Conspiracy to Unlawfully Use Health Information (42 U.S.C. 1320d-6; 18 U.S.C. 371)

Last Updated on: 1st June 2025, 02:55 am

Conspiracy to Unlawfully Use Health Information (42 U.S.C. 1320d-6; 18 U.S.C. 371) – When HIPAA Violations Become Federal Felonies

When HIPAA Goes Criminal – The Statute Nobody Talks About

If you work in healthcare, you’ve sat through those mind-numbing HIPAA trainings where they tell you about patient privacy, and maybe mention some fines. What they don’t tell you–is that violating HIPAA can land you in federal prison for up to 10 years. 42 U.S.C. § 1320d-6 isn’t just some administrative rule, its a federal criminal statute with real teeth. When you combine this with the federal conspiracy statute, 18 U.S.C. § 371, suddenly that conversation you had with a coworker about looking up a celebrity’s medical records becomes a federal conspiracy case. Most medical professionals have no clue they’re committing federal crimes. They think HIPAA is just about getting fired, or maybe the hospital pays a fine. Wrong. The Department of Justice prosecutes these cases, and they’re not playing around. We’re talking about federal prosecutors who’ve spent years putting people in prison, and they view healthcare fraud as their bread and butter. These aren’t civil penalties where your employer writes a check – these are criminal charges where YOU personally face prison time, criminal fines up to $250,000, and a federal conviction that follows you forever. The really twisted part is how easy it is to violate this statute. You don’t need to be selling medical records to identity thieves, or running some elaborate scheme. Simply accessing patient information without a legitimate reason, then mentioning it to someone else – congratulations, that’s conspiracy. The feds love conspiracy charges because theyre easier to prove than the underlying crime, and they carry the same penalties. So even if you never actually used the information, just agreeing to access it illegally is enough for a conviction.

How One Nurse’s Text Message Became a Federal Crime

A nurse in New Jersey sees a local politician admitted to the ER. She texts her friend, “You’ll never guess who’s here with an overdose.” The friend responds, “OMG, can you check what drugs?” The nurse pulls up the record and texts back the medication list.

That’s it – that exchange right there is a federal conspiracy to violate 42 U.S.C. § 1320d-6.

Both the nurse AND her friend who never even worked at the hospital can be charged with conspiracy. To nail you for conspiracy under these statutes, prosecutors need to prove three things. First, that two or more people agreed to violate HIPAA’s criminal provisions. This agreement doesn’t need to be some formal contract – a text exchange, a wink and nod, even implied understanding counts. Second, you knew the conduct was unlawful. They don’t need to prove you knew the specific statute number, just that you knew it was wrong to access or disclose the information. Third, at least one person took an “overt act” toward the conspiracy. In our nurse example, pulling up the patient record is the overt act that completes the crime. What separates criminal HIPAA violations from civil ones comes down to intent. Civil violations can happen by accident – maybe you left patient files visible on your desk, or sent records to the wrong fax number. Those get you fired and maybe the hospital pays a fine to HHS Office for Civil Rights. But criminal violations require “knowingly” using or disclosing health information in violation of HIPAA. Add conspiracy charges, and now the government doesn’t even need to prove you actually disclosed anything – just that you agreed to do it.

The Federal Sentencing Trap Healthcare Workers Fall Into

The sentencing structure for these crimes is where medical staff get blindsided. Under 42 U.S.C. § 1320d-6, if you knowingly use or disclose health information illegally, you’re looking at up to 1 year in federal prison and $50,000 in fines. But here’s where it gets ugly–if you do it for “commercial advantage, personal gain, or malicious harm,” it jumps to a felony with up to 10 years in prison and $250,000 in fines. That “personal gain” doesn’t mean you need to sell the information. Courts have held that satisfying personal curiosity, impressing friends, or even workplace gossip can count as personal gain. Now throw in the conspiracy charges under 18 U.S.C. § 371. The conspiracy carries the same penalties as the underlying offense. So if prosecutors charge you with conspiracy to violate HIPAA for personal gain, you’re facing those same 10 years. But wait, it gets worse. Federal sentencing guidelines often run these sentences consecutively, not concurrently. If they charge you with multiple counts – say one for each patient record you accessed – you could be looking at decades in federal prison. The guidelines also consider “abuse of trust” by medical staff as an enhancement, adding more time to your sentence. They’ll charge you with conspiracy to commit felony HIPAA violations carrying 10 years, then offer a plea deal to misdemeanor charges with 6 months. Sounds like a great deal when you’re staring down a decade in federal prison, right? This is how they get 97% conviction rates – by overcharging, then offering plea deals that still result in criminal convictions. Even that “lenient” 6-month sentence means you’re a convicted federal criminal, you lose your professional license, and you’re excluded from working in healthcare.

