Per section 1177 of HIPAA, a person who knowingly

• uses a unique health identifier, or causes one to be used;

• obtains individually identifiable health information relating to an individual; or

• discloses individually identifiable health information to another person;

is in violation of HIPAA regulations. Such persons are subject to the following penalties:

• a fine of up to $50,000, or up to 1 year in prison, or both;

• if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both;

• if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000, or up to 10 years in prison, or both.

HIPAA also provide for civil fines to be imposed by the Secretary of DHHS "on any person" who violates a provision of it. The maximum is $100 for each violation, with the total amount not to exceed $25,0000 for all violations of an identical requirement or prohibition during a calendar year.

Last modified: 11-May-2005 [RC]