Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

How the DOJ handles criminal cases of HIPAA email breaches

Written by Kirsten Peremore | August 26, 2025

According to a journal article in Innovations in Clinical Neuroscience, “The Department of Justice (DOJ) is responsible for the investigation and prosecution of criminal violations of the HIPAA regulations. Under HIPAA, the maximum criminal penalties are $250,000 and 10 years imprisonment.”

Criminal enforcement by the DOJ is typically triggered when HIPAA violations involve conduct that is egregious, intentional, or done for personal or commercial gain. The DOJ’s authority comes into play once the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) refers cases with potential criminal elements for further investigation and prosecution by the DOJ. 

The referral process signifies that the breach involves a willful violation or fraudulent behavior, such as obtaining or disclosing protected health information (PHI) "knowingly" and "in violation of HIPAA," often with malicious intent or for financial gain. The scope of the DOJ’s criminal enforcement is narrower than civil HIPAA enforcement, focusing on violations meeting the requirements of intentional wrongdoing as defined by federal statutes.


What is the DOJ’s role in enforcing HIPAA?

While OCR typically investigates and enforces HIPAA compliance violations through civil penalties, the DOJ is responsible for criminal prosecution when the violations involve intentional wrongdoing or criminal conduct under HIPAA’s criminal provisions. 

The DOJ’s criminal role is triggered only where PHI is knowingly obtained, disclosed, or misused in violation of HIPAA, whether for personal gain or out of malice. That threshold is much higher than the ordinary compliance failures or inadvertent breaches that OCR handles through civil penalties.

Under HIPAA’s Administrative Simplification provisions (Title II), codified at 42 U.S.C. § 1320d-6, it is a federal crime to knowingly, and in violation of HIPAA, obtain or disclose individually identifiable health information or misuse a unique health identifier. The penalties escalate when the offense is committed under false pretenses, and again when it is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. 

The DOJ’s jurisdiction arises when investigations uncover that an individual or entity committed these actions willfully or with malicious intent. Once OCR or other agencies detect potential criminal conduct during their investigations, they typically refer the case to the DOJ for further review and prosecution.

An Arnold & Porter analysis notes that the DOJ and the HHS Office of Inspector General (OIG) are not the only responsible agencies: “DOJ and OIG are not the only agencies that investigate health care fraud. Other agencies that conduct investigations include state Medicaid Fraud Control Units (MFCUs), the Internal Revenue Service (IRS), the Postal Inspection Service, Department of Defense (DOD), and the Federal Bureau of Investigation (FBI).”


How does a HIPAA violation escalate from a civil case to a criminal case?

The Innovations in Clinical Neuroscience article mentioned above goes on to state, “Civil enforcement of the Privacy and Security Rules is limited to those healthcare providers who are covered entities under HIPAA.”

It also notes, “However, as discussed below, even those providers who are not covered entities can still face liability for breach of patient confidentiality under the criminal provisions of HIPAA as well as under state law.”

The DOJ assesses the evidence and can bring charges under HIPAA’s criminal provision, 42 U.S.C. § 1320d-6. Its penalties escalate with the circumstances of the offense: a knowing violation alone is a misdemeanor punishable by up to one year in prison and a $50,000 fine; an offense committed under false pretenses carries up to five years and $100,000; and an offense committed with intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm carries up to ten years and $250,000.

Examples of DOJ criminal cases demonstrate the focus on prosecuting egregious abuses of patient privacy. Early criminal cases centered around employees misusing patient information for financial gain, such as selling medical records or using stolen PHI to commit identity theft or tax fraud. 

Over time, the DOJ expanded its scope to prosecute individuals who improperly accessed or disclosed PHI even without financial motives. For instance, prosecutions have involved healthcare workers snooping through medical records without authorization, resulting in penalties like jail time, fines, community service, and mandatory HIPAA training.


How does the DOJ investigate HIPAA email breaches?

When the DOJ receives a referral, it initiates a comprehensive investigative process that may involve coordination with other law enforcement agencies that regularly investigate cybercrimes and healthcare data breaches. The investigation leans heavily on digital forensic analysis, because an email breach inherently involves the electronic transmission, and possibly the unauthorized access or interception, of electronic PHI (ePHI). 

Investigators collect and analyze email logs, metadata, server access records, and communication traffic to ascertain the origin, scope, and method of the breach. Forensic examination seeks to establish whether the breach occurred due to phishing, hacking, employee misconduct, or system vulnerabilities. The technical evaluation helps in determining if the breach was intentional or negligent, and whether personal or financial gain was involved. The DOJ prioritizes cases where HIPAA email breaches demonstrate deliberate wrongdoing, such as insider threats, criminal hacking activities, or fraudulent schemes to exploit patient information.

Evidence gathering in these investigations draws on multiple sources, including email servers, healthcare provider networks, cloud services, and the devices used by implicated individuals. Subpoenas and search warrants are typically used to obtain preserved electronic data and communications. Witness interviews and cooperation with the affected covered entity help reconstruct the breach timeline and clarify the organization’s compliance practices or failures. Investigators also assess whether the affected entity applied HIPAA’s required safeguards, such as encrypting email in transit, training employees on phishing risks, and following incident response procedures, which helps determine institutional responsibility alongside individual culpability.
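The log and header analysis described in the two paragraphs above, as an added example that is not part of the original post and not a DOJ or Paubox tool: it traces a suspect message’s entry point from its Received chain and SPF/DKIM/DMARC verdicts (which separates an external phishing lure from an insider send), and it reconstructs an outbound timeline from gateway logs to flag PHI-tagged messages that left the organization without TLS. Everything in it is constructed: the domains (clinic.example, webmail.example, partner-hospital.example), the headers, the pipe-delimited log format, and the business-hours window are assumptions for illustration, not a real gateway’s export format.

```python
"""Triage helpers for an email breach investigation.

Added example for this post; not Paubox code and not a DOJ tool. All
headers, log lines, domains and the pipe-delimited log format below are
constructed sample data, not a real mail gateway's export.
"""
import re
from collections import defaultdict
from datetime import datetime
from email import message_from_string

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

# Constructed headers of a helpdesk-themed phishing lure spoofing an internal sender.
SAMPLE_HEADERS = """\
Received: from mx.clinic.example (mx.clinic.example [10.0.0.5])
\tby mail.clinic.example with ESMTPS id abc123
\tfor <billing@clinic.example>; Mon, 03 Mar 2025 09:14:02 -0500
Received: from relay.evil.example (unknown [203.0.113.77])
\tby mx.clinic.example with ESMTP id def456; Mon, 03 Mar 2025 09:14:01 -0500
Authentication-Results: mx.clinic.example; spf=fail smtp.mailfrom=clinic.example;
\tdkim=none; dmarc=fail header.from=clinic.example
From: "IT Helpdesk" <helpdesk@clinic.example>
To: billing@clinic.example
Subject: Password expiry - action required
"""

# Constructed outbound gateway log: timestamp|sender|recipient|tls|dlp_tag|attachments
SAMPLE_LOG = """\
2025-03-03T18:02:11|r.alvarez@clinic.example|m.osei@clinic.example|TLS1.2|none|0
2025-03-03T22:41:05|r.alvarez@clinic.example|ralv88@webmail.example|none|PHI|3
2025-03-03T22:43:19|r.alvarez@clinic.example|ralv88@webmail.example|none|PHI|2
2025-03-04T09:10:44|j.chen@clinic.example|referrals@partner-hospital.example|TLS1.3|PHI|1
2025-03-04T23:05:30|r.alvarez@clinic.example|ralv88@webmail.example|none|PHI|4
"""


def trace_origin(raw_headers):
    """Origin IP from the earliest Received hop plus authentication verdicts."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    origin = None
    # Each relay prepends its own Received header, so the last one is the first hop.
    for hop in reversed(received):
        match = IP_RE.search(hop)
        if match:
            origin = match.group(1)
            break
    verdicts = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    return {"origin_ip": origin, "hops": len(received), "auth": verdicts}


def parse_log(text):
    """Parse the constructed pipe-delimited export into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, recipient, tls, tag, attachments = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender,
            "recipient": recipient,
            "tls": tls != "none",
            "phi": tag == "PHI",
            "attachments": int(attachments),
        })
    return sorted(events, key=lambda e: e["ts"])


def flag_unprotected_phi(events, internal_domain):
    """PHI-tagged messages that left the organization without TLS."""
    return [e for e in events
            if e["phi"] and not e["tls"]
            and not e["recipient"].endswith("@" + internal_domain)]


def after_hours(events, start_hour=7, end_hour=19):
    """Events outside the assumed business window (an insider-activity indicator)."""
    return [e for e in events if not start_hour <= e["ts"].hour < end_hour]


def timeline_by_sender(events):
    """Per-sender, time-ordered activity for reconstructing the breach timeline."""
    timeline = defaultdict(list)
    for e in events:
        timeline[e["sender"]].append(
            (e["ts"].isoformat(), e["recipient"], e["attachments"]))
    return dict(timeline)


def summarize(events, internal_domain="clinic.example"):
    """Scope summary an investigator would record: who, where to, when, how much."""
    flagged = flag_unprotected_phi(events, internal_domain)
    return {
        "flagged": len(flagged),
        "senders": sorted({e["sender"] for e in flagged}),
        "external_recipients": sorted({e["recipient"] for e in flagged}),
        "first": flagged[0]["ts"].isoformat() if flagged else None,
        "last": flagged[-1]["ts"].isoformat() if flagged else None,
        "attachments": sum(e["attachments"] for e in flagged),
        "after_hours": len(after_hours(flagged)),
    }


if __name__ == "__main__":
    print(trace_origin(SAMPLE_HEADERS))
    print(summarize(parse_log(SAMPLE_LOG)))
```

Run stand-alone, it reports the lure’s origin IP and failed SPF/DMARC verdicts, and a scope summary of the sample log: three unencrypted PHI sends from one internal account to one external mailbox, all after hours, nine attachments in total, while the TLS-protected send to the partner hospital is not flagged. In a real case the same fields come from the gateway’s message-tracking export, and that contrast, an external IP with failed authentication versus authenticated after-hours sends from an internal account, is what lets an investigator separate the phishing and insider hypotheses the paragraph names.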

Investigators also treat the risk assessment of an email breach as an ongoing process rather than a one-time step, revisiting scope and cause as new evidence arrives. The DOJ works closely with cybersecurity experts and healthcare compliance professionals to identify the vulnerabilities exploited during a breach, which serves the prosecution and, through enforcement actions and public awareness, pushes the industry toward better security practices. This collaboration often leads to shared intelligence and the development of guidance to prevent similar breaches in the future.

A related enforcement action came in May 2024, when the DOJ settled allegations against Insight Global LLC, a staffing firm serving health-related clients, that its personnel had sent PHI in unencrypted email and stored it insecurely. The case was brought under the False Claims Act rather than HIPAA’s criminal provisions, but it shows that federal expectations for protecting patient data are enforced through avenues beyond HIPAA itself.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

What legal reporting requirements must be considered during investigations?

Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach. Breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window and to prominent media outlets in the affected state or jurisdiction; smaller breaches are logged and reported to HHS annually. State breach laws may add further notice obligations, and law enforcement should be notified where criminal activity is suspected (with notification timelines adjustable only if law enforcement formally requests a delay).


How important is documentation during a healthcare breach investigation?

Maintaining detailed, accurate records of all investigative steps, findings, and communications is essential for regulatory compliance, audits, potential legal actions, and improving future breach response strategies.


Can third-party forensic experts assist in healthcare data breach investigations?

Yes. Engaging external cybersecurity specialists or forensic investigators often adds technical depth and impartiality to an investigation, and their findings are easier to defend in later regulatory or legal proceedings.