
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Jail Terms for HIPAA Violations by Employees

Jail terms for HIPAA violations by employees are relatively rare, but there have been several cases where employee HIPAA violations have been referred to the Department of Justice and have resulted in financial penalties and jail time. Some cases that have resulted in jail terms for HIPAA violations by employees are listed below, along with cases where jail time for HIPAA violations has only narrowly been avoided.

The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information. HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term for violating HIPAA of 10 years plus a further 2 years for aggravated identity theft.

Jail Term for Former Transformations Autism Treatment Center Employee

In February 2017, a former behavioral analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination. Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and downloaded the PHI of 300 current and former patients onto his personal computer.

Approximately one month after Luke was terminated, TACT discovered patient information had been remotely accessed and downloaded. An investigation was launched and law enforcement was notified, with the latter alerting the FBI. Luke was identified as the perpetrator from his IP address, with the search of his residence uncovering a computer containing stolen electronic patient records and TACT forms and templates.

Luke’s access rights to Google Drive had been terminated by TACT in accordance with HIPAA Rules; however, after termination, Luke had gained access to a shared Google Drive account and authorized access from his personal Gmail account. It is unclear exactly how that was achieved after his access rights were terminated. Court documents say Luke hacked the account and law enforcement found evidence Luke had researched how to gain access to the data.

Law enforcement discovered this was not the first time Luke had stolen data from an employer. His computer also contained patient data from another former employer – Somerville, TN-based Behavioral and Counseling Services. Luke pleaded guilty to the charges and was sentenced to 30 days in jail and 3 years of supervised release. Luke was also ordered to pay $14,941.36 in restitution. This case sends a message to healthcare employees considering stealing healthcare data to sell, use, or pass on to a new employer, that data theft carries stiff penalties. While Luke will only serve 30 days in jail, he will have a criminal record which will hamper future employment.

Healthcare organizations should also take precautions to minimize the opportunity for ex-employees to access PHI remotely after they have left employment. When an employment contract ends, or an employee is terminated, access to all systems must be blocked and passwords should be changed on any shared accounts.

Organ Transplant Coordinator Gets 2-Year Jail Term for Accessing Judge’s Health Records

A former organ transplant coordinator from Virginia who used his access to patient data to take a screenshot of the medical records of Supreme Court Justice Ruth Bader Ginsburg and then attempted to destroy evidence has been sentenced to 2 years in jail.

Trent James Russell, 34, worked at the Washington Regional Transplant Community (WRTC) as an organ transplant coordinator. He received HIPAA training and was aware that accessing patient records without authorization violated the HIPAA Rules. While Judge Ginsburg was undergoing cancer treatment at George Washington University Hospital, Russell accessed and screenshotted her records, even though she had not been referred to WRTC as a potential organ donor.

When Russell’s login credentials were revoked in January 2019, he formatted his home computer in an attempt to destroy evidence of the HIPAA violation. Russell was convicted on the criminal HIPAA violation and destruction of evidence charges but was acquitted on the charge of posting the records online.

54 Month Jail Term for Criminal HIPAA Violations and Aggravated Identity Theft

A former employee of an Arizona medical facility was sentenced to 54 months in jail for criminal HIPAA violations and aggravated identity theft. Rico Prunty, 41 years old, of Sierra Vista, Arizona, unlawfully accessed the medical intake forms of almost 500 patients between July 2014 and May 2017 and copied information such as names, addresses, dates of birth, Social Security numbers, and health information.

The information was provided to his co-conspirators who opened credit card accounts in the victims’ names and attempted to steal $181,000 from those individuals. Prunty faced up to 10 years in jail plus a mandatory 2-year jail term for aggravated identity theft.

The District Court Judge imposed a sentence of 54 months with 2 years of supervised release and an order to pay $132,521.98 in restitution to the victims. His co-conspirators were sentenced to between 121 months and 154 months in jail and were ordered to pay $181,835.77 in restitution.

Pharma Sales Rep Faces up to 10 Years in Jail for PHI Access & Healthcare & Wire Fraud

A pharmaceutical sales rep has pleaded guilty to conspiring to commit healthcare fraud and wrongfully disclosing and obtaining patients’ protected health information in an elaborate healthcare fraud scheme.

