Enforcement of the HIPAA Privacy and Security Rules

Prepared for Members and Committees of Congress
P.L. 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), directed
HHS to adopt standards to facilitate the electronic exchange of health information for certain
financial and administrative transactions. The HIPAA Privacy Rule was adopted by HHS as the
national standard for the protection of individually identifiable health information. It regulates the
use and disclosure of protected health information by health plans, health care clearinghouses,
and health care providers who transmit financial and administrative transactions electronically;
establishes a set of basic consumer protections; permits any person to file an administrative
complaint for violations; and authorizes the imposition of civil or criminal penalties. Enforcement
of the Privacy Rule began in 2003.
On March 16, 2006, the Final HIPAA Administrative Simplification Enforcement Rule went into
effect. The Enforcement Rule has both procedural and substantive provisions, and is applicable to
all HIPAA administrative simplification standards. The Enforcement Rule establishes procedures
for the imposition of civil money penalties on entities that violate rules adopted by the Secretary
to implement the Administrative Simplification provisions of HIPAA. It also amends existing
rules relating to the process for imposition of civil money penalties, and clarifies the investigation
process, the bases for liability, determination of the penalty amount, grounds for waiver, conduct
of the hearing, and the appeal process.
Lawmakers and others are examining the statutory and regulatory framework for enforcement of
the HIPAA Administrative Simplification standards, and ways to ensure that agencies use their
enforcement authority to the fullest extent under HIPAA to address improper uses and disclosures
of protected health information. The privacy and security of health information is also recognized
as a critical element of transforming the health care system through the use of health information
technology. For further information on this topic, see CRS Report RS22760, Electronic Personal
Health Records, by Gina Marie Stevens.
This report discusses enforcement of the HIPAA administrative simplification provisions by HHS
and DOJ, and provides an overview of the HIPAA Administrative Simplification Enforcement
Rule. This report will be updated when warranted.

Background
  Civil Money Penalties
  Criminal Penalties
  Scope of Criminal Enforcement
The HIPAA Privacy Rule
  Covered Entities
  Protected Health Information
  Uses and Disclosures
The HIPAA Security Rule
The HIPAA Administrative Simplification Enforcement Rule
  Voluntary Cooperation
  Complaints to the Secretary
  Compliance Reviews
  Responsibilities of Covered Entities
  Secretarial Action
  Affirmative Defenses
  Civil Money Penalties
  Criminal Referrals
Criminal Enforcement Actions
  United States v. Gibson
  United States v. Ramirez
  United States v. Ferrer and Machado
HIPAA Enforcement Activity
Author Contact Information

Background

In 1996, Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1] to “improve portability and continuity of health insurance coverage in the group and individual markets.”[2] Congress enacted HIPAA to guarantee the availability and renewability of health insurance coverage and limit the use of pre-existing condition restrictions. HIPAA also included tax provisions related to health insurance and administrative simplification provisions requiring issuance of national standards to facilitate the electronic transmission of health information.
Part C of HIPAA[3] requires “the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.”[4] Such standards are required to be consistent with the objective of reducing the administrative costs of providing and paying for health care.
These Administrative Simplification provisions require the Secretary of HHS to adopt national standards to facilitate the electronic exchange of information for certain financial and administrative transactions; select or establish code sets for data elements; protect the privacy of individually identifiable health information; maintain administrative, technical, and physical safeguards for the security of health information; provide unique health identifiers for individuals, employers, health plans, and health care providers; and to adopt procedures for the use of electronic signatures.[5]
Health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically are required to use standardized data elements and comply with the national standards and regulations promulgated pursuant to Part C.[6] Failure to comply with the regulations may subject the covered entity to civil or criminal penalties.
This report provides an overview of the statutory and regulatory enforcement scheme (under the
recently issued Final Enforcement Rule) for the Administrative Simplification provisions of
HIPAA. In addition, it summarizes recent enforcement actions by HHS and DOJ.
Civil Money Penalties

Under HIPAA, the Secretary is required to impose a civil monetary penalty (CMP) on any person failing to comply with the Administrative Simplification provisions in Part C.[7] The maximum

