PRIA Logo
Take the PRIA Score
Title 42The Public Health and WelfareRelease 119-73

§1320d–6 Wrongful disclosure of individually identifiable health information

Title 42 › Chapter CHAPTER 7— - SOCIAL SECURITY › Subchapter SUBCHAPTER XI— - GENERAL PROVISIONS, PEER REVIEW, AND ADMINISTRATIVE SIMPLIFICATION › Part Part C— - Administrative Simplification › § 1320d–6

Last updated Apr 6, 2026|Official source

Summary

Makes it a crime for someone who knowingly breaks the rules to use a unique health ID, get a person’s private health information, or share that private health information with someone else. Unique health identifier means a special ID used for health records. Individually identifiable health information means health details that can be tied to a specific person. Penalties depend on how serious it is. For a basic offense the person can be fined up to $50,000, imprisoned up to 1 year, or both. If done under false pretenses the penalty is a fine up to $100,000, imprisonment up to 5 years, or both. If done to sell, transfer, or use the information for commercial gain, personal profit, or to harm someone the penalty is a fine up to $250,000, imprisonment up to 10 years, or both.

Full Legal Text

Title 42, §1320d–6

The Public Health and Welfare — Source: USLM XML via OLRC

(a)A person who knowingly and in violation of this part—
(1)uses or causes to be used a unique health identifier;
(2)obtains individually identifiable health information relating to an individual; or
(3)discloses individually identifiable health information to another person,
(b)A person described in subsection (a) shall—
(1)be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2)if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3)if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

Legislative History

Notes & Related Subsidiaries

Editorial Notes

Amendments

2009—Subsec. (a). Pub. L. 111–5 inserted at end “For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9(b)(3) of this title) and the individual obtained or disclosed such information without authorization.”

Statutory Notes and Related Subsidiaries

Effective Date

of 2009 AmendmentAmendment by Pub. L. 111–5 effective 12 months after Feb. 17, 2009, see section 13423 of Pub. L. 111–5, set out as an

Effective Date

note under section 17931 of this title.

Reference

Citations & Metadata

Citation

42 U.S.C. § 1320d–6

Title 42The Public Health and Welfare

Last Updated

Apr 6, 2026

Release point: 119-73