Between 2014 and 2016 Keith Ritson, 42, of New Jersey, promoted compound prescription medications and other drugs. The medications were not FDA-approved but could be prescribed by a physician if standard medications were not appropriate for a patient.

Ritson and his conspirators discovered certain insurance companies would reimburse thousands of dollars a month for the drugs and Ritson would receive a percentage of the payments made by the pharmacy benefits administrator for any prescriptions he arranged.

Ritson was provided with access to patient records at the medical practice of Dr. Frank Alario, in violation of the HIPAA Rules, and used that access to identify patients with insurance plans that would pay for the drugs. He would advise Dr. Frank Alario to prescribe medically unnecessary prescriptions for certain patients, and Ritson was even allowed to attend some patient appointments with Dr. Alario.

Ritson pleaded guilty to one count of conspiracy to commit health care fraud and one count of conspiring to wrongfully disclose and obtain patients’ PHI and faces up to 10 years in jail and a fine of up to $250,000. Dr. Alario also pleaded guilty to his charges and faces a fine of up to $50,000 and up to 1 year in jail. Three executives at Central Rexall Drugs were also indicted for their role in the scheme and await sentencing.

Mistrial Declared in Criminal HIPAA Case Involving Disclosure to Suspected Russian Agent

On September 28, 2022, two doctors were charged in an 8-count indictment for conspiring to cause harm to the United States by disclosing the protected health information of U.S. citizens associated with the government and military to Russia. The charges included criminal HIPAA violations related to disclosures of patient data starting on August 17, 2022. While the couple believed they were disclosing patient data to a Russian agent, their communications to the Russian embassy had been intercepted and they instead met with an undercover FBI agent and provided patient data at the request of the FBI agent.

Dr. Anna Gabrielian, 37, a former anesthesiologist at Johns Hopkins, and her spouse, Jamie Lee Henry, 40, a doctor and U.S. Army Major previously stationed at Fort Bragg, faced up to 10 years in jail for the criminal HIPAA violations and up to 5 years in jail for the conspiracy charge. At trial, the jury was unable to reach a unanimous verdict and a mistrial was declared. The U.S. Attorney’s Office sought a retrial; however, the case was dismissed with prejudice by a federal judge.

48-Month Jail Term for Medical Clinic Worker Who Stole Patient Data

Stacey Lavette Hendricks, 49, of Leesburg, FL, was employed by a medical clinic in Florida. She was provided with access to patient information to complete her work duties but used her access to obtain patient information which was sold to identity thieves and used to defraud businesses.

The case was investigated by the U.S. Secret Service. Hendricks was apprehended when she attempted to sell stolen patient data to an undercover law enforcement officer. When her home was searched, law enforcement officers found the records of 113 patients. Hendricks faced a maximum jail term of 20 years for wire fraud and 2 years for aggravated identity theft. She pleaded guilty and was sentenced in 2020 to serve 48 months in federal prison.

Hospital Clerk Sentenced to Six Months for Grand Larceny

In May 2015, the New York Police Department informed Montefiore Medical Center – a non-profit hospital system based in New York City – that there was evidence of theft of a specific patient’s medical information. The incident prompted Montefiore Medical Center to conduct an internal investigation. The investigation uncovered that, two years prior, one of their employees – Monique Walker, 32, an assistant clerk at the hospital – had stolen the electronic PHI of 12,517 patients and sold the information to an identity theft ring for $3 per record. The identity theft ring used the records to obtain credit at stores such as Macy’s, Victoria’s Secret, and Bergdorf Goodman.

Walker and other members of the identity theft ring were arrested and indicted on charges that included grand larceny, identity theft, and criminal possession of a forged instrument. Walker pleaded guilty to the charge of grand larceny and, in June 2016, was sentenced to six months in jail. The ringleader – Fernando Salazar – was sentenced to 3½ to 7 years. The incident did not go unnoticed by HHS’ Office for Civil Rights and – following further data breaches attributable to malicious insiders – the agency fined Montefiore Medical Center $4.75 million for failing to conduct an effective risk analysis and failing to implement procedures to review system activity for insider theft.

