In February 2024, OCR announced a $4.75 million settlement with Montefiore Medical Center after a hospital employee sold protected health information (PHI) of over 12,000 patients. The case is a stark reminder that HIPAA privacy violations don't always come from sophisticated cyberattacks — they often start with a single workforce member, a missing safeguard, or a process your organization assumed was working.

After years of helping covered entities and business associates navigate these risks, I can tell you the pattern is remarkably consistent. Organizations don't fail because they've never heard of HIPAA. They fail because they underestimate where the gaps are.

What Qualifies as a HIPAA Privacy Violation

The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, establishes national standards for how covered entities and business associates use and disclose PHI. A HIPAA privacy violation occurs whenever PHI is accessed, used, or disclosed in a way that doesn't comply with these standards.

That includes obvious scenarios — a nurse posting patient details on social media — and less obvious ones, like a front desk employee handing a patient the wrong paperwork, or a provider sharing more information with an insurer than the minimum necessary standard permits.

OCR doesn't distinguish between malicious intent and honest mistakes when determining whether a violation occurred. Intent and knowledge matter only later, when OCR assigns the penalty tier.

The Five Most Common HIPAA Privacy Violations OCR Investigates

Based on OCR's published enforcement actions and breach reports, these are the violations I see surface repeatedly:

  • Unauthorized access by workforce members. Employees snooping in medical records of coworkers, family members, or public figures. This was central to the UCLA Health System case and dozens of smaller settlements.
  • Impermissible disclosures to unauthorized parties. Sending PHI to the wrong patient, faxing records to an incorrect number, or mailing explanation of benefits documents to an outdated address.
  • Failure to provide patients access to their records. Under 45 CFR §164.524, patients have a right to access their PHI. OCR launched a targeted enforcement initiative in 2019 — the Right of Access Initiative — that has produced over 45 enforcement actions to date.
  • Lack of a valid Notice of Privacy Practices. Covered entities must provide patients with a clear notice explaining how their PHI will be used. Missing or outdated notices create liability.
  • Minimum necessary standard failures. Disclosing an entire medical record when only a specific section was requested by a health plan or another provider.

How OCR Penalizes HIPAA Privacy Violations

The HITECH Act established a four-tier penalty structure that OCR applies to all HIPAA privacy violations:

  • Tier 1: The entity was unaware and could not have reasonably known — $137 to $68,928 per violation.
  • Tier 2: Reasonable cause, not willful neglect — $1,379 to $68,928 per violation.
  • Tier 3: Willful neglect, corrected within 30 days — $13,785 to $68,928 per violation.
  • Tier 4: Willful neglect, not corrected — $68,928 to $2,067,813 per violation.

These amounts are adjusted annually for inflation. The calendar year cap across all identical violations is currently $2,067,813. In severe cases involving criminal violations — such as selling PHI — the Department of Justice can pursue criminal penalties including imprisonment up to 10 years under 42 U.S.C. § 1320d-6.

The Workforce Training Requirement Most Organizations Underestimate

Under 45 CFR §164.530(b), every covered entity must train all workforce members on its privacy policies and procedures. This isn't a suggestion — it's a regulatory requirement, and "workforce" includes employees, volunteers, trainees, and anyone under your organization's direct control.

Yet in case after case, OCR finds that training was either never completed, wasn't documented, or was so generic it failed to address the organization's actual workflows. A ten-minute video watched once during onboarding in 2018 doesn't meet the standard.

Effective privacy training must be role-specific, updated regularly, and documented with completion records your compliance officer can produce during an OCR investigation. If your organization needs a structured approach, HIPAA training and certification programs designed for healthcare workforces can close this gap efficiently.

Conduct a Risk Analysis Before OCR Does It for You

The single most-cited deficiency in OCR enforcement actions isn't a missing firewall or an unsecured laptop. It's the failure to conduct an adequate and thorough risk analysis as required under 45 CFR §164.308(a)(1)(ii)(A).

A risk analysis isn't a one-time checkbox. Your organization must evaluate risks to the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits — and revisit that analysis whenever operations change. New EHR system? New telehealth platform? New business associate? Each triggers a reassessment.

Healthcare organizations consistently struggle with this because they treat risk analysis as an IT task rather than an organizational one. Privacy risks live in how your front office handles patient intake, how your billing team transmits claims, and how your clinical staff discusses cases in shared spaces.

Business Associate Agreements: Your Liability Extends Beyond Your Walls

Under the Omnibus Rule of 2013, business associates are directly liable for HIPAA privacy violations. But your covered entity isn't off the hook. If you knew or should have known that a business associate was violating HIPAA and failed to take action, you share the liability.

Review your business associate agreements annually. Confirm they include breach notification obligations, permitted uses and disclosures, and return-or-destroy provisions for PHI upon contract termination. Verbal agreements and handshake deals don't satisfy 45 CFR §164.502(e).

Seven Steps to Reduce Your Privacy Violation Risk Today

  • Audit who has access to PHI and revoke access for any workforce member who doesn't need it for their job function.
  • Implement role-based access controls in your EHR and document the rationale.
  • Update your Notice of Privacy Practices to reflect current uses and disclosures, including any telehealth or patient portal changes.
  • Enforce the minimum necessary standard in every internal policy governing PHI disclosure.
  • Document all workforce training with dates, content covered, and attestations of completion.
  • Review and update business associate agreements on an annual cycle.
  • Conduct — or refresh — your organization-wide risk analysis before the end of this quarter.

If your workforce training program hasn't been updated recently, or if you lack documentation that would satisfy an OCR auditor, HIPAA Certify's workforce compliance platform provides structured training, tracking, and certification that aligns with regulatory expectations.

HIPAA Privacy Violations Are Preventable — But Only With Intentional Action

OCR investigated over 1,000 cases in fiscal year 2023 alone. The enforcement trends are clear: organizations that treat HIPAA compliance as a living, operational priority — not a binder on a shelf — avoid the settlements, the corrective action plans, and the reputational damage that follow a violation.

Your covered entity's compliance posture is only as strong as your weakest workflow, your least-trained team member, or your most outdated policy. The cost of prevention is a fraction of the cost of an OCR investigation. Act before the complaint arrives.