisonment.

The statute reserves its highest penalties, a fine of up to $250,000 and imprisonment of up to ten years, for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

That third tier is where most healthcare worker prosecutions land, and the threshold for "personal gain" is far lower than most people assume.

Courts have held that satisfying personal curiosity, impressing friends, or even workplace gossip can count as personal gain. That phrase does not require selling the information for money.

How Can a Casual Decision Become a Federal Case?

The exposure does not stop with the person who accessed the record.

A nurse who texts a coworker the medication list of a patient out of curiosity, and the coworker who asked for it, can both be charged with conspiracy to violate the statute, even if the coworker never worked at the hospital and never personally accessed any record.

Federal prosecutors often favor conspiracy charges because they are easier to prove than the underlying crime and carry identical penalties. Agreeing to access information illegally is enough for a conviction, even if the information was never actually used.

That dynamic means a single careless message exchange about a patient, a celebrity, an ex-partner, or a coworker's family member can expose multiple people to felony liability under 18 U.S.C. § 371 conspiracy charges layered on top of the underlying HIPAA violation.

How Do These Prosecutions Typically Begin?

Criminal HIPAA cases are prosecuted by the Department of Justice, not HHS, and tend to involve the most egregious conduct:

  • Employees snooping through records of celebrities or ex-partners,
  • Insiders selling patient data, or
  • Schemes to use stolen medical identities for fraudulent billing.

Most enforcement begins with either a complaint or a breach report landing on the desk of HHS's Office for Civil Rights, which can be filed by anyone alleging a covered entity is not complying with HIPAA rules.

For criminal conduct, OCR refers the matter to the Department of Justice for federal prosecution. HIPAA charges also surface frequently as a secondary tool within larger fraud investigations.

Prosecutors may view HIPAA charges as useful tools in larger fraud and kickback investigations, since they can be easier to explain to a jury than a complex fraud scheme.

They can provide leverage to induce lower-level figures to cooperate against others. A HIPAA count can also serve as a fallback charge when kickback or fraud charges are not sustainable.

That dynamic played out in the First Circuit's affirmance of a Massachusetts gynecologist's conviction.

The case arose from a broader investigation of a pharmaceutical company that pleaded guilty to paying kickbacks to doctors through a sham speaker series.

The physician, who had received over $23,000 through the program, was separately convicted of criminal HIPAA violations and obstructing a healthcare investigation after asking a pharmaceutical sales representative to help complete prior authorization forms using patient information in a manner the government found unauthorized.

She was sentenced to probation, but the court noted the conviction could adversely affect her professional standing, beyond the criminal sentence itself.

Frequently Asked Questions (FAQs)

Can a healthcare employee be prosecuted under 42 U.S.C. § 1320d-6 if they did not know their actions violated a federal criminal statute?

Yes. The statutory standard for a "knowing" violation under section 1320d-6 requires only proof that the defendant was aware of the factual circumstances constituting the offense—specifically, that they knowingly accessed or disclosed protected health information without authorization.

The prosecution need not prove that the defendant knew their conduct violated a specific federal criminal law or crossed statutory lines.

Can an individual who does not work in healthcare be criminally charged under this statute?

Yes. While 42 U.S.C. § 1320d-6 directly regulates covered entities and their employees, outside individuals routinely face identical criminal exposure through federal conspiracy (18 U.S.C. § 371) or aiding and abetting laws.

If an external party encourages, requests, or coordinates with an authorized healthcare insider to illegally extract protected medical records, both individuals can be indicted as co-conspirators.

Does "personal gain" require that the accessed medical data was sold for money?

No. Federal courts have consistently ruled that "personal gain" is not limited to financial transactions.

Satisfying private curiosity, gathering leverage over an ex-spouse, looking up a celebrity's medical chart, or obtaining details to fuel workplace gossip all meet the legal threshold for personal gain under Tier 3 guidelines, exposing the defendant to the maximum 10-year sentencing tier.

How do federal prosecutors prove that access to an EHR or medical record was unauthorized?