1 P.L. 104-191, 110 Stat. 1936 (1996), codified in part at 42 U.S.C. §§ 1320d et seq.
2 H.Rept. 104-496, at 1, 66-67, reprinted in 1996 U.S.C.C.A.N. 1865, 1865-66.
3 42 U.S.C. §§ 1320d—1320d-8.
4 110 Stat. 2021.
5 42 U.S.C. §§ 1320d-2(a)-(d). HHS has issued final regulations to adopt national standards for transactions and code
sets, privacy, security, and employer identifiers. See Administrative Simplification Under HIPAA: National Standards
for Transactions, Privacy and Security, at http://www.hhs.gov/news/press/2002pres/hipaa.html.
6 42 U.S.C. § 1320d-4(b) requires compliance with the regulations within a certain time period by “each person to
whom the standard or implementation specification [adopted or established under sections 1320d-1 and 1320d-2]
applies.”
7 42 U.S.C. § 1320d-5(a).

civil money penalty (i.e., the fine) for a violation of an administrative simplification provision is $100 per violation and up to $25,000 for all violations of an identical requirement or prohibition during a calendar year.[8]
A number of procedural requirements that are relevant to the imposition of CMPs for violations of the Administrative Simplification standards are incorporated by reference in HIPAA[9] from the general civil money penalty provision in 42 U.S.C. § 1320a-7a.[10] The Secretary may not initiate a CMP action “later than six years after the date” of the occurrence that forms the basis for the CMP action.[11] The Secretary may initiate a CMP by serving notice in a manner authorized by Rule 4 of the Federal Rules of Civil Procedure (Commencement of Action). The Secretary must give written notice to the person on whom he wishes to impose a CMP and an opportunity for a determination to be made “on the record after a hearing at which the person is entitled to be represented by counsel, to present witnesses, and to cross-examine witnesses against the person.”[12] Judicial review of the Secretary’s determination and the issuance and enforcement of subpoenas is available in the United States Court of Appeals.[13]
A CMP may not be imposed with respect to an act that constitutes criminal disclosure of individually identifiable information;[14] “if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provisions”;[15] or if “the failure to comply was due to reasonable cause and not to willful neglect” and is corrected within 30 days after learning of the violation.[16] The Secretary may provide technical assistance during such period. A CMP may be reduced or waived “to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.”[17]
Three specific affirmative defenses bar the imposition of civil money penalties: (1) the act is a criminal offense under HIPAA’s criminal penalty provision—wrongful disclosure of individually identifiable health information; (2) the covered entity did not have actual or constructive knowledge of the violation; and (3) the failure to comply was due to reasonable cause and not to willful neglect, and the failure to comply was corrected during a 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.[18]
The Office of Civil Rights (OCR) in HHS is responsible for enforcing the Privacy Rule.[19] OCR has said that any civil penalties imposed will only affect covered entities; in other words, a

8 42 U.S.C. § 1320d-5(a)(1).
9 42 U.S.C. § 1320d-5(a)(2).
10 Except for the subsections addressing the imposition of civil money penalties for improperly filed claims, payments
to induce a reduction or limitation of services, and the recovery and use of funds.
11 42 U.S.C. § 1320a-7a(c)(1).
12 42 U.S.C. § 1320a-7a(c)(2).
13 42 U.S.C. § 1320a-7a(e).
14 42 U.S.C. § 1320d-5(b)(1).
15 42 U.S.C. § 1320d-5(b)(2).
16 42 U.S.C. § 1320d-5(b)(3).
17 42 U.S.C. § 1320d-5(b)(4).
18 42 U.S.C. § 1320d-5(b)(1)(4).
19 65 Fed. Reg. 82381.

member of a workforce who is not a covered entity appears not to be subject to civil sanctions by OCR.
Criminal Penalties

HIPAA establishes criminal penalties for any person who knowingly and in violation of the Administrative Simplification provisions of HIPAA uses a unique health identifier or obtains or discloses individually identifiable health information.[20] Enhanced criminal penalties may be imposed if the offense is committed under false pretenses, with intent to sell the information or reap other personal gain.
The penalties include (1) a fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is “under false pretenses,” a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.[21] These penalties do not affect any other penalties that may be imposed by other federal programs.
Scope of Criminal Enforcement

In 2005, the Justice Department Office of Legal Counsel (OLC) addressed which persons may be prosecuted under HIPAA.[22] Based on its reading of the plain terms of the statute, the privacy regulations, and Executive Order 13,141 (To Protect the Privacy of Protected Health Information in Oversight Investigations), OLC concluded that only a covered entity could be criminally liable “in violation of this part.”[23] Because Part C applies only to covered entities and mandates