Why Healthcare Fraud Prosecutors Love This Statute

Federal prosecutors treat HIPAA conspiracy charges like a swiss army knife – its useful for everything. Healthcare fraud cases are often complex, requiring proof of billing schemes, kickbacks, or medical necessity. But HIPAA violations? Those are simple. Did you access records without authorization? Did you share them with someone? Done.

It’s like prosecuting someone for speeding compared to prosecuting securities fraud.

The elements are straightforward, juries understand it immediately, and the evidence is usually crystal clear in audit logs. This statute also gives prosecutors incredible leverage in larger healthcare fraud investigations. Let’s say they’re investigating a medical practice for Medicare fraud, but the billing evidence is complicated. They’ll start hitting employees with HIPAA conspiracy charges – suddenly that medical assistant who accessed records illegally is facing 10 years. That assistant flips and becomes a cooperating witness in the bigger fraud case. Prosecutors use these charges to climb the ladder, flipping smaller fish to catch bigger ones. The conspiracy element makes it even more powerful. In a regular HIPAA violation, maybe only the person who accessed the records gets charged. But with conspiracy, everyone involved faces charges – the person who asked for the information, anyone who helped plan it, even people who just knew about it and didn’t report it. We’ve seen cases where entire departments get swept up because they all knew someone was accessing celebrity medical records, and their silence made them part of the conspiracy. This creates a prisoner’s dilemma where everyone races to cooperate first.

The Government’s Playbook – How They Build These Cases

First thing they do is subpoena electronic health record (EHR) audit logs. Every modern healthcare system tracks who accesses what records and when. These logs are devastating evidence—they show exactly when you accessed a record, what sections you viewed, how long you spent, and whether you had any legitimate reason to be in that patient’s file. Prosecutors love this because it’s black and white evidence thats nearly impossible to dispute. Next comes the digital forensics. They’ll seize your work computer, personal phone, and email accounts. That joke text about a patient? Evidence. That email where you mentioned someones diagnosis? Evidence. They use specialized software to recover deleted messages, and they’ll reconstruct entire conversation threads. Hospital employees always think they’re being careful, but digital footprints are everywhere. We’ve seen cases built entirely on Snapchat messages that defendants thought disappeared – spoiler alert, the feds can recover those too. Once they identify suspicious access patterns, they’ll approach the lowest-level employees involved. “We know you accessed these records. You’re facing 10 years. Want to help yourself?” Then they’ll have that person make recorded calls or wear a wire to meetings. Healthcare facilities are gossip mills, and prosecutors exploit this. They’ll have cooperators bring up patient information in break room conversations, waiting to see who takes the bait. One case in Florida involved an undercover agent posing as a medical records clerk who built cases against 15 employees by offering to pull records for personal reasons.

Defense Strategies That Actually Work

Fighting these charges requires attacking the conspiracy element hard. The government needs to prove an actual agreement to violate HIPAA – not just that multiple people did something wrong independently.

We hammer on this distinction.

Maybe you accessed records improperly, and maybe your coworker did too, but where’s the evidence you agreed to do it together? Parallel conduct isnt conspiracy. If everyone in the ER is inappropriately curious about a celebrity patient, that’s multiple separate violations, not necessarily one conspiracy. The “knowingly and willfully” requirement is another crucial defense angle. The government must prove you knew your conduct was unlawful. This isn’t about knowing HIPAA exists – it’s about knowing your specific actions violated federal criminal law. We’ve won cases by showing clients genuinely believed they had work-related reasons to access records. Maybe you’re a nurse who accessed your own records through the system instead of requesting them formally – technically a violation, but did you know it was criminally unlawful? Training materials that focus only on civil penalties help our defense here. Challenging the “personal gain” enhancement often makes the difference between misdemeanor and felony charges. Prosecutors try to stretch this definition, but we push back hard. Curiosity isn’t commercial advantage. Workplace gossip isn’t personal gain in the criminal sense. The statute was meant for people selling records or using them for identity theft, not employees being nosy. We’ve successfully argued that embarrassing someone or satisfying curiosity, while wrong, doesn’t meet the statutory definition of personal gain that transforms this into a 10-year felony.