3 Year Jail Term for VA Worker Who Stole Patient Data

A clerk at the Veteran Affairs Medical Center in Long Beach, CA has been sentenced for the theft of the protected health information of more than 1,000 patients. Albert Torres, 51, was pulled over by police over an anomaly with his license plates. The officers found prescriptions in the vehicle in other people’s names, and the Social Security numbers and other PHI of 14 individuals. When police officers searched his home, they found hard drives containing the ePHI of 1,030 veterans and goods that had been stolen from the hospital. Torres was sentenced to three years in state penitentiary in 2018.

New York Dental Practice Receptionist to Spend 2-6 Years in Jail for Stealing Patient Data

In 2018, a former receptionist at a New York dental practice was sentenced to serve between 2 and 6 years in state penitentiary for stealing the protected health information of hundreds of patients. Annie Vuong, 31, was given access rights to patient data to perform her work duties but abused those rights and stole the data of at least 653 patients. The information was passed to her co-defendant, Devin Bazile, via email. Bazile obtained credit lines in the victims’ names and made high-value purchases.

Vuong was arrested in February 2015 after a 2-and-a-half-year investigation, was found guilty on 189 counts, and was sentenced to serve between 2 and 6 years in jail. Bazile was sentenced to between 3 and 9 years in jail, with up to 4 years in jail for one other co-defendant and 5 years’ probation for the other.

UPMC Patient Care Coordinator Gets 1-Year Sentence for Theft of PHI

A former patient care coordinator at the University of Pittsburgh Medical Center (UPMC) was sentenced to 1 year in jail for accessing the medical records of patients without authorization and using the information to cause malicious harm.

Sue Kalina, 62, of Butler, PA, had accessed patient records without authorization for more than a year between 2016 and 2017, including old friends, classmates, and individuals she had a grievance with, and conducted a campaign of vengeance. One of the victims was a woman who had been hired by a previous employer to replace her. Kalina accessed that woman’s medical records and disclosed gynecological information to her former employer in a voicemail. Kalina was fired for the HIPAA violation but was later hired by Allegheny Health Network and recommenced her campaign. U.S. prosecutors sought a jail term of between 2 and 6 years. Kalina was sentenced to 1 year in jail, and 3 years’ probation, and was prohibited from contacting any of the 111 victims.

Massachusetts Gynaecologist Spared Jail in Criminal HIPAA Violation Case

Gynecologist Rita Luthra, 65, of Longmeadow, MA, has been convicted of criminal violations of the HIPAA Privacy Rule and obstructing a federal investigation into a kickback scheme. Luthra gave a pharmaceutical sales representative access to patient health information to complete pre-authorization forms for insurance companies that were refusing to approve prescriptions for Warner Chilcott’s osteoporosis drugs.

Luthra was also accused of being paid $23,500 to prescribe Warner Chilcott’s osteoporosis drugs, but maintained the payment was for speaker’s fees at medical educational events and for writing a research paper. The events took place in her office and the research paper was never finished. Luthra lied to federal investigators and also instructed the pharmaceutical sales representative to lie to back up her story.

Luthra faced up to 6 years in jail, one year of supervised release, and $300,000 in fines, including a $50,000 fine for the HIPAA violation. The judge was lenient due to Luthra’s work with disadvantaged women in impoverished areas of Springfield. Luthra escaped a fine and was sentenced to 1 year of probation and has permanently lost her license to practice.

Former Berkeley Medical Center Employee Sentenced

A former Berkeley Medical Center employee has escaped a jail term after pleading guilty to one count of identity theft. Angela Dawn Roberts, also known as Angela Dawn Lee, 42, of Stephenson, Virginia, admitted unlawfully acquiring the protected health information of 10 individuals, including their names, dates of birth, and Social Security numbers, and providing that information to her co-defendant, Ajarhi Savimbi Roberts. Her partner in crime was sentenced to 24 months in jail after pleading guilty to bank fraud. Roberts was fortunate to escape a jail term, and instead was sentenced to 5 years of probation and was ordered to pay $22,000 in restitution.

Nursing Home Employee Pleads Guilty to Theft of Credit Card Numbers

A former employee at a nursing home in St. Louis County, MO has pleaded guilty to the theft of credit card numbers. Shaniece Borney, 29, of St. Louis County, was employed at an NHC Health Care nursing home between 2016 and 2017. Borney abused her access to the computer system and stole the credit card details of patients. The credit card details were used to make purchases for herself and her family members. Borney faces up to 10 years in jail and could be fined up to $250,000 and will be required to pay restitution to the victims of the fraud.