20 42 U.S.C. § 1320d-6(a). Wrongful disclosure of individually identifiable health information
(a) Offense
A person who knowingly and in violation of this part
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section.
(b) Penalties
A person described in subsection (a) of this section shall—
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned
not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for
commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than
10 years, or both. 42 U.S.C. § 1320d-6.
21 42 U.S.C. § 1320d-6(b).
22 U.S. Department of Justice, Scope of Criminal Enforcement Under 42 U.S.C. §1320d-6, June 1, 2005 at
http://www.justice.gov/olc/hipaa_final.htm.
23 OLC’s opinion limiting direct liability under the HIPAA criminal statute to covered entities was widely criticized.
Critics believed that such an interpretation would result in weak enforcement of the HIPAA standards. See Robert Pear,
Ruling Limits Prosecutions of People Who Violate Law on Medical Records, New York Times (June 7, 2005); Peter P.
(continued...)

compliance only by covered entities, OLC concluded that direct liability for violations of section 1320d-6 was limited to covered entities (health plans, health care clearinghouses, those health care providers specified in the statute, and Medicare prescription drug card sponsors); and depending on the facts of a given case, certain directors, officers, and employees of these entities may be liable directly under section 1320d-6, based on general principles of corporate criminal liability.[24] Other persons who obtain protected health information in a manner that causes a covered entity to release the information in violation of HIPAA, including recipients of protected information, may not be liable directly. The liability of persons for conduct that may not be prosecuted directly under section 1320d-6 is to be determined by principles of aiding and abetting liability under 18 U.S.C. § 2[25] and of conspiracy liability under 18 U.S.C. § 371.[26] OLC also noted that such conduct may be punishable under other federal laws, such as identity theft under 18 U.S.C. § 1028[27] and fraudulent access of a computer under 18 U.S.C. § 1030.[28]
The Office of Legal Counsel also considered what the “knowingly” element of the offense requires and concluded that the “knowingly” element is best read, consistent with its ordinary meaning, to require only proof of knowledge of the facts that constitute the offense.[29]

The HIPAA Privacy Rule

To carry out the requirements of Part C, the HIPAA Privacy Rule, 45 C.F.R. Parts 160 and 164, was adopted as the national standard for the protection of individually identifiable health information.[30] Enforcement of the Privacy Rule began on April 14, 2003, except that for small

(...continued)
Swire, Justice Department Opinion Undermines Protection of Medical Privacy, Center for American Progress (June 7,
2005), at http://www.americanprogress.org/issues/2005/06/b743281.html; Peter A. Winn, Who Is Subject to Criminal
Prosecution under HIPAA?, at
http://www.abanet.org/health/01_interest_groups/01_media/WinnABA_2005-11.pdf.
24 According to OLC under general principles of corporate criminal liability, the conduct of an entity’s agents may be
imputed to the entity when the agents act within the scope of their employment, and the criminal intent of agents may
be imputed to the entity when the agents act on its behalf.
25 § 2. Principals
(a) Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its
commission, is punishable as a principal.
(b) Whoever willfully causes an act to be done which if directly performed by him or another would be an offense
against the United States, is punishable as a principal.
26 § 371. Conspiracy to commit offense or to defraud United States
If two or more persons conspire either to commit any offense against the United States, or to defraud the United States,
or any agency thereof in any manner or for any purpose, and one or more of such persons do any act to effect the object
of the conspiracy, each shall be fined under this title or imprisoned not more than five years, or both.
If, however, the offense, the commission of which is the object of the conspiracy, is a misdemeanor only, the
punishment for such conspiracy shall not exceed the maximum punishment provided for such misdemeanor.
27 See CRS Report RL31919, Federal Laws Related to Identity Theft, by Gina Marie Stevens.
28 See CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related
Federal Criminal Laws, by Charles Doyle.
29 U.S. Department of Justice, Scope of Criminal Enforcement Under 42 U.S.C. §1320d-6, June 1, 2005, at
http://www.justice.gov/olc/hipaa_final.htm.
30 The Privacy Rule went into effect on April 14, 2001. On August 14, 2002, HHS published a modified Privacy Rule.
67 Fed. Reg. 53181 available at http://www.hhs.gov/ocr/hipaa/finalreg.html.

health plans with annual receipts of $5 million or less, enforcement began April 2004. The Office of Civil Rights (OCR) in HHS is responsible for enforcing the Privacy Rule.[31] The Centers for Medicare and Medicaid Services (CMS) has delegated authority to enforce the non-privacy HIPAA standards, including the Security Rule.[32]
Covered Entities