What Triggers a Criminal Investigation

Criminal investigations don’t start randomly–specific events trigger federal attention.

The biggest trigger is when facilities self-report breaches to HHS Office for Civil Rights. Hospitals are required to report certain breaches, and OCR refers cases with criminal indicators to DOJ. What makes a case criminal? Large-scale breaches, celebrity victims, evidence of selling records, or organized schemes. But increasingly, we’re seeing criminal referrals for smaller violations when facilities want to make examples of employees. Whistleblower complaints are another major trigger. Former employees with axes to grind love reporting HIPAA violations. They know it gets federal attention and can destroy their former colleagues. The False Claims Act even provides financial incentives for reporting healthcare fraud, including HIPAA violations connected to billing fraud. These whistleblowers often provide inside information about access patterns, workplace culture, and specific incidents that give prosecutors a roadmap for building cases. HIPAA violations connect to other investigations too. Maybe the DEA is investigating pill mills and discovers staff accessing records to identify patients to sell drugs to. Or the FBI is investigating medical identity theft and finds hospital employees providing patient information. These parallel investigations are deadly because prosecutors are already engaged and looking to add charges. HIPAA conspiracy charges become add-ons that increase leverage and potential sentences.

The Collateral Damage Nobody Warns You About

Even if you avoid prison, a HIPAA conspiracy conviction destroys healthcare careers. Professional licensing boards treat federal convictions as automatic grounds for revocation.

Doesn’t matter if you pled to a misdemeanor with no jail time – you’re now a medical professional with a federal criminal conviction.

Nursing boards, medical boards, pharmacy boards, they all have mandatory reporting requirements. Your conviction gets reported, and your license gets pulled. Twenty years of education and experience, gone. Then comes exclusion from federal healthcare programs. The HHS Office of Inspector General maintains an exclusion list barring convicted individuals from any job where federal healthcare dollars are involved. Medicare, Medicaid, TRICARE, VA benefits – if the facility takes any federal money, they can’t employ you. This isn’t just clinical roles either. Excluded individuals can’t work in billing, administration, housekeeping, or even food service at facilities that accept federal programs. One conviction effectively bans you from the entire healthcare industry. Federal criminal convictions can’t be discharged in bankruptcy. Those $250,000 fines? You’ll be paying them forever. Restitution orders to victims add more debt. Professional liability insurance won’t cover criminal acts, so any civil lawsuits hit your personal assets. Student loans for nursing or medical school still need repayment, but now you can’t work in your field. We’ve seen clients forced into minimum wage jobs while paying thousands monthly in federal criminal debt.

Your Move When the FBI Shows Up

When federal agents knock on your door, every word matters. They’ll be friendly, saying things like “We just need to clear something up” or “You’re not in trouble, we just need your help understanding something.” This is a lie. If FBI agents are asking about healthcare records, you’re already a target or a subject of investigation.

Whatever you say becomes evidence, and they’re trained to get you talking before you realize the danger you’re in.

Medical professionals think they can explain their way out of trouble. “I only accessed those records because I was concerned about the patient.” “I mentioned it to my coworker because I needed clinical advice.” Stop. These explanations are confessions. You’re admitting to accessing records and sharing information. Maybe you think you’re providing innocent context, but prosecutors will use these statements to prove elements of the crime.

The ONLY correct response is: “I need to speak with my attorney before answering any questions.”

You need a criminal defense attorney who specifically handles healthcare fraud and HIPAA violations – not your cousin who does DUIs, not a general criminal lawyer. Federal healthcare prosecutions are specialized, with unique statutes, sentencing guidelines, and defense strategies. At Spodek Law Group, we’ve defended nurses, doctors, and hospital staff nationwide against HIPAA conspiracy charges. We know how prosecutors build these cases, which defenses work, and how to minimize both criminal penalties and professional consequences. When your career, freedom, and future are on the line, you need attorneys who’ve been in these exact fights before.

The conspiracy to unlawfully use health information statute turns everyday healthcare workers into federal criminals. One bad decision, one moment of poor judgment, and you’re facing years in federal prison. But with the right defense strategy and experienced attorneys, these charges can be beaten.

If you’re under investigation for HIPAA violations or healthcare fraud, contact Spodek Law Group at 888-997-5177.