Former Nurse Jailed for 37 Months for Tampering with and Stealing Medications

Kelsey A. Mulvey worked as a registered nurse at the Roswell Park Comprehensive Cancer Center in Buffalo, NY, between February 2018 and June 2018. On June 27, 2018, Mulvey was observed accessing an automated medication dispensing machine in a room where she was not assigned to work and leaving the room carrying a backpack.

She was placed on administrative leave while the event was investigated and later resigned. The investigation found that Mulvey had stolen hydromorphone, methadone, oxycodone, and lorazepam from the medication dispensing machine and replaced the hydromorphone in the vials with water to hide the theft, resulting in six patients falling ill with waterborne infections over the following month.

The cancer center reported the theft to law enforcement agencies, and Mulvey was charged with tampering with a consumer product, acquiring controlled substances by fraud, and criminal violations of the Health Insurance Portability and Accountability Act (HIPAA). In December 2022, Mulvey was sentenced to 37 months of HIPAA violation prison time following a plea agreement.

Five Healthcare Workers Indicted for Criminal Violations of HIPAA

Five healthcare workers have been indicted by a federal grand jury in Memphis for criminal violations of HIPAA after being found to have impermissibly accessed the protected health information of patients and provided the information to another individual – Roderick Harvey – for financial gain. Harvey, 40, was also indicted for seven counts of obtaining patient information with the intent to sell the information for financial gain.

The five healthcare workers – Kirby Dandridge, 38, Sylvia Taylor, 43, Kara Thompson, 30, Melanie Russell, 41, and Adrianna Taber, 26 – were found to have obtained information from Methodist Le Bonheur Healthcare relating to patients who had been involved in motor vehicle accidents between November 2017 and December 2020. The information was then passed to Harvey, who sold it to personal injury lawyers and chiropractors.

Methodist Le Bonheur Healthcare discovered the unauthorized access, terminated the employees for the HIPAA violations, and reported the employees to law enforcement. The five healthcare workers each faced a maximum penalty of one year in jail, one year of supervised release, and a fine of up to $50,000, while Harvey faced up to 10 years in jail for violating HIPAA, a fine of up to $250,000, and three years of supervised release.

United States District Judge Thomas L. Parker sentenced Harvey to 5 years of probation, including one year of home detention, and fined him $50,000. Kirby Dandridge was sentenced to 1 year of probation and must pay a $2,500 fine, Sylvia Taylor was sentenced to 1 year of probation and must pay a $3,000 fine, Kara Thompson was sentenced to 2 years of probation, Melanie Russell was sentenced to 1 year of probation and must pay a $1,000 fine, and Adrianna Taber was sentenced to time served plus 6 months on supervised release.

Woman Receives 30 Month Jail Time for HIPAA Violations on Behalf of Fraud Ring

In July 2021, Amanda Lowry from Sherman, TX, was convicted of stealing protected health information from a physician’s EHR system and sentenced to 30 months of jail time for HIPAA violations on behalf of a fraud ring. The stolen data was sold to medical equipment manufacturers and suppliers by other members of the fraud ring and the proceeds were used to purchase luxury items such as off-road vehicles and jet skis.

Two other members of the fraud ring have also been charged with conspiracy to obtain information from a protected computer and conspiracy to unlawfully possess and use a means of identification. Demetrius Cervantes of McKinney, TX, was sentenced to serve 48 months for his role in the fraud ring after pleading guilty to the charges, while Lydia Henslee – who is named in a separate indictment with three men from Florida – is awaiting sentencing.

Iowa Doctor Jailed for Unlawful Medical Record Access of Romantic Partners

An Iowa doctor has been sentenced to 1 month in jail without parole for accessing the medical records of romantic partners without authorization. Dr. Gabriel Alejandro Hernandez-Roman, 31, from Isla Verde, Puerto Rico, worked at two Iowa hospitals where he impermissibly accessed the medical records of two romantic partners without authorization, including the psychological records of one woman and her records when she was a minor. He also took a medically unnecessary photograph of a patient’s prolapsed rectum and sent it to his mother via Snapchat as a warning about the importance of fiber intake.