Because of the explicit language of HIPAA, the Privacy Rule applies only to a specified set of “covered entities”: (1) health plans, (2) health care clearinghouses, and (3) health care providers who transmit information in electronic form in connection with standard transactions governed by the Administrative Simplification provisions.[33] Medicare prescription drug sponsors were added to the list of “covered entities” in 2003.[34] Excluded from the definition of covered entities are employees of covered entities. Business associates of covered entities are subject to certain aspects of the Privacy Rule.[35]
Protected Health Information

The Privacy Rule applies to protected health information that is individually identifiable health information “created or received by a health care provider, health plan, or health care clearinghouse” that “[r]elates to the ... health or condition of an individual” or to the provision of or payment for health care.[36]
Uses and Disclosures

The HIPAA Privacy Rule[37] governs the use and disclosure of protected health information by HIPAA-covered entities (health plans, health care providers, and health care clearinghouses). The Rule requires a covered entity to obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.[38] A covered entity is required to disclose protected health information in two situations: (1) to individuals when they request access to or an accounting of disclosures of their protected health information; and (2) to HHS for compliance review or enforcement action. The HIPAA Privacy Rule permits use and disclosure of

31 The Secretary of Health and Human Services recently delegated to the Director of OCR the authority to issue
subpoenas in investigations of alleged violations of the HIPAA Privacy Rule. 72 Fed. Reg. 18,999 (April 16, 2007).
32 68 Fed. Reg. 60694.
33 42 U.S.C. §§ 1320d-1(a)(1)-(3) (Any standard adopted under this part shall apply, in whole or in part, to the
following persons: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any
health information in electronic form in connection with a transaction referred to in section 1320d-2(a)(1) of this
title.”).
34 42 U.S.C. § 1320d-1(a); 45 C.F.R. §§ 164.104(a)(1)-(3). The Medicare Prescription Drug Improvement and
Modernization Act of 2003, P.L. 108-173, § 101(a)(2), 117 Stat. 2071, 2144 (2003), codified at 42 U.S.C. § 1395w-
14(h)(6).
35 45 C.F.R. § 164.530(e)(2)(ii)(A).
36 45 C.F.R. § 160.103.
37 45 C.F.R. § 160 and 164.
38 45 C.F.R. § 164.508.

protected health information, without an individual’s authorization or consent, for 12 national priority purposes.[39]

The HIPAA Security Rule

Regulations governing security standards under HIPAA require health care covered entities to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information; to protect against any reasonably anticipated threats or hazards to the security or integrity of such information, as well as protect against any unauthorized uses or disclosures of such information.[40] The Centers for Medicare and Medicaid Services (CMS) has been delegated authority to enforce the HIPAA Security Standard.[41]
The Security Rule applies only to protected health information in electronic form (EPHI), and requires a covered entity to ensure the confidentiality, integrity, and availability of all EPHI the covered entity creates, receives, maintains, or transmits. Covered entities must protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and ensure compliance by its workforce.[42]
The Security Rule allows covered entities to consider such factors as the cost of a particular
security measure, the size of the covered entity involved, the complexity of the approach, the
technical infrastructure and other security capabilities in place, and the nature and scope of
potential security risks. The Rule establishes “standards” in three categories—administrative,
physical, and technical—that covered entities must meet, accompanied by implementation
specifications for each standard.
The Security Rule requires covered entities to enter into agreements with business associates who
create, receive, maintain or transmit EPHI on their behalf. Under such agreements, the business
associate must: implement administrative, physical and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity and availability of the covered entity’s
electronic protected health information; ensure that its agents and subcontractors to whom it
provides the information do the same; and report to the covered entity any security incident of
which it becomes aware. The contract must also authorize termination if the covered entity
determines that the business associate has violated a material term. A covered entity is not liable
for violations by the business associate unless the covered entity knew that the business associate
was engaged in a practice or pattern of activity that violated HIPAA, and the covered entity failed
to take corrective action.

39 45 C.F.R. 164.512.
40 HIPAA Security Standards for the Protection of Electronic Personal Health Information, 45 C.F.R. Part 164.
41 See generally, Centers for Medicare and Medicaid Services, Security Materials at http://www.cms.hhs.gov/
EducationMaterials/04_SecurityMaterials.asp#TopOfPage.
42 45 C.F.R. § 164.306(a).

