Case Study: Case:  “T”   works at a major medical center.”T” was pulled over because his license plate did not match the car’s  VIN number.  Police found  prescriptions in the  car in other people's names, Social Security numbers,  and other PHI of 14 individuals.  After obtaining a search warrant for “T” apartment, police found hard and flash drives  containing the personal information of an additional 1,014 patients.

Question: Can Dept. of HHS’ OCR penalize this HIPAA violation with jail time?

Response:

1. Absolutely
2. No
3. No. HIPAA violations never result in jail time.

Answer: Absolutely

Note: This is a true HIPAA violation case

Why: If healthcare professionals knowingly misuse or unlawfully obtain PHI, they are held criminally liable. The Department of Justice (DOJ), not the OCR, handles criminal penalties for HIPAA violations. The DOJ interprets "knowingly" as requiring only knowledge that the disclosure constitutes an offense, and the perpetrator doesn't need to be aware they are violating HIPAA.

Criminal penalties can  lead  to jail time depending on severity.

The decision for jail time is based on  one of the following:
·      Wrongful disclosure of PHI
·      Wrongful disclosure of PHI under false pretenses
·      Wrongful disclosure of PHI under false pretenses with malicious intent.


The decision to file criminal charges for HIPAA violations is within the purview of the Department of Justice and prosecuted by the U.S. Attorney’s Office. The law provides a very clear basis to justify criminal charges. In U.S. Code 42, Section; 1320d-6.

·       The Dept. of Health and Human Services’ OCR investigates HIPAA complaints and can impose civil penalties like fines for violations, but they cannot initiate criminal charges leading to jail time. However, OCR can refer to DOJ.

DLH-Enterprises5150.com

March, 2025