Dr. Hernandez-Roman was investigated by the Iowa Board of Medicine over the privacy violations and his unprofessional behavior and was fined $7,500 and had his license suspended. He faced criminal HIPAA violations and entered a guilty plea to one count of wrongfully obtaining individually identifiable health information relating to an individual under false pretenses and was sentenced to one month in jail and three years of supervised release and was ordered to pay a $1,000 fine.

Jail Terms for HIPAA Violations by Employees: FAQs

What are the HIPAA violation penalties for employees?

The HIPAA violation penalties for employees vary depending on the nature of the violation, the content of the employer’s sanctions policy, the previous compliance history of the employee, and whether the violation involved the knowing and willful disclosure of individually identifiable health information.

For example, if you fail to give a patient the opportunity to object to their details being included in a hospital directory, and it is your first violation of your employer’s HIPAA policies, the likely sanction will be a verbal warning. If you have already received a verbal warning for the same violation, you will likely be given a written warning and required to take more HIPAA training.

If you are a persistent offender, you could be given a final written warning by your employer and lose your job (and potentially your license); while if the violation involves the knowing and willful disclosure of PHI, the violation could be referred to the Department of Justice and you could face criminal charges. If found guilty of the charges, you could be fined and sentenced to prison.

Can you go to jail for violating HIPAA?

You can go to jail for violating HIPAA if you knowingly and wrongfully disclose individually identifiable health information for an impermissible use without authorization. It is important to be aware that the DOJ interprets “knowingly” as requiring only knowledge that the disclosure constitutes an offense. It is not necessary for the perpetrator to be aware they are violating HIPAA.

What is the maximum jail time for a HIPAA violation?

The maximum jail time for a HIPAA violation is ten years according to 42 USC §1320d-6. However, depending on how the PHI was disclosed and the motive for the disclosure, prosecutors can ask for additional charges to be added to the charge for the HIPAA violation. For example, if found guilty of aggravated identity theft, the maximum jail time could be increased to twelve years.

What HIPAA violation fines apply to employees?

HIPAA violation fines do not usually apply to employees because employees (as members of the workforce) are considered “under the control” of a Covered Entity or Business Associate. Consequently, a Covered Entity or Business Associate is liable for civil violations of HIPAA by one of their employees.

However, criminal HIPAA violation fines apply to employees if they are found guilty of the knowing and wrongful disclosure of PHI contrary to 42 USC §1320d-6 of the Social Security Act. In such cases, there are three tiers of HIPAA violation fines for employees:

  • Tier 1 – If an individual obtains PHI, discloses PHI, or enables a third party to obtain/disclose PHI, the maximum fine is $50,000 plus up to one year in prison.
  • Tier 2 – If an individual commits a Tier 1 crime under false pretenses, the HIPAA violation fines for employees increase up to $100,000 and up to five years in prison.
  • Tier 3 – If an individual commits a Tier 1 or Tier 2 crime with the intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm, the maximum fine increases to $250,000, and the maximum jail time for violating HIPAA to ten years.

What are the three tiers of HIPAA violation prison time?

The three tiers of HIPAA violation prison time dictate the length of a sentence a judge can impose for a violation of HIPAA that involves the knowing and wrongful disclosure of individually identifiable health information. The sentence can be imposed for obtaining health information, using the information, or enabling somebody else to obtain, use, or disclose the information.

The first tier of up to one year in prison (plus a fine of up to $50,000) can be imposed for just committing the crime. The second tier of up to five years in prison (plus a fine of up to $100,000) can be imposed if you committed the crime under false pretenses, and the third tier of up to ten years in prison (plus a fine of up to $250,000) applies if you intended to sell, transfer, or use the information to get a commercial advantage or personal gain, or to cause malicious harm.

Can HIPAA violations result in jail time?

HIPAA violations can result in jail time, but only if it can be proved you knowingly obtained, disclosed, or used PHI without authorization in violation of a workplace policy (not necessarily HIPAA). It is not often that HIPAA violations result in jail time; but, as ignorance of the law is no defense against a criminal prosecution, healthcare providers must ensure they know what PHI is and when it can be used and disclosed permissibly.

Can you get arrested for violating HIPAA?