The HIPAA Administrative Simplification Enforcement Rule

On February 16, 2006, HHS published the Final Enforcement Rule, with both procedural and substantive provisions, applicable to all HIPAA administrative simplification standards in Part C.[43] The final rule went into effect March 16, 2006. The following discussion summarizes the main provisions of the Enforcement Rule.
Voluntary Cooperation

With respect to ascertaining compliance with and enforcement of the administrative simplification provisions, the Secretary of HHS is to seek the voluntary cooperation of covered entities. Enforcement and other activities to facilitate compliance include the provision of technical assistance, responding to questions, providing interpretations and guidance, responding to state requests for preemption determinations, and investigating complaints and conducting compliance reviews.
Complaints to the Secretary

The Privacy Rule permits any person to file an administrative complaint for violations.[44] It did not create a private right of action for individuals to sue to remedy privacy violations.[45] Individuals must direct their complaints to the HHS Office for Civil Rights (OCR) or to the covered entity.[46] An individual may file a complaint with the Secretary if the individual believes that the covered entity is not complying with the administrative simplification provisions.[47] Complaints to the Secretary may be filed only with respect to alleged violations occurring on or after April 14, 2003. The Secretary’s investigation may include a review of the policies, procedures, or practices of the covered entity, and of the circumstances regarding the alleged acts or omissions.[48]
Compliance Reviews

The Secretary is also authorized to conduct compliance reviews.[49] According to OCR, it is conducting Privacy Rule compliance reviews only where compelling and unusual circumstances demand.[50]

43 71 Fed. Reg. 8390, 45 CFR § 160.300 et seq.
44 45 CFR § 160.306.
45 Several federal district courts have held that HIPAA did not create a privately enforceable right of action, and one
federal appellate court has also recently upheld that finding. See Acara v. Banks, 470 F.3d 569 (5th Cir. 2006).
46 OCR maintains a website with information on the regulation, including guidance at http://www.hhs.gov/ocr/hipaa/.
HHS also issued a 20-page “Summary of the HIPAA Privacy Rule,” at http://www.hhs.gov/ocr/privacysummary.pdf.
47 45 CFR § 160.306.
48 The Secretary has delegated to the Office for Civil Rights (OCR) the authority to receive and investigate complaints
as they may relate to the Privacy Rule. 65 Fed. Reg. at 82,474, 82,487.
49 45 CFR § 160.308.

Responsibilities of Covered Entities

Covered entities are required to provide records and compliance reports to the Secretary to determine compliance, and to cooperate with complaint investigations and compliance reviews.[51]
Secretarial Action

In cases where no violation is found, the Secretary is to inform the covered entity and the complainant in writing. In cases where an investigation or compliance review has indicated noncompliance, the Secretary is to inform the covered entity and the complainant in writing, and attempt to resolve the matter informally.[52] If the Secretary determines that the matter cannot be resolved informally, the Secretary may issue written findings documenting the noncompliance. The covered entity has 30 days to respond to the Secretary’s findings and must be given an opportunity to submit written evidence of any mitigating factors or affirmative defenses, as it proceeds to the civil monetary penalty phase. Finally, the Rule includes a provision that prohibits covered entities from threatening, intimidating, coercing, discriminating against, or taking any other retaliatory action against anyone who complains to HHS or otherwise assists or cooperates in the HIPAA enforcement process.[53] Actions must be brought by the Secretary within six years from the date of the violation.
Affirmative Defenses

Three specific affirmative defenses would bar the imposition of civil money penalties: (1) the violation is a criminal offense under HIPAA—wrongful disclosure of individually identifiable health information; (2) the covered entity did not have actual or constructive knowledge of the violation; or (3) the failure to comply was due to reasonable cause and not to willful neglect, and was corrected during a 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.[54] With respect to the first two defenses, the Secretary may waive the civil money penalty if it would be excessive in relation to the violation.

(...continued)
50 U.S. Department of Health and Human Services, Fiscal Year 2008, Office for Civil Rights, Justification of Estimates
for Appropriations Committees, p. 37, at http://www.hhs.gov/ocr/CJFY2008.pdf. For more recent information on the
activities of OCR, see, Fiscal Year 2009 Justification of Estimates for Appropriations Committees at
http://www.hhs.gov/ocr/CJ2009.pdf.
51 45 CFR § 160.310.
52 45 CFR § 160.312. Presumably it was pursuant to this authority that HHS entered into the resolution agreement with
Providence Health & Services.
53 45 CFR § 160.316.
54 45 CFR § 160.410.

