[dragonwriter]

> The punishment for violating HIPPA is not placed on the individual, it's placed on the company.

Be careful believing that; it's true that direct liability under HIPAA is almost exclusively for be covered entity as such, but individuals may be criminally liable for HIPAA violations in two ways:

(1) Certain directors, officers, and employees may be liable under general principles of corporate criminal liability, and

(2) Individual employees (and other inbividuals) not criminally liable under (1) for direct HIPAA violations that have a role in it may be liable for conspiracy or aiding and abetting (the latter of which has identical punishment to the crime it relates to) related to the underlying crime committed by the covered entity that is their employer.

So, yes, actually knowingly leaking PHI that subjects the company to crimination penalties under HIPAA would likely also subject you to criminal penalties tied to that HIPAA violation.