United States: Criminal Liability For The Wrongful Use Of Health Information: HIPAA And More

By now, the term "HIPAA" is a household term—but few people have a strong grasp of the possible sanctions one might face for intentionally violating the HIPAA regulations. Recent cases illustrate that individuals and employers who have wrongfully accessed protected health information face not only possible criminal sanctions under HIPAA, but also prosecution under several other federal criminal laws.

A recent case prosecuted by the U.S. Attorney's office in the Eastern District of Arkansas may indicate an increased level of enforcement by the government of the criminal sanctions contained in the federal medical privacy law. These sanctions are contained in the administrative simplification provisions of the Health Insurance Portability and Accountability Act ("HIPAA"). In December of 2008, an Arkansas woman was sentenced to probation and community service for her role in disclosing protected health information.

Andrea Smith and her husband were indicted for violations of the HIPAA administrative simplification provisions, as well as conspiracy to wrongfully use and disclose protected health information. According to the indictment, at the time of the offense, Smith was a licensed practical nurse working in a medical clinic located in Jonesboro, Arkansas. She accessed the protected health information of a patient of the clinic, and then shared that information with her husband. Her husband then informed the patient that he was planning to use the information in an upcoming legal proceeding against the patient.

Smith pled guilty to the charge of wrongfully disclosing protected health information for malicious harm or personal gain. In exchange, the government dismissed the conspiracy count against both of them, and also dismissed a remaining count against her husband. Smith faced a maximum penalty of ten years of imprisonment, a fine of no more than $250,000, or both, and a term of supervised release of no more than three years.

This appears to be the fifth criminal case brought under HIPAA since the privacy rules went into effect in 2003.1 What makes the case especially interesting is that the government charged the employee of the health care clinic, but not the clinic itself (which terminated Smith upon learning of the charges).

The indictment did not include additional charges for fraud or identity theft. As the prosecuting U.S. Attorney Jane W. Duke explained, criminal prosecution of HIPAA violations is a "fairly new concept," but she warned that the federal government intends to pursue HIPAA violations through "vigorous enforcement."2

While HIPAA was enacted in 1996, criminal enforcement of the statute is a relatively recent development. Two federal agencies are charged with enforcing the privacy provisions of HIPAA: the United States Department of Health and Human Services (HHS), the federal agency charged with the civil enforcement of HIPAA, and the U.S. Department of Justice, the federal agency charged with criminal prosecution of HIPAA violations. The two agencies have taken different approaches to enforcing the statute. As a result of this, employees and businesses not originally thought to be covered by HIPAA are now at risk for prosecution. This raises a host of compliance issues for businesses and individuals who have access to protected health information.3

HHS takes the position that only so-called "covered entities" are subject to civil penalties under HIPAA. "Covered entities" are health plans, health care providers, sponsors of Medicare drug discount cards, and health care clearinghouses. HHS has made clear that persons or entities who may otherwise have lawful access to protected health information, but who do not fall within the definition of a "covered entity," are not subject to civil penalties. This would include employees, vendors and third-party administrators. It also includes "business associates" of covered entities, as that term is used in the privacy rule.4

However, for the purposes of criminal enforcement, the Department of Justice has traditionally taken a different position. It has demonstrated its position through a handful of criminal prosecutions as well as a memorandum outlining the basis for such prosecutions.

The HIPAA criminal statute, 42 U.S.C.A. § 1320d-6, reads in pertinent part:

"A person who knowingly and in violation of this part—

  1. uses or causes to be used a unique health identifier;
  2. obtains individually identifiable health information relating to an individual; or
  3. discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section."

"This part" refers to the administrative simplification provisions of HIPAA, under which the HIPAA rules were promulgated. In order to "obtain or disclose" protected health information "in violation of this part," one has to be subject to the HIPAA rules. The rules apply only to "covered entities." There are four kinds of covered entities: health plans, health care providers that engage in electronic standard transactions, sponsors of Medicare drug discount cards, and health care data clearinghouses.5

Logically, this suggests that only covered entities are subject to criminal prosecution.6 However, in June of 2005, the Office of Legal Counsel ("OLC") of the Department of Justice provided guidance on this exact issue in the form of an opinion discussing prosecution of HIPAA privacy violations.7

The OLC opinion confirmed that covered entities (health plans, health care clearinghouses, certain health care providers, and Medicare prescription drug card sponsors) may be prosecuted for criminal liability under Section 1320d-6. Id. The opinion then went on to suggest that "depending on the facts of a given case, certain directors, officers and employees of these entities may also be liable directly under section 1320d-6, in accordance with principles of corporate criminal liability. Other persons may not be liable directly under this provision." In this sense, the OLC opinion identifies a narrow set of persons who may be prosecuted directly under the statute.

However, the OLC opinion suggested that those who may not be prosecuted directly under Section 1320d-6 could still be prosecuted under "principles either of aiding and abetting liability and conspiracy liability." In particular, the OLC opinion referred to language in 18 U.S.C. § 2 (commonly referred to as the "aiding and abetting statute") which allows anyone who "willfully causes an act to be done which if directly performed by him or another would be an offense against the United States," to be punished as a principal.

In addition, the OLC opinion cited the conspiracy statute, 18 U.S.C. § 371, which allows for prosecution "if two or more persons conspire...to commit any offense against the United States...and one or more of such persons do any act to effect the object of the conspiracy." The OLC declined to provide further insight into the use of these federal statutes to criminally prosecute people under HIPAA, indicating that in the "absence of a specific factual context [it] would be unfruitful" to continue the discussion. Id.

The government typically uses the aiding and abetting statute, 18 U.S.C. § 2, to prosecute parties who are accountable for their conduct even though they acted through the agency of others. The statute reads in pertinent part:

"Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal." 18 U.S.C. § 2(b).

Under the aiding and abetting statute then, a defendant may be held guilty for violation of a federal statute, even if he/she was not necessarily in the class of persons to whom a substantive statute is directed.8 For example, courts have applied 18 U.S.C. § 2(b) in various circumstances, including finding an employee of a firearms dealer guilty for causing the violation of 18 U.S.C. § 922, even though the statute applied only to firearms dealers on its face.9

When combining the aiding and abetting statute, Section 2(b), with the HIPAA criminal statute, Section 1320d-6, the result is that if an "employee of a covered entity (who is not himself a covered entity) intentionally causes a wrongful disclosure of a patient's confidential health information, this action, if directly performed by another—that is, by the covered entity—it would constitute an offense against the United States....So long as the underlying conduct would have constituted an offense if it had been committed directly by the covered entity, the employee of the covered entity who was responsible for the conduct is still subject to prosecution as a principal under Section 2(b)."10

This extension of criminal liability to individuals was recently articulated in the American Recovery and Reinvestment Act ("the Act") signed by President Obama on Feb. 17, 2009. The Act included several important changes to the HIPAA privacy and security regulations. Among other things, the Act brought criminal enforcement in line with the OLC's opinion, by amending the criminal provisions of the HIPAA statute to clarify that a person who obtains or discloses protected health information from a covered entity without authorization commits a violation of the criminal provisions of HIPAA. In addition, the Act increased civil penalties for violations of HIPAA, and now includes penalties for violations due to "willful neglect" to observe the obligations of the statute.11

The OLC opinion also suggested that "depending on the specific facts and circumstances, such conduct may also be punishable under other federal laws." These laws include, for example, the statutes dealing with identity theft and fraudulent access to a computer. The Computer Fraud and Abuse Act ("CFAA") states in pertinent part:

"Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5000 in any 1-year period; shall be punished as provided in subsection (c) of this section." 18 U.S.C. § 1030(a)(4). The maximum penalty for violations of 18 U.S.C. § 1030(a)(4) is five years imprisonment. 18 U.S.C. § 1030(c)(3).

It is easy to see how the computer fraud statute could be used in conjunction with the HIPAA criminal statute, since HIPAA violations often involve the unauthorized use of a computer system. For example, an individual can be held liable under the CFAA for "exceeding authorized access" if initial access to a computer is permitted, but access of certain information is not permitted.12 The statute sets forth a minimum damage requirement of $5,000, which can easily be satisfied by taking into account forensic and related costs.13

Likewise, the federal identity fraud statute is suited to prosecuting conduct that might also involve a HIPAA violation. The federal identity fraud statute makes it a crime to "knowingly transfer an identification document, authentication feature, or a false identification document knowing that such document or feature was stolen or produced without lawful authority."14 Thus, the transfer of protected health information in order to facilitate identity theft would implicate this statute, as well.

Since the OLC opinion was published, the government has prosecuted a handful of employees of "covered entities" using exactly the mechanism suggested in the opinion: the aiding and abetting statute. In addition, in certain cases, the government has also alleged violations of the computer fraud and identity fraud criminal statutes as additional ammunition in its fight against HIPAA privacy violations. The government has also brought conspiracy charges but, as is typical in criminal cases, these charges have been used as leverage against co-conspirators who are willing to testify against the target defendant.

For example, in January of 2007, the first criminal HIPAA jury verdict was entered in the case U.S. v. Ferrer. A Florida jury found the defendant, Mr. Fernando Ferrer, guilty of one count of wrongful disclosure of individually identifiable health information, five counts of aggravated identity theft, one count of computer fraud, and one count of conspiring to defraud the United States.15

Mr. Ferrer owned a healthcare administrative company at the time of the violations, and misappropriated the protected data of more than 1,400 patients of a satellite Cleveland Clinic operation. He worked with his cousin, who was an employee of Cleveland Clinic, in order to obtain the protected health information. Ferrer used the information to submit more than $7,000,000 in fraudulent Medicare claims. His cousin pled guilty to conspiracy and testified at trial against Ferrer. Ferrer was sentenced to 87 months in prison, 3 years of supervised release, and ordered to pay more than $2.5 in restitution.16

The other criminal HIPAA cases brought by the government against employees have resulted in guilty pleas. In a 2006 Texas case, an employee of a doctor's office pled guilty to selling the confidential medical information of an FBI agent to a person she believed was working for a drug trafficker. The employee accepted $500 for the information. She was charged solely with a HIPAA criminal violation, and not with a computer fraud violation as well.17

And in what was the first criminal conviction under HIPAA, a Seattle man pled guilty to the wrongful disclosure of individually identifiable health information for economic gain. The defendant was an employee of the Seattle Cancer Care Alliance, and admitted that he obtained a cancer patient's name, date of birth and social security number. He used that information to obtain four credit cards in the patient's name, and purchased a variety of items on those cards, totaling more than $9000.18 Although this was a classic case of identity theft, the defendant was charged only with a criminal HIPAA violation. Interestingly, he never actually disclosed the patient's medical information, but rather used the demographic information contained in medical records to commit identity theft.

In the latest "HIPAA twist," in at least one government investigation we are aware of, the government has alleged that reviewing patient files with a sales representative could potentially expose a company to criminal liability under HIPAA. At best, this is a tortured interpretation of HIPAA, but it may also reflect the government's increasing use of potential HIPAA violations as an "add on" to larger criminal cases.

Celebrities are often the victims of privacy violations. In April of this year a former administrative specialist at UCLA Medical Center was indicted by a federal grand jury for allegedly selling private medical information about actress Farrah Fawcett to a national media news outlet, in violation of Section 1320d-6 and 18 U.S.C. § 2(b). According to the indictment, Ms. Jackson received at least $4,600 from a national news publication through checks made out to her husband. Ms. Fawcett and her lawyers alleged that Ms. Jackson leaked protected health information about her fight with cancer to certain tabloids. The former employee faces up to 10 years in prison. It is not clear whether the government will prosecute the national media outlet (widely believed to be the National Enquirer), but the company could potentially face conspiracy charges for aiding and abetting Jackson.19

In the same month, 14 UCLA workers resigned, retired or were fired and nine physicians were suspended, after an internal audit found they had unlawfully accessed Britney Spears' health records. Apparently an internal audit conducted by the university health system revealed that hospital workers had improperly viewed health records of more than 60 patients, mostly celebrities and politicians.20

Part of the problem may have been shared records between the various hospitals within the UCLA health system, including the UCLA Medical Center. An audit conducted by the California Department of Public Health ("CDPH") revealed that within two days of Spears' admission for the birth of her first son at the Santa Monica facility, workers there and at the UCLA Medical Center (who had access through a shared medical records system) accessed her records.21

As a result of these actions on the part of employees, the UCLA health system was cited by the CDPH for a number of deficiencies, including 1) failure to maintain the privacy and confidentiality of a patient's medical records; 2) failure to report a breach of confidentiality to CDPH; 3) failure to maintain a separate and distinct medical records information system; and 4) failure to safeguard medical records against use by unauthorized individuals.

UCLA is now obligated to develop and maintain a corrective action plan, which includes a new training module focused solely on patient privacy that reinforces HIPAA requirements, a new process for handling high-profile patients' permanent aliases, and a new portal in the medical records system that gives a HIPAA compliance warning and includes a "reason for access" question that asks the user why he or she is accessing the record.22
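The UCLA findings above describe two controls a records system can support: an audit that spots record access by staff with no treatment relationship (the pattern that surfaced the celebrity-record viewing), and a "reason for access" prompt whose answers become part of the audit trail. The following Python is an added illustration of how such an audit review can be run over access logs; it is not code from the article, from UCLA, or from any EHR vendor. The log layout, the care-team table, the restricted-record flag, the field names and every sample entry are constructed for this example.

```python
"""Added example: reviewing medical-record access logs for access outside a
treatment relationship and for bursts of viewing on a single record.
All record layouts and sample data below are constructed, not real."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime        # when the record was opened
    user: str           # workforce member's login
    facility: str       # site the user was working at
    patient_id: str     # record that was opened
    reason: str         # answer to the "reason for access" prompt; "" if none given


# Constructed reference data: who is on each patient's care team, and which
# records carry a restricted (high-profile) flag.
CARE_TEAM = {
    "P-1001": {"dr.lee", "rn.ortiz"},
    "P-1002": {"dr.lee"},
}
RESTRICTED_PATIENTS = {"P-1001"}


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample log: a restricted patient admitted at one site, whose
# record is then opened by staff at a second site through a shared system.
SAMPLE_LOG = [
    AccessEvent(_t("2008-01-05T09:00"), "dr.lee",     "santa-monica", "P-1001", "attending physician"),
    AccessEvent(_t("2008-01-05T09:15"), "rn.ortiz",   "santa-monica", "P-1001", "nursing assessment"),
    AccessEvent(_t("2008-01-05T13:40"), "clerk.wong", "westwood",     "P-1001", ""),
    AccessEvent(_t("2008-01-06T08:05"), "tech.diaz",  "westwood",     "P-1001", "curious"),
    AccessEvent(_t("2008-01-06T11:30"), "rn.patel",   "westwood",     "P-1001", ""),
    AccessEvent(_t("2008-01-07T10:00"), "dr.lee",     "santa-monica", "P-1002", "follow-up visit"),
    AccessEvent(_t("2008-01-20T16:00"), "rn.ortiz",   "santa-monica", "P-1002", "covering for dr.lee"),
]


def find_unjustified_access(events, care_team=CARE_TEAM, restricted=RESTRICTED_PATIENTS):
    """Return (user, patient_id, severity, note) for each access by someone
    outside the patient's care team. Access to a restricted record, or access
    with no stated reason, raises severity to "high"; otherwise "medium"
    (queued for manual review, since the stated reason may be legitimate)."""
    findings = []
    for e in events:
        if e.user in care_team.get(e.patient_id, set()):
            continue  # treatment relationship on file: nothing to review
        notes = ["no treatment relationship"]
        if e.patient_id in restricted:
            notes.append("restricted record")
        if not e.reason.strip():
            notes.append("no reason given")
        severity = "high" if len(notes) > 1 else "medium"
        findings.append((e.user, e.patient_id, severity, "; ".join(notes)))
    return findings


def find_access_bursts(events, window=timedelta(days=2), min_users=3):
    """Flag patients whose record was opened by at least `min_users` distinct
    users within any `window`. Returns {patient_id: (user_count, facility_count)},
    keeping the largest burst seen for each patient."""
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e.patient_id].append(e)
    bursts = {}
    for pid, evs in by_patient.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            users = {e.user for e in in_window}
            if len(users) >= min_users:
                facilities = {e.facility for e in in_window}
                bursts[pid] = max(bursts.get(pid, (0, 0)), (len(users), len(facilities)))
    return bursts


if __name__ == "__main__":
    for f in find_unjustified_access(SAMPLE_LOG):
        print("REVIEW", *f)
    for pid, (users, facilities) in find_access_bursts(SAMPLE_LOG).items():
        print(f"BURST {pid}: {users} distinct users across {facilities} facilities")
```

On the constructed log, the review flags the three Westwood users who opened the restricted record with no care relationship, and the burst check reports five distinct users across two facilities within two days, which is the shape of the shared-records finding described above. The "reason for access" answer is deliberately treated as audit evidence rather than as authorization: a free-text prompt deters casual browsing and documents intent, but only the care-team check decides whether the access needs review.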

Given the government's newfound enforcement mechanism to criminally prosecute employees who wrongfully disclose individually identifiable health information for economic gain, health care providers need to review their privacy and information security programs to ensure patients' privacy. As these cases reveal, small physician practices and clinics are just as likely to be targeted as larger hospitals and medical groups.

It is vitally important for health care entities to implement an effective and flexible information security compliance program. Any such program should seek to reduce the ability of employees to engage in criminal conduct. As such, a compliance program should include, at a minimum, a strong message that the employer will not tolerate privacy violations, and the distribution of materials regarding the criminal implications of intentional HIPAA violations and the misuse of computer systems.


1 See Amy Lynn Sorrel, American Medical Association, July 14, 2008, "Criminal HIPAA case targets employee, not clinic, for breach."

2 U.S. Department of Justice Press Release, April 15, 2008, "Nurse Pleads Guilty to HIPAA Violation."

3 John Aloysius Cogan, Jr., "Federal Agencies Diverge on the Application of HIPAA's Civil and Criminal Penalties," New England In-House, October 2004.

4 In a very recent and noteworthy civil investigation brought by HHS and the Federal Trade Commission ("FTC"), CVS Pharmacy settled allegations of improper disposal of identifying patient information on pill bottle labels for $2.25 million. The company also signed a consent order, which applies to all of its 6,000 pharmacies, to implement a robust corrective action plan, including safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.

5 The privacy regulations also seek to protect the confidentiality of medical information that is disclosed to business associates—those companies that perform important functions for covered entities—by requiring a covered entity to enter into a written agreement guaranteeing the same level of confidentiality for medical information as the covered entity is required to provide. See 42 C.F.R. § 164.504(e)(2)(ii)(A).

6 This issue is discussed by Peter A. Winn, Assistant United States Attorney, "Who is Subject to Criminal Prosecution under HIPAA," available at http://www.abanet.org/health/01_interest_groups/01_ehealth.html.

7 See U.S. Department of Justice, "Memorandum for Alex M. Azar, II, General Counsel, Department of Health and Human Services, from Timothy J. Coleman, Senior Counsel to the Deputy Attorney General, Re: Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6" (June 1, 2005).

8 United States v. Odem, 736 F. 2d 150 (5th Cir. 1984).

9 See U.S. v. Scannapieco, 611 F. 2d 619 (5th Cir. 1980).

10 Winn, supra note 6.

11 Previously, civil violations of HIPAA could only be enforced through the Secretary of Health and Human Services. Under the new Act, HIPAA violations are now enforceable in civil actions brought by state attorney generals, both to enjoin violations and to obtain damages.

12 Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008).

13 18 U.S.C. §1030(a)(4) is the only section of the computer fraud statute which has been used in HIPAA criminal convictions.

14 18 U.S.C. § 1028(a)(2).

15 United States Attorney's Office, Southern District of Florida, Press Release, May 3, 2007.

16 Id.

17 Department of Justice Press Release, "Alamo Women Convicted of Selling FBI Agent's Medical Records," March 7, 2006; see also Indictment for United States v. Liz Arlene Ramirez, Case No. M-05-708, United States Southern District of Texas.

18 Plea Agreement, United States v. Richard W. Gibson, case number CR04-0374 RSM, United States District Court, Western District of Washington.

19 Charles Ornstein, "Ex Worker Indicted in Celebrity Patient Leaks," Los Angeles Times, April 30, 2008.

20 Jennifer Steinhauer, "California Hospital Faces Sanctions After Workers Wrongly Looked at Patient Records," New York Times, April 8, 2008.

21 Atlantic Information Services Health Business Daily, "UCLA System Facilities are Cited by State for Patient Privacy Breaches," June 23, 2008.

22 Id.


This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.