Civil Money Penalties

The Enforcement Rule provides that the “Secretary will impose a civil money penalty upon a covered entity if the Secretary determines that the covered entity has violated an administrative simplification provision.”[55]
The Secretary is required to provide notice of a proposed penalty to the covered entity, and the respondent has a right to request a hearing before an Administrative Law Judge within 90 days.[56] If the respondent fails to request a hearing, the Enforcement Rule states that “the Secretary will impose the proposed penalty or any lesser penalty permitted by 42 U.S.C. 1320d-5.”[57] Once a penalty has become final, the Secretary is obligated to notify the public, state, and local medical and professional organizations; state agencies administering health care programs; utilization and quality peer review organizations; and state and local licensing agencies and organizations.
To determine the number of “violations” to compute the amount of the civil penalty, the Secretary is to base the decision upon the nature of the covered entity’s obligation to act or not under the violated provision.[58] The Rule also provides that HHS may consider the following aggravating or mitigating factors when determining the amount of the penalty: the nature of the violation; the circumstances under which the violation occurred; the degree of culpability; any history of prior compliance, including violations; the financial condition of the covered entity; and such “other matters as justice may require.”[59] The Secretary is authorized to settle any issue or case or to compromise any penalty.
Criminal Referrals

HHS refers to DOJ, for criminal investigation, appropriate cases involving the knowing disclosure or obtaining of individually identifiable health information in violation of the Privacy Rule.

Criminal convictions have been obtained in three cases involving employees of covered entities
who improperly obtained protected health information. Two of the HIPAA criminal cases were
brought after the OLC legal opinion limiting direct liability for violations to covered entities.60

55 45 CFR § 160.402.
56 Provision is also made for an administrative appeal of the ALJ’s decision to the HHS Departmental Appeals Board,
and judicial review of the Board’s final decision.
57 45 CFR § 160.422.
58 45 CFR § 160.406.
59 45 CFR § 160.408.
60 Atlantic Information Services, Inc., HIPAA Criminal Cases Against Individuals Proceed Despite DOJ Memo, at
http://www.aishealth.com/Compliance/Hipaa/RPP_HIPAA_Cases_Proceed.html
The first case prosecuted by a U.S. Attorney’s Office under the HIPAA criminal statute involved a
Seattle phlebotomist employed at a cancer center who was sentenced to 16 months in prison and 3
years of supervised release in 2004 for stealing credit card information from a cancer patient,
charging $9,000 worth of merchandise on it, and using that information to obtain credit cards in
the defendant’s name.61 The defendant was ordered to pay restitution in the amount of $15,000.
The U.S. Attorney’s Office in Seattle chose to prosecute the identity theft as a criminal HIPAA
violation62 because the information had been collected from a patient,63 instead of prosecuting
the defendant for identity theft. Specifically, the defendant was charged with and pled guilty to
the wrongful disclosure of individually identifiable health information for economic gain in
violation of 42 U.S.C. § 1320d-6(a)(3) and (b)(3). It is notable that the defendant was not a
covered entity but a member of the covered entity’s workforce who was not acting within the
scope of his employment. The OLC legal opinion was issued after the defendant’s conviction.
In 2006, a Texas woman employed in the office of a doctor who had a contract to provide
physicals and medical treatment to FBI agents was convicted of selling an FBI agent’s medical
records for $500.64 The defendant pled guilty to the federal felony offense of wrongfully using a
unique health identifier intending to sell individually identifiable health information for personal
gain, 42 U.S.C. § 1320d-6(a)(1) and (b)(3), and of violating 18 U.S.C. § 2.65 She was sentenced
to six months in jail and four months of home confinement, to be followed by a two-year term of
supervised release.66 The defendant was also ordered to pay a criminal money penalty of $100.
Two aggravating factors were found by the court. First, the defendant had sold the confidential
medical record, and second, the record belonged to a federal agent.
In the third case, the defendant was an employee of a medical clinic who improperly obtained
Medicare information and other patient information for more than 1,100 clinic patients and sold
that information to the owner of a medical claims business for $5 to $10 each. The information was

