A nurse in Tennessee pulls up her ex-husband's medical records after a custody dispute. A front desk worker in Colorado texts a photo of a patient's chart to a friend. A dental office in New York leaves a box of patient files next to a dumpster. Each of these is a HIPAA privacy violation — and each one triggered an investigation that ended in fines, firings, or both.

I've spent over a decade advising covered entities through these exact scenarios. The specifics change, but the pattern doesn't. Someone accesses, uses, or discloses protected health information (PHI) without authorization. Then the dominoes fall.

If you're searching for what constitutes a HIPAA privacy violation, what the penalties look like, and how to keep your organization off OCR's radar, this is the guide that answers all of it — with real enforcement actions and practical steps you can take this week.

What Exactly Is a HIPAA Privacy Violation?

A HIPAA privacy violation occurs when a covered entity or business associate fails to comply with the Privacy Rule standards set by HHS. That means any impermissible use or disclosure of PHI — whether intentional or accidental — falls under this umbrella.

The HHS Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. It applies to health plans, healthcare clearinghouses, and healthcare providers who conduct certain electronic transactions.

The Three Categories That Trigger Investigations

In my experience, most violations land in one of three buckets:

  • Unauthorized access: Staff members looking at records they have no business viewing. This is the most common trigger I see — and the one organizations underestimate most.
  • Impermissible disclosure: Sharing PHI with someone who isn't authorized to receive it, whether through conversation, fax, email, or social media.
  • Failure to safeguard: Leaving ePHI unencrypted on a stolen laptop, mailing records to the wrong address, or disposing of paper records improperly.

Each of these can happen in five seconds. Cleaning up the aftermath takes months — sometimes years.

The $4.3 Million Wake-Up Call from MD Anderson

The University of Texas MD Anderson Cancer Center learned this the hard way. Three data breaches involving unencrypted devices — a stolen laptop and two lost USB drives — exposed ePHI for over 33,500 individuals. OCR pursued enforcement, and a $4.3 million civil money penalty was imposed in 2017.

MD Anderson argued the penalties were excessive. The case went through administrative appeals, but the penalty stood. The core finding? They had written encryption policies on paper but hadn't actually implemented them across the organization.

I've seen this gap dozens of times. Policies exist in a binder on a shelf. Meanwhile, staff carry unencrypted thumb drives in their coat pockets. The policy doesn't protect you if the practice doesn't match.

Snooping: The HIPAA Privacy Violation Nobody Thinks Will Happen to Them

Let me tell you what I call the curiosity breach. A celebrity visits your ER. A coworker gets admitted. Your neighbor's kid shows up in the system. Someone on your team looks — not because they need to for treatment, payment, or operations, but because they're curious.

That's a HIPAA privacy violation. Full stop.

In 2020, OCR settled with URMC (University of Rochester Medical Center) for $3 million partly related to failures involving ePHI on unencrypted devices. But smaller, snooping-related cases hit the news constantly at the state level, often resulting in termination and individual criminal referrals.

The criminal penalties under 42 U.S.C. § 1320d-6 can reach $250,000 and up to 10 years in prison for violations committed with intent to sell or use PHI for personal gain.

Your workforce needs to understand this isn't just an HR issue. It's a federal matter. Our course Accessing Records: If It's Not Your Job, It's a Breach walks through exactly these scenarios with real-world examples your team will remember.

Social Media: Where Good Intentions Become Federal Problems

Here's what happens at least once a quarter in my consulting work: a well-meaning employee posts a photo from the office. Maybe they're celebrating a milestone or showing off a remodeled waiting room. In the background, a computer screen displays a patient name. Or a whiteboard lists the day's appointments.

That's a disclosure of PHI to the entire internet.

I've also seen staff post about difficult patient encounters on private Facebook groups, thinking "private" means protected. It doesn't. If the post contains enough detail to identify a patient — even without a name — it can constitute a HIPAA privacy violation.

Train your team specifically on this. Our Social Media & PHI training covers the exact line between acceptable and actionable — with examples pulled from real enforcement patterns.

What Are the Actual Penalties for a HIPAA Privacy Violation?

OCR uses a tiered penalty structure, updated under the HITECH Act. Here's the current breakdown:

  • Tier 1 — Unknowing: $137 to $68,928 per violation
  • Tier 2 — Reasonable cause: $1,379 to $68,928 per violation
  • Tier 3 — Willful neglect, corrected: $13,785 to $68,928 per violation
  • Tier 4 — Willful neglect, not corrected: $68,928 to $2,067,813 per violation

The annual cap for identical violations is $2,067,813. These numbers are adjusted for inflation annually. You can review current penalty amounts on the HHS enforcement page.

But here's what the penalty tables don't tell you: the investigation itself is brutal. OCR reviews your policies, your training records, your risk analyses, your incident logs. If they find systemic gaps — and they usually do — the corrective action plan can dictate how you run your compliance program for two to three years.

The First 60 Minutes After Discovery Determine Everything

When a potential HIPAA privacy violation surfaces, your response in the first hour sets the trajectory for everything that follows. I've watched organizations handle it well and organizations handle it terribly. The difference almost always comes down to whether they had a response plan — and whether anyone had practiced it.

What Your Team Should Do Immediately

  • Document exactly what happened: who, what, when, what PHI was involved, how many individuals affected.
  • Contain the breach — revoke access, retrieve disclosed information if possible, isolate affected systems.
  • Notify your Privacy Officer and begin the formal breach risk assessment under the Breach Notification Rule.
  • Do not delete logs, alter records, or instruct staff to stay quiet. That turns an incident into a cover-up.

Our First 60 Minutes: Incident Response course gives your team a step-by-step playbook for exactly this situation. It's the single most practical training I recommend for any covered entity.

Why Most Violations Start with a Training Gap

Here's the uncomfortable truth: most HIPAA privacy violations aren't committed by hackers. They're committed by your workforce. The medical assistant who shares a login. The billing clerk who takes work home on an unencrypted USB. The receptionist who confirms a patient's appointment to an unverified caller.

OCR has made workforce training a centerpiece of almost every corrective action plan they've issued. When Anthem settled for $16 million in 2018 — the largest HIPAA settlement in history at that time — failures in workforce training and access controls were front and center in OCR's findings.

Annual training isn't enough if it's a checkbox exercise. Your people need scenario-based education that sticks. They need to see themselves in the examples. Browse our full HIPAA training catalog for courses designed to do exactly that.

Five Steps to Reduce Your HIPAA Privacy Violation Risk Right Now

1. Run an Actual Risk Analysis

Not a questionnaire you downloaded three years ago. A current, thorough assessment of every place PHI lives in your organization — electronic and paper.

2. Audit Access Logs Monthly

If you're not reviewing who accessed what, you won't catch snooping until a patient complains or OCR shows up.
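A monthly log review is only useful if it is driven by concrete indicators rather than scrolling through raw entries. The script below is an added example, not code from this article or from any EHR vendor: it runs four snooping checks over a handful of constructed audit-log lines (workforce member opening their own record, an access with no treatment/payment/operations reason recorded, an access to a patient the user has no documented assignment to, and any access to a record the privacy office has flagged). The log format, the assignment table, the sensitive-record list and the own-record mapping are all assumptions constructed for illustration; in practice they come from the EHR audit trail, scheduling or billing worklists, and the privacy office.

```python
"""Monthly access-log review for snooping indicators.

Added example for this article, not code from the article or any EHR vendor.
Every table below is constructed for illustration; a real review pulls the
audit trail from the EHR, the assignment list from scheduling/billing, and
the sensitive-record list from the privacy office.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines: timestamp|user|patient|action|reason
SAMPLE_LOG = """\
2024-03-04T09:12:00|nurse_42|P1001|VIEW|TREATMENT
2024-03-04T09:40:00|nurse_42|P1002|VIEW|TREATMENT
2024-03-04T22:05:00|nurse_42|P2077|VIEW|
2024-03-05T10:00:00|clerk_07|P3001|VIEW|PAYMENT
2024-03-05T10:01:00|clerk_07|P3002|VIEW|PAYMENT
2024-03-06T14:30:00|clerk_07|P9001|VIEW|PAYMENT
2024-03-06T14:31:00|ma_15|P1001|VIEW|TREATMENT
2024-03-06T14:32:00|ma_15|P1015|VIEW|TREATMENT
"""

# Constructed: patients each workforce member is documented as working with.
# Absence from this table means no documented treatment/payment relationship.
ASSIGNMENTS = {
    "nurse_42": {"P1001", "P1002"},
    "clerk_07": {"P3001", "P3002"},
    "ma_15": {"P1001"},
}

# Constructed: records the privacy office wants reviewed on every access
# (employees who are also patients, high-profile admissions).
SENSITIVE_PATIENTS = {"P9001": "employee record", "P2077": "high-profile admission"}

# Constructed: a workforce member's own patient record, where one exists.
OWN_RECORD = {"ma_15": "P1015"}

VALID_REASONS = {"TREATMENT", "PAYMENT", "OPERATIONS"}


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, reason = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "patient": patient,
            "action": action, "reason": reason,
        })
    return events


def audit(events):
    """Return (user, patient, finding) tuples that a human reviewer should examine."""
    findings = []
    for e in events:
        user, patient = e["user"], e["patient"]
        # Finding 1: a workforce member opened their own record.
        if OWN_RECORD.get(user) == patient:
            findings.append((user, patient, "self-access"))
            continue
        # Finding 2: no treatment/payment/operations reason was recorded.
        if e["reason"] not in VALID_REASONS:
            findings.append((user, patient, "no documented TPO reason"))
        # Finding 3: the user has no documented assignment to this patient.
        if patient not in ASSIGNMENTS.get(user, set()):
            findings.append((user, patient, "no documented relationship"))
        # Finding 4: the record is on the privacy office's review list.
        if patient in SENSITIVE_PATIENTS:
            findings.append((user, patient, f"sensitive: {SENSITIVE_PATIENTS[patient]}"))
    return findings


def summarize(findings):
    """Count findings per user so the reviewer knows whom to follow up with first."""
    per_user = defaultdict(int)
    for user, _, _ in findings:
        per_user[user] += 1
    return dict(per_user)


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for user, patient, why in results:
        print(f"REVIEW {user} -> {patient}: {why}")
    print(summarize(results))
```

Every hit is a lead for the Privacy Officer to verify against the schedule and the chart, not a conclusion: a nurse pulled onto a different unit will legitimately appear under "no documented relationship," which is exactly why the assignment table has to be refreshed before each monthly run.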

3. Encrypt Everything That Moves

Laptops, USB drives, mobile devices, email attachments. Encryption is a safe harbor under the Breach Notification Rule: if a lost or stolen device held only ePHI encrypted in line with HHS guidance, and the decryption key was not compromised with it, the loss is not a reportable breach.

4. Train Beyond the Basics

Cover social media, insider snooping, and incident response — not just the definition of PHI. Make it specific to your workflows.

5. Document Relentlessly

If it's not documented, it didn't happen. OCR doesn't give credit for policies you remember writing but can't produce during an investigation.

Your Organization Is One Bad Day Away

Every covered entity I've ever worked with believed their team "knew better." Most of them were right — until they weren't. A single HIPAA privacy violation can cost you millions in penalties, months of OCR oversight, and damage to patient trust that takes years to rebuild.

The organizations that survive intact aren't the ones with the thickest policy manuals. They're the ones whose staff can tell you — without looking it up — what to do when something goes wrong. That comes from training that's practical, specific, and ongoing.

Start with your biggest gaps. Build from there. And don't wait for OCR to tell you what you should have done differently.