Federal investigators rely heavily on immutable electronic audit trails automatically generated by Electronic Health Record (EHR) and Electronic Medical Record (EMR) platforms.

These metadata logs precisely track which user credentials opened a patient's chart, the exact timestamps of access, the specific pages or lab results viewed, and the workstation or network IP address used, creating a digital blueprint that is highly difficult to dispute.

What should a medical professional do if contacted by the HHS Office for Civil Rights (OCR) regarding a data breach?

You should immediately and politely decline to answer substantive questions and retain experienced federal defense counsel before participating in any interviews.

Statements made during early administrative or civil regulatory inquiries can inadvertently establish the mental state (knowledge) required for criminal prosecution, and missteps during these informal stages can easily lead to a formal criminal referral to the Department of Justice.

Defense Strategies for Healthcare Workers Facing HIPAA Charges

Challenging Whether Access Was Actually Unauthorized

Authorized access and disclosure are not subject to prosecution, but the access must fit within a category designated under HIPAA regulations.

A healthcare provider can lawfully provide patient information to another provider for purposes of patient treatment.

 A significant share of HIPAA criminal allegations arises from genuine ambiguity over whether a disclosure fell within a treatment, payment, or operations exception.

The defense examines the regulatory framework closely to determine whether the conduct charged actually exceeded the bounds of authorized use.

Contesting the Personal Gain or Malicious Harm Element

Because the highest penalty tier requires intent for commercial advantage, personal gain, or malicious harm, separating that intent from simple carelessness or a momentary lapse in judgment is often the central question in sentencing exposure.

A healthcare worker who accessed a record out of habit or institutional muscle memory, without any plan to use or share it, has a fundamentally different case than one who sold or weaponized the information.

Attacking Conspiracy Liability for Secondary Parties

Where a person outside the covered entity is charged based on receiving information from an insider, the government must still prove a genuine agreement to violate the statute, not mere curiosity expressed in a private text exchange.

Liability for conduct by persons who cannot be prosecuted directly under section 1320d-6 is determined by principles of aiding and abetting and conspiracy law, which require their own showing of knowing participation, not simple proximity to someone else's violation.

Cooperating Carefully During the Investigative Phase

Statements made to OCR investigators or federal agents during the early stages of a HIPAA inquiry can be used in a subsequent criminal prosecution.

Healthcare workers who are contacted informally about a potential breach should retain counsel before any interview, since obstruction charges, as seen in the Luthra case, can compound the underlying HIPAA exposure significantly.

Conspiracy Charge Resolved Without Conviction

A hospital billing coordinator was contacted by a former coworker asking about a mutual acquaintance's recent emergency room visit.

The coordinator looked up the record, confirmed the visit occurred, and texted back a general description without sharing specific medical details.

The hospital's audit system flagged the access as outside the coordinator's treatment-related duties, and the matter was referred to OCR, then to the U.S. Attorney's Office.

Defense counsel was retained when the coordinator received a target letter referencing both 42 U.S.C. § 1320d-6 and conspiracy under 18 U.S.C. § 371.

Counsel obtained the full text exchange and the coordinator's access logs, establishing that no medical details, diagnosis, or treatment information had actually been disclosed, only confirmation that a visit occurred.

Counsel presented this record to the prosecutor along with evidence that the coordinator had completed annual HIPAA training and had no history of similar access violations.

The government agreed to resolve the matter through a deferred prosecution arrangement requiring completion of additional compliance training and a period of monitored access review, with no criminal conviction entered.

The coordinator retained employment, though under a formal written warning from the hospital's compliance department.

When you are accused of a HIPAA violation that's turned into a criminal case, you need a strong defense. Contact Eisner Gorin LLP today for a confidential consultation.

Related Legal Topics

Contact Us Today

Eisner Gorin LLP is committed to answering your questions about Criminal Defense law issues in Los Angeles, California.

We'll gladly discuss your case with you at your convenience. Contact us today to schedule an appointment.

Make A Payment | LawPay

Menu