61 United States v. Gibson, 2004 WL 2237585 (No. CR04-0374RSM) (W.D. Wash. 2004).
62 See ABA Health eSource, Interview with Susan Loitz, Assistant U.S. Attorney (October 2004), at
http://www.abanet.org/health/esource/vol1no2/loitz.html.
63 See Atlantic Consulting Services, Inc., Synergy Between the Identity Theft Issue And Privacy, Security Grows
Stronger, at http://www.aishealth.com/Compliance/Hipaa/RPP_identity_patient_ID_theft.html (noting that identity
theft is now the number one financial crime in the country, and health care organizations are prime targets because of
their vast reservoirs of personal data, such as Social Security numbers).
64 United States v. Ramirez, Warrant, Criminal No. M-05-708, McAllen Division (S.D. Tex. 2006).
65 18 U.S.C. § 2. Principals
(a) Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its
commission, is punishable as a principal.
(b) Whoever willfully causes an act to be done which if directly performed by him or another would be an offense
against the United States, is punishable as a principal.
66 U.S. Department of Justice, Alamo, Texas Woman Convicted of Selling FBI Agent’s Medical Record Sentenced, at
http://www.usdoj.gov/usao/txs/releases/March2006/060307-Ramirez.pdf.
then used by medical providers to fraudulently bill Medicare for services not rendered and
equipment not supplied, resulting in a $7 million fraud on Medicare and the payment of
approximately $2.5 million to providers and suppliers.67 The defendants were charged with
conspiracy in violation of 18 U.S.C. § 371, computer fraud in violation of 18 U.S.C.
§ 1030(a)(4) and (c)(3)(A), wrongful disclosure of individually identifiable health information in
violation of 42 U.S.C. § 1320d-6(a)(2) and (b)(3), and aggravated identity theft in violation of 18
U.S.C. § 1028A(a)(2). Because the clinic-employer was a cooperating witness and the defendant
was acting outside the scope of her lawful employment, the clinic was not charged.
In January 2007, Florida defendant Machado pled guilty to conspiracy to commit computer fraud,
conspiracy to commit identity theft, and conspiracy to wrongfully disclose individually
identifiable health information.68 The defendant testified against her co-defendant. The defendant
was sentenced on April 27, 2007, and faced a maximum of 5 years imprisonment, a $250,000 fine,
and possible restitution. Defendant Machado was sentenced to 3 years’ probation, including 6
months of home confinement, and was also ordered to pay restitution in the amount of $2,505,883.
Co-defendant Ferrer, owner of the medical claims business, was convicted by a jury of all eight
counts (one count of conspiring to defraud the United States, one count of computer fraud, one
count of wrongful disclosure of individually identifiable health information, and five counts of
aggravated identity theft).69 Defendant Ferrer was also sentenced on April 27, 2007, and faced a
maximum statutory term of imprisonment of 5 years on the conspiracy count; a maximum
statutory term of imprisonment of 5 years on the computer fraud count; a maximum statutory
term of imprisonment of 10 years on the wrongful disclosure of individually identifiable health
information count; and a maximum statutory term of imprisonment of 2 years on each count of
aggravated identity theft. Ferrer was sentenced to 87 months in prison and 3 years of supervised
release, and was ordered to pay restitution in the amount of $2,505,883. According to DOJ, this is
the first HIPAA violation case that has gone to trial.70 The two other cases resulted in guilty pleas.

According to recently released data from HHS, from April 2003, when enforcement of the
Privacy Rule began, to May 31, 2008, approximately 36,374 health information privacy
complaints were filed with HHS.71 In 19,997 cases, HHS did not find enforcement authority
under HIPAA.72 HHS found authority to investigate and resolve 6,392 cases. In those cases, HHS
obtained changes in the investigated entity’s privacy practices or other corrective actions.73 HHS
found no violation of the Privacy Rule in 3,156 cases.74 Almost 6,800 cases remain unresolved.

67 The United States Attorney’s Office, Southern District of Florida, Cleveland Clinic Employee Pleads Guilty to
Superseding Fraud Indictment, January 11, 2007, at http://www.usdoj.gov/usao/fls/PressReleases/070111-03.html.
68 United States v. Ferrer and Machado, 2006 WL 4005632 (S.D. Fla. 2006).
69 The United States Attorney’s Office, Southern District of Florida, Naples Man Convicted In Cleveland Clinic Identity
Theft and Medicare Fraud Case, January 24, 2007, at http://www.usdoj.gov/usao/fls/PressReleases/070124-02.html.
70 Id.
71 U.S. Department of Health and Human Services, Compliance and Enforcement: Privacy Rule Enforcement
Highlights, at http://www.hhs.gov/ocr/privacy/enforcement/05312008.html.
72 Id. HHS found no enforcement authority either because of lack of jurisdiction (the violation occurred prior to the
effective date of the Rule or the entity was not subject to the Privacy Rule); because the complaint was untimely,
withdrawn, or not pursued by the complainant; or because the activity complained of did not violate the Privacy Rule.

