The Health Law Sidebar
September 4, 2014

Expanding Their Arsenal: Criminal Prosecution of HIPAA Breaches on the Rise

Over the past year, the Office of Civil Rights (“OCR”) has taken a more aggressive stance in enforcing the provisions of the Health Insurance Portability and Accountability Act (HIPAA).  The largest settlement for a data breach to date was just announced earlier this year between OCR and New York Presbyterian Hospital and Columbia University. However, high civil penalties are not the only concern anymore – individuals who commit a breach are also subject to criminal prosecutions.

Earlier this year, the U.S. Attorney for the Eastern District of Texas, John M. Bales, announced that his office had indicted Joshua Hippler, a former employee of an East Texas hospital, for criminal violations of HIPAA.  The indictment alleges that the individual, then an employee of the hospital, obtained protected health information (“PHI”) and sought to use it for his own personal gain. (Press release can be found here.) On August 29, 2014, the U.S. Attorney Bales announced that Mr. Hippler has pleaded guilty to the criminal violation of HIPAA and faces up to ten years in prison. (Press release can be found here.)

Individuals can be charged with criminal violations of HIPAA pursuant to 42 U.S.C. §1320d-6 when “[a] person who knowingly…(1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or  (3) discloses individually identifiable health information to another person.”.  Criminal penalties include “(1) be[ing] fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.”

While the prosecution of Hippler is not the first criminal enforcement for a HIPAA breach, it is notable because it is the first in some time and, with his plea, Hippler faces stiffer penalties than seen before.  Previous convictions include Chelsea Stewart who was sentenced to more than three years in prison for stealing PHI of more than 4,000 patients from an Alabama hospital (Press release is located here), as well as Matthew Paul Brown, posing as a fake doctor, who was sentenced to over 5 years for health care fraud and wrongful disclosure of PHI.  (Press release can be found here.)  Other convictions have included pleas for misdemeanors for providers accessing a patient’s record without a legitimate purpose (here), probation for an individual disclosing names and social security numbers in filing unauthorized tax returns (here), and six years in prison for an individual who “engaged in criminal conspiracy to commit health care fraud that resulted in HIPAA violations and aggravated identify theft” (here).

The recent case of Mr. Hippler is a prime example of more aggressive enforcement of HIPAA breaches and shows the other types of criminal penalties individuals could face in addition to fines.  In addition to the criminal conviction or plea, which has serious consequences on its own, the criminal penalties violators are now facing are substantial and recent enforcements indicate that prosecutors are seeking stiffer penalties for criminal violations.  So far only individuals have been prosecuted criminally for HIPAA violations but entities are not immune from prosecution.  With the shift towards electronic records, it could be a prime area for enforcement against corporate entities who knowingly fail to take proper security measures as required.

For more information, please contact the author, Danielle Holley.  She can be reached by calling (518) 462-5601 or by email at