In February 2024, a small dental practice in New England agreed to a $50,000 settlement with the Office for Civil Rights after a former patient filed a complaint alleging unauthorized disclosure of their treatment records to a family member. The practice had no written authorization on file, no documented policies governing disclosures, and no evidence of workforce training. That single HIPAA privacy violation — a disclosure that likely took less than a minute — triggered an investigation that consumed months of staff time and ended with a corrective action plan lasting two years.
This is the pattern I see repeatedly in my work with covered entities. The violation itself is often mundane. The consequences are not.
What Constitutes a HIPAA Privacy Violation Under the Privacy Rule
A HIPAA privacy violation occurs when a covered entity or business associate uses or discloses protected health information (PHI) in a manner not permitted by the Privacy Rule at 45 CFR Part 164, Subpart E. That rule establishes the conditions under which PHI may be used, disclosed, or requested — and it is far more granular than most organizations realize.
Common categories of violations include:
- Unauthorized disclosures — sharing PHI with individuals or entities without a valid authorization, treatment/payment/operations justification, or applicable exception.
- Failure to apply the minimum necessary standard — disclosing more PHI than needed for a specific purpose, a requirement under 45 CFR §164.502(b).
- Impermissible access by workforce members — employees accessing patient records out of curiosity, personal interest, or for non-job-related reasons (often called "snooping").
- Failure to provide the Notice of Privacy Practices — not informing patients of their rights or your organization's privacy practices as required under §164.520.
- Denial of patient access rights — refusing or unreasonably delaying a patient's request to access their own records, a violation OCR has specifically targeted through its Right of Access Initiative.
Each of these represents a distinct failure point. And each one can independently trigger an OCR complaint or investigation.
How OCR Investigates a HIPAA Privacy Violation Complaint
OCR receives between 25,000 and 35,000 complaints per year. Not every complaint results in a formal investigation, but every complaint is reviewed. When OCR opens an investigation, the process typically follows a predictable path.
First, OCR requests documentation: your policies, your training records, your risk analysis, your authorization forms, and any incident reports related to the alleged violation. If your organization cannot produce these documents — or if they reveal additional gaps — the investigation scope expands.
Second, OCR evaluates whether the violation resulted from willful neglect, which carries the highest penalty tier under the HITECH Act's enforcement framework. Penalties for violations due to willful neglect that are not corrected within 30 days range from $50,000 to over $2 million per violation category, per calendar year.
Third, OCR determines whether a corrective action plan, resolution agreement, or civil monetary penalty is appropriate. In recent years, OCR has favored resolution agreements that require organizations to implement specific compliance measures over defined periods — typically one to three years.
The Documentation Gap That Sinks Organizations
Healthcare organizations consistently struggle with one aspect of OCR investigations more than any other: producing evidence that compliance measures were in place before the violation occurred. A policy written after the complaint arrives carries no weight. Training conducted the week after an employee improperly accessed records does not demonstrate prior compliance.
This is why ongoing, documented HIPAA training and certification for your entire workforce is not optional — it is your most defensible evidence during an investigation. OCR explicitly looks for training documentation when evaluating whether a violation resulted from reasonable cause or willful neglect.
Five Steps to Reduce Your HIPAA Privacy Violation Risk
Preventing violations requires more than good intentions. It requires infrastructure. Here are the measures I recommend to every covered entity and business associate I work with:
1. Conduct and Update Your Risk Analysis Annually
The Security Rule requires a thorough risk analysis under §164.308(a)(1)(ii)(A), but the Privacy Rule's administrative requirements also demand that you evaluate risks to PHI in all forms — electronic, paper, and verbal. Many organizations complete a risk analysis once and never revisit it. OCR treats a stale risk analysis as a red flag.
2. Enforce the Minimum Necessary Standard in Every Workflow
Review how PHI moves through your organization. Who has access to what? Are role-based access controls in place? Does your EHR limit visibility based on job function? The minimum necessary standard applies to internal uses, not just external disclosures.
3. Train Every Workforce Member — Including Volunteers and Contractors
Under §164.530(b), covered entities must train all members of the workforce on policies and procedures related to PHI. "Workforce" under HIPAA includes employees, volunteers, trainees, and any person under your organization's direct control. A comprehensive workforce HIPAA compliance program ensures no one falls through the cracks.
4. Implement and Audit Access Controls
Snooping violations are among the most common privacy complaints. Implement audit logging on your EHR and review access logs proactively — not just after a complaint. Random audits serve as both a detection tool and a deterrent.
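As an added illustration that is not part of this article, the following Python script runs the two checks that steps 2 and 4 describe over constructed EHR access-log lines: access by a user with no documented relationship to the patient, and access to a record section beyond what the user's role needs. The log format, the per-patient roster and the role table are assumptions for the example, not any real EHR's schema.

```python
"""Added example: review constructed EHR access-log lines for possible snooping.

Not from the original article; the log format, roster and role rules are assumed."""
import csv
from io import StringIO

# Constructed roster: users with a documented treatment, payment or operations
# reason to open each patient's record (the "assumed" relationship check).
ASSIGNED_USERS = {
    "P1001": {"dr_lee", "rn_ortiz", "clerk_kim"},
    "P1002": {"dr_lee"},
}
# Constructed minimum-necessary table: record sections each role may view.
ROLE_ALLOWED = {
    "physician": {"chart", "labs", "notes", "billing"},
    "nurse": {"chart", "labs", "notes"},
    "billing": {"billing"},
}
# Constructed log lines: ts,user,role,patient,section,action
SAMPLE_LOG = """\
ts,user,role,patient,section,action
2024-02-01T09:01:00,dr_lee,physician,P1001,notes,view
2024-02-01T09:05:00,rn_ortiz,nurse,P1001,labs,view
2024-02-01T09:30:00,rn_ortiz,nurse,P1002,chart,view
2024-02-01T10:00:00,clerk_kim,billing,P1001,billing,view
2024-02-01T10:02:00,clerk_kim,billing,P1001,notes,view
"""


def review_access_log(log_text, assigned=ASSIGNED_USERS, role_allowed=ROLE_ALLOWED):
    """Return (user, patient, section, reason) tuples for a human reviewer.

    Check 1: the user must have a documented relationship to the patient.
    Check 2: the section viewed must be permitted for the user's role.
    A hit is a candidate for follow-up and documentation, not a verdict."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["user"] not in assigned.get(row["patient"], set()):
            findings.append((row["user"], row["patient"], row["section"],
                             "no treatment, payment or operations relationship"))
        if row["section"] not in role_allowed.get(row["role"], set()):
            findings.append((row["user"], row["patient"], row["section"],
                             "section exceeds role (minimum necessary)"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

On the sample, the nurse opening a chart for a patient not on her assignments and the billing clerk opening clinical notes are the two lines a reviewer would see; the legitimate accesses produce nothing.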
5. Document Everything in Real Time
Every authorization, every training session, every policy update, every access review — document it when it happens. Retroactive documentation is unreliable and unpersuasive to OCR investigators.
The Real Cost of a HIPAA Privacy Violation Goes Beyond Fines
Organizations that experience a HIPAA privacy violation often focus on the financial penalty. But the operational costs are typically far greater. Staff time consumed by the investigation, legal fees, reputational damage, and the burden of a multi-year corrective action plan create a compounding impact that falls especially hard on small and mid-size practices.
Between 2019 and 2024, OCR resolved over 150 cases with monetary settlements or civil monetary penalties, with individual resolution amounts ranging from $3,500 to $4.75 million. The organizations at the lower end of that range almost always had one thing in common: they could demonstrate good-faith compliance efforts, including documented training and current policies.
Your organization does not need to be perfect. But it does need to be prepared. The difference between a technical assistance closure and a six-figure settlement often comes down to whether you can prove — with documentation, not assertions — that your workforce understood the Privacy Rule before something went wrong.