According to HHS, the compliance issues most frequently investigated were impermissible
use or disclosure of protected health information, lack of adequate safeguards for protected health
information, lack of patient access to his or her protected health information, the disclosure of
more information than is minimally necessary to satisfy a particular request for information, and
failure to have an individual’s authorization for a disclosure that requires one.75 The covered
entities most commonly required to take corrective action by HHS, in order of frequency, include
private practices, general hospitals, outpatient facilities, health plans, and pharmacies.76
According to its enforcement website, HHS did not report any civil penalties during the five-year
period of 2003-2008.77 HHS reported that more than 435 cases were referred by HHS to DOJ for
criminal investigation of knowing disclosure of or access to protected health information in
violation of the Privacy Rule. An additional 247 cases were referred to the Centers for Medicare
and Medicaid Services (CMS) for investigation of potential violations of the HIPAA Security
Rule. Although information on criminal convictions was not reported by HHS, criminal
convictions were obtained in three cases involving employees of covered entities who improperly
obtained protected health information.78
Concerns have been raised by some that the HIPAA Privacy Rule is being underenforced by the
U.S. Departments of Health and Human Services (HHS) and Justice (DOJ).79 Privacy advocates
have been critical of HHS’ enforcement of the HIPAA Privacy Rule, which has focused on
technical assistance and voluntary cooperation of the covered entity with HHS. According to
HHS, several factors contribute to the number of enforcement actions it has taken for violations of
the HIPAA Privacy Rule. First is HHS’s preference for voluntary compliance, corrective action,
and/or resolution agreements.80 Second, HIPAA applies only to certain groups, defined as covered
entities: health plans, health care clearinghouses, and health care providers who transmit financial
and administrative transactions electronically. HIPAA does not cover all types of entities that
maintain personal health information (e.g., life insurers, employers, workers compensation
carriers, schools and school districts, state agencies such as child protective service agencies, law
enforcement agencies, and municipal offices).81 Third, HIPAA does not cover all types of

73 Id.
74 Id.
75 See U.S. Department of Health and Human Services, Compliance and Enforcement: Case Examples Organized By
Issue, at http://www.hhs.gov/ocr/privacy/enforcement/casebyissue.html.
76 See U.S. Department of Health and Human Services, Compliance and Enforcement: Case Examples Organized By
Covered Entity, at http://www.hhs.gov/ocr/privacy/enforcement/casebyentity.html.
77 The U.S. Department of Health and Human Services (HHS) recently announced an enhanced website to make it
easier to get information about how the Department enforces health information privacy rights and standards. HHS
Launches New Web site on HIPAA Privacy Compliance and Enforcement, April 20, 2007, at
http://www.hhs.gov/ocr/privacy/enforcement/announcement.html.
78 United States v. Gibson, 2004 WL 2237585 (No. CR04-0374RSM) (W.D. Wash. 2004); United States v. Ramirez,
Warrant, Criminal No. M-05-708, McAllen Division (S.D. Tex. 2006); United States v. Ferrer and Machado, 2006 WL
4005632 (S.D.Fla. 2006).
79 Rob Stein, “Medical Privacy Law Nets No Fines,” The Washington Post, June 5, 2006, at A01.
80 U.S. Department of Health and Human Services, Compliance and Enforcement: How OCR Enforces the HIPAA
Privacy Rule, at http://www.hhs.gov/ocr/privacy/enforcement/hipaarule.html.
health transactions. Fourth, the statute does not create a private right of action, but rather provides
for public enforcement by HHS and DOJ. Fifth, the complained-of activity might not be a
violation of the Privacy Rule.
In July 2008, for the first time since the Privacy Rule went into effect in 2003, HHS required a
resolution agreement from a covered entity (a contract signed by HHS and the covered entity) for
violations of the HIPAA Privacy and Security Rules.82 HHS entered into a resolution agreement
with Providence Health & Services requiring the covered entity to pay $100,000 and to
implement a corrective action plan to safeguard identifiable electronic patient information in
order to settle potential violations of the HIPAA Privacy and Security Rules. In this case the
violations involved the loss of backup tapes and the theft of laptops containing individually
identifiable health information.
Gina Marie Stevens
Legislative Attorney
gstevens@crs.loc.gov, 7-2581


81 HHS’s approach to the regulation of the privacy of health information is also significantly informed by the limited
jurisdiction conferred by HIPAA: “In large part, we have the authority to regulate those who create and disclose health
information, but not many key stakeholders who receive that health information from a covered entity.” 65 Fed. Reg.
82462, 82471 (2000).
82 See Resolution Agreement, HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health
Information, at http://www.hhs.gov/ocr/privacy/enforcement/agreement.pdf.