That's not actually true. It applies to health care data. If you're a software engineer making a system that includes HIPAA-protected data, you can face individual criminal liabilities for mishandling the data.

No, not really. If you are not a covered healthcare entity, or a business association of a covered healthcare entity, the law simply does not apply to you at all.

Also, I believe (but am not certain) that if there was any criminal case, it would be leadership (C*O) not individual software engineers who would be charged. This is speculation on my part, if anybody has clear facts I'm happy to hear them.