You can get arrested for violating HIPAA if you are a member of a Covered Entity’s or Business Associate’s workforce, and you are reported to law enforcement for knowingly and willfully using or disclosing PHI impermissibly without authorization or enabling somebody else without authorization to obtain individually identifiable health information.

Even if you are not reported to law enforcement by the organization you work for, you can still get arrested for violating HIPAA if a patient makes a complaint to HHS’ Office for Civil Rights, the agency conducts a compliance investigation, identifies the impermissible use or disclosure of PHI, and refers the case to the Department of Justice.

What happens if an employee violates HIPAA?

If an employee violates HIPAA, what happens first depends on whether or not the employee works for a Covered Entity or Business Associate. If they don’t, HIPAA does not apply. However, if they do, the consequences depend on the nature of the violation, the employee’s previous history of compliance, and the employer’s sanctions policy.

For minor violations, the employee will likely get a verbal warning provided they have had no previous history of violating HIPAA. Thereafter, the penalties for violating HIPAA usually range from written warnings to the loss of employment – unless the violation involves the wrongful use or disclosure of PHI, in which case the employee could face criminal charges.

Are criminal HIPAA fines and jail time only for employees?

Criminal HIPAA fines and jail time are not only for employees. Any member of the workforce that violates 42 USC §1320d-6 of the Social Security Act can be fined and sent to jail for a criminal violation of HIPAA – as can employers if, through their negligence, they enable a third party to obtain, use, or disclose PHI without authorization.

What are the HIPAA criminal penalties?

The HIPAA criminal penalties are the penalties a judge can impose on a Covered Entity, a Business Associate, or a member of either’s workforce for knowingly and wrongfully using or disclosing individually identifiable health information for an impermissible purpose without authorization. The HIPAA criminal penalties range from a fine of up to $50,000 and/or up to one year in prison to a fine of up to $250,000 and up to ten years in prison depending on the motive for the crime.

Are there HIPAA violation fines for individuals?

There are HIPAA violation fines for individuals – but only individuals who work for a Covered Entity or Business Associate who are found to have knowingly used or disclosed PHI without authorization for a purpose not permitted by the HIPAA Privacy Rule. Individuals who are not members of a Covered Entity’s or Business Associate’s workforce are not required to comply with HIPAA and cannot be fined for a violation of HIPAA.

What are the penalties for HIPAA non-compliance?

The penalties for HIPAA non-compliance depend on the nature of the violation and the non-compliant party. Violations of HIPAA that do not result in a breach of unsecured PHI are normally resolved by technical assistance or a corrective action plan. Violations of HIPAA that do result in a breach of unsecured PHI are mostly resolved this way as well when a Covered Entity or Business Associate has made a good faith effort to mitigate the consequences of the breach.

When a failure to comply with HIPAA is attributable to “willful neglect” by a Covered Entity or Business Associate, or due to knowingly disclosing PHI without authorization by a member of either’s workforce, HHS’ Office for Civil Rights has the authority to impose a Civil Monetary Penalty of up to $1,919,173 per violation. Alternatively, the agency can refer the case to the Department of Justice for a criminal investigation with penalties of up to $250,000 and ten years in jail.

What is the maximum penalty for violating HIPAA?

The maximum penalty for violating HIPAA varies according to whether a penalty is being imposed for a civil violation or a criminal violation. Civil violations carry a maximum penalty of $1,919,173 per violation, while criminal violations for the wrongful disclosure of individually identifiable health information carry a maximum penalty of $250,000 and ten years in jail.

What types of penalties accompany HIPAA violations?

The types of penalties that accompany HIPAA violations range from a verbal warning to a substantial fine and up to ten years in prison. The penalty for employees that accompanies each type of HIPAA violation is usually stipulated by a Covered Entity’s sanctions policy – although if the Covered Entity is found negligent by HHS’ Office for Civil Rights, financial penalties can be imposed according to a sliding scale depending on the level of culpability.

Prison sentences are usually only imposed when there is evidence an individual knowingly and wrongfully obtained or disclosed – or allowed somebody else to obtain or disclose – individually identifiable health information without authorization. In such circumstances, the penalties range from a fine of up to $50,000 and/or up to one year in prison to a fine of up to $250,000 and/or up to ten years in prison depending on the motive for illegally disclosing PHI.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
