42 USC 1320d-6 (HIPAA Sec. 1177) contains the criminal penalties for violating the HIPAA privacy standards. It states:
"a. Offense.—
A person who knowingly and in violation of this part—
1. uses or causes to be used a unique health identifier;
2. obtains individually identifiable health information relating to an individual; or
3. discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).
b. Penalties.—
A person described in subsection (a) shall—
1. be fined not more than $50,000, imprisoned not more than 1 year, or both;
2. if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
3. if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both."