Legal Sanctions for Improper Disclosure or Use of Confidential Information
DHS employees must use or disclose confidential DHS information only as allowed in federal and state statute and in DHS privacy and security policies. Failure to comply may result in:
- Progressive disciplinary action, up to and including termination of employment.
- Civil and criminal penalties.
Third parties must use or disclose confidential DHS information only as allowed in federal and state statute. Failure to comply may result in:
- Financial sanctions or termination of the relationship and associated privileges of the third party.
- Civil and criminal penalties.
Sanctions related to violations of privacy rights include but are not limited to the following:
State Penalties
Progressive Discipline for DHS Employees
DHS Employee Handbook issued October 2018
These work rules constitute the general work rules applicable to employees of The Department of Human Services. Additional work rules may be promulgated which concern only individual positions, classification and/or work units when such rules are required by the nature of the work performed. Other rules are provided by statute, by Iowa Code, and by administrative procedures established by management to meet specific conditions. Violation of these rules may result in progressive discipline up to and including discharge.
Medicaid applicant and recipient information:
Iowa Code § 217.30(7) – Criminal Sanctions
Violation of this section shall constitute a serious misdemeanor.
Iowa Code § 217.31 – Civil Liability
Any person may institute a civil action for damages under chapter 669 or to restrain the dissemination of confidential records set out in section 217.30, subsection 1, paragraph “b”, “c”, or “d”, in violation of that section, and any person, agency or governmental body proven to have disseminated or to have requested and received confidential records in violation of section 217.30, subsection 1, paragraph “b”, “c”, or “d”, shall be liable for actual damages and exemplary damages for each violation and shall be liable for court costs, expenses, and reasonable attorney fees incurred by the party bringing the action. In no case shall the award for damages be less than one hundred dollars.
Any reasonable grounds that a public employee has violated any provision of section 217.30 shall be grounds for immediate removal from access of any kind to confidential records or suspension from duty without pay.
Mental health treatment information:
Iowa Code § 228.7(3) – Criminal Penalty
An employee or agent of a third-party payor or a peer review organization who willfully uses or discloses mental health information in violation of subsection 2 of this section is guilty of a serious misdemeanor, and, notwithstanding section 903.1, the sentence for a person convicted under this subsection is a fine not to exceed five hundred dollars in the case of a first offense, and not to exceed five thousand dollars in the case of each subsequent offense.
HIV/AIDS diagnosis and treatment information:
Iowa Code § 141A.11 – Civil Liability and Criminal Sanctions
A person aggrieved by a violation of this chapter shall have a right of civil action for damages in district court.
A care provider who intentionally or recklessly makes an unauthorized disclosure under this chapter is subject to a civil penalty of one thousand dollars.
A person who violates a confidentiality requirement of section 141A.5 is guilty of an aggravated misdemeanor.
A civil action under this chapter is barred unless the action is commenced within two years after the cause of action accrues.
The attorney general may maintain a civil action to enforce this chapter.
This chapter does not limit the rights of the subject of an HIV-related test to recover damages or other relief under any other applicable law.
This chapter shall not be construed to impose civil liability or criminal sanctions for disclosure of HIV-related test results in accordance with any reporting requirement for a diagnosed case of AIDS or a related condition by the department or the centers for disease control and prevention of the United States department of health and human services.
Substance abuse treatment information:
Iowa Code §§ 125.37, 125.93 – Criminal Penalty found in 42 CFR 2.3
Records of the identity, diagnosis, prognosis, or treatment of a person which are maintained in connection with the provision of substance abuse treatment services are confidential, consistent with the requirements of section 125.37, and with the federal confidentiality regulations authorized by the federal Drug Abuse Office and Treatment Act, 42 U.S.C. §290ee and the federal Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act, 42 U.S.C. §290dd-2.
Consumer personal information:
Iowa Code § 715C.2(9a) – Criminal Sanctions
A violation of this chapter is an unlawful practice pursuant to section 714.16 and, in addition to the remedies provided to the attorney general pursuant to section 714.16, subsection 7, the attorney general may seek and obtain an order that a party held to violate this section pay damages to the attorney general on behalf of a person injured by the violation.
The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under the law.
Child abuse records:
Iowa Code § 235A.20 – Civil Penalty
Any aggrieved person may institute a civil action for damages under chapter 669 or 670 or to restrain the dissemination of child abuse information in violation of this chapter, and any person, agency or other recipient proven to have disseminated or to have requested and received child abuse information in violation of this chapter, or any employee of the department who knowingly destroys assessment data except in accordance with rule as established by the department for retention of child abuse information under section 235A.18 shall be liable for actual damages and exemplary damages for each violation and shall be liable for court costs, expenses, and reasonable attorney’s fees incurred by the party bringing the action. In no case shall the award for damages be less than one hundred dollars.
Iowa Code § 235A.21 – Criminal Penalty
Any person who willfully requests, obtains, or seeks to obtain child abuse information under false pretenses, or who willfully communicates or seeks to communicate child abuse information to any agency or person except in accordance with sections 235A.15 and 235A.17, or any person connected with any research authorized pursuant to section 235A.15 who willfully falsifies child abuse information or any records relating to child abuse information, or any employee of the department who knowingly destroys assessment data except in accordance with rule as established by the department for retention of child abuse information under section 235A.18 is guilty of a serious misdemeanor. Any person who knowingly, but without criminal purposes, communicates or seeks to communicate child abuse information except in accordance with sections 235A.15 and 235A.17 shall be guilty of a simple misdemeanor.
Any reasonable grounds for belief that a person has violated any provision of this chapter shall be grounds for the immediate withdrawal of any authorized access such person might otherwise have to child abuse information.
Federal Penalties
Federal tax information:
26 U.S.C. § 7213 – Unauthorized Disclosure of Information
Any violation shall be a felony punishable by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution.
26 U.S.C. § 7213 – Unauthorized Inspection of Returns or Return Information
Any violation shall be punishable upon conviction by a fine in any amount not exceeding $1,000, or imprisonment of not more than 1 year, or both, together with the costs of prosecution.
Health Insurance Portability and Accountability Act:
Section 13410(D) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act by establishing:
- Four categories of violations that reflect increasing levels of culpability
- Four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation.
- A maximum penalty amount of $1.5 million for all violations of an identical provision.
Civil Monetary Penalty
Tier 1 - The Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
$100-$50,000 for each violation, up to a maximum of $25,000 for identical provisions during a calendar year
Tier 2 - The HIPAA violation had a reasonable cause and was not due to willful neglect.
$100-$50,000 for each violation, up to a maximum of $100,000 for identical provisions during a calendar year
Tier 3 - The HIPAA violation was due to willful neglect but the violation was corrected within the required time period.
$10,000-$50,000 for each violation, up to a maximum of $250,000 for identical provisions during a calendar year
Tier 4 - The HIPAA violation was due to willful neglect and was not corrected.
$50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year
Criminal Sanctions
Tier 1 - Offenses committed by covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information.
$50,000 fine and imprisonment up to 1 year
Tier 2 - Offenses committed under false pretenses allow penalties to be increased.
$100,000 fine and imprisonment up to 5 years
Tier 3 - Offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm.
$250,000 fine and imprisonment up to 10 years