A supervisor at a mid-size hospital pulls up a coworker's medical record out of curiosity. A manager at a dental practice mentions an employee's psychiatric diagnosis during a team meeting. A company's HR department stores health information in an unlocked filing cabinet next to the break room. These aren't hypotheticals — I've consulted on variations of every single one.
If you've ever searched for "HIPAA violation employer," you're probably trying to answer one of two questions: Can my employer actually violate HIPAA? And if they did, what can I do about it? The answers are more nuanced than most blog posts will tell you. Let's get into it.
Most Employers Aren't Covered by HIPAA — and That's the Uncomfortable Truth
Here's where most people get tripped up. HIPAA only applies to covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically — and their business associates. Your average employer? Not a covered entity.
If you work for a marketing firm and your boss tells the whole office about your diabetes diagnosis, that's awful. It might violate the ADA or state privacy laws. But it's probably not a HIPAA violation.
The critical distinction: HIPAA restricts how covered entities and their business associates handle protected health information (PHI). It does not broadly regulate all employers who happen to learn about employee health conditions.
When Your Employer Is a Covered Entity
If you work for a hospital, health plan, physician's office, pharmacy, or any other covered entity, the calculus changes entirely. Your employer is bound by HIPAA's Privacy, Security, and Breach Notification Rules — not just for patients, but in how they handle PHI across the organization.
I've seen this dynamic play out dozens of times. A clinic manager accesses an employee's patient record because they want to verify a sick-day claim. That's a HIPAA violation, full stop. The employee is also a patient, and their medical record is PHI protected under the Privacy Rule.
If your organization employs people who also happen to be patients — and most healthcare employers do — you need crystal-clear policies about when accessing records crosses the line into a breach.
The $4.3 Million Mistake: Real Enforcement That Started with an Employer's Actions
OCR doesn't look the other way when covered entities mishandle employee-related PHI. Consider the University of Texas MD Anderson Cancer Center case. OCR imposed a $4.3 million civil monetary penalty after unencrypted devices containing ePHI were lost or stolen. The ePHI on those devices should have been safeguarded under the Security Rule, and the failures were organizational: leadership refused to implement encryption despite years of internal recommendations.
You can read the enforcement details directly on the HHS enforcement page for MD Anderson.
When an employer that qualifies as a covered entity fails to protect PHI — whether it belongs to patients, employees, or both — HHS and OCR treat it the same way. The source of the PHI doesn't create a loophole.
What Counts as a HIPAA Violation by an Employer?
This is the question I see most often, so let me answer it directly for anyone skimming.
A HIPAA violation by an employer occurs when the employer is a covered entity (or business associate) and improperly uses, discloses, or fails to safeguard PHI. Common examples include:
- A supervisor accessing an employee's medical record without a treatment, payment, or operations reason
- HR sharing an employee's diagnosis with managers who have no need to know
- Failing to encrypt ePHI on devices used by workforce members
- Not providing breach notification after a PHI exposure involving employee records
- Retaliating against an employee who files a HIPAA complaint with OCR
If the employer is not a covered entity, these actions may still violate other laws — but they fall outside HIPAA's jurisdiction.
The Employer Health Plan Trap Nobody Talks About
Here's a scenario I encounter constantly in consulting. A company isn't a healthcare provider. It's a manufacturing firm or a tech startup. But it sponsors a group health plan for employees. That group health plan is a covered entity under HIPAA.
This means the plan itself — and anyone administering it — must comply with HIPAA. If the HR director who manages health plan enrollment also shares claims data with the CEO to make staffing decisions, that's a HIPAA violation by an employer acting in its capacity as a health plan administrator.
OCR addressed this directly in guidance on the relationship between HIPAA and employer health information. The rule requires a firewall between health plan administration functions and employment decisions. Most small employers I've worked with have no idea this firewall is supposed to exist.
Group Health Plan PHI: What Must Stay Separate
If your organization sponsors a health plan, you need clear separation between plan administration and employment functions. PHI received in the plan-administration role cannot be used for hiring, firing, promotion, or discipline decisions.
I've seen companies of 50 employees where the same person processes insurance claims, manages payroll, and sits in on termination meetings. That's a compliance disaster waiting to be reported.
Snooping: The #1 Workforce HIPAA Violation Employers Face
Every year, OCR investigates cases where workforce members access PHI without authorization. In healthcare settings, this often means employees looking up coworkers' records, celebrity patients, family members, or neighbors.
Memorial Hermann Health System paid $2.4 million to settle with OCR after impermissibly disclosing a patient's PHI — including the patient's name — in a press release. While that case involved a patient rather than an employee, the enforcement principle is identical: unauthorized disclosure of PHI triggers HIPAA liability regardless of who the individual is.
If you manage a covered entity, your workforce needs training that goes beyond checkbox compliance. I recommend starting with a module specifically built for this problem — our course on accessing records and why curiosity equals a breach addresses the exact scenarios that lead to OCR complaints.
What to Do If Your Employer Violated Your HIPAA Rights
If you believe your employer — acting as a covered entity or health plan — violated HIPAA, you have a specific path forward:
- Document everything. Dates, names, what was disclosed, to whom, and how you found out.
- File a complaint with OCR. You can do this online through the HHS complaint portal. You have 180 days from the date you learned about the violation.
- Know that HIPAA does not allow private lawsuits. You cannot sue your employer directly under HIPAA. Only HHS/OCR and the Department of Justice can enforce it. But state laws may give you additional avenues.
- Check for retaliation protections. HIPAA's Privacy Rule prohibits covered entities from retaliating against individuals who file complaints. If your employer punishes you for reporting, that's a separate violation.
Incident Response: Your Organization's First 60 Minutes Matter Most
When a HIPAA violation by an employer is discovered — whether it's a snooping incident, an unauthorized disclosure in a meeting, or a lost device with ePHI — how you respond in the first hour shapes everything that follows.
OCR looks at whether the organization had incident response procedures, whether they were followed, and how quickly the breach notification process kicked in. An employer that catches a violation internally and responds within established protocols looks fundamentally different from one scrambling to cover its tracks weeks later.
I built our First 60 Minutes: Incident Response training specifically because I kept seeing organizations freeze when a breach surfaced. The organizations that survive OCR scrutiny are the ones that drilled for it before it happened.
Social Media Makes Employer HIPAA Violations Easier Than Ever
One trend I've watched accelerate: workforce members posting about workplace situations on social media in ways that expose PHI. A nurse vents on Facebook about a difficult shift and includes enough detail to identify a patient. A front-desk employee shares a funny story on TikTok about a caller — who happens to be a coworker seeking treatment.
When an employer fails to train its workforce on social media risks, it creates the conditions for a violation. OCR has repeatedly emphasized that covered entities must train all workforce members — not just clinicians — on PHI protections. If you haven't addressed social media in your training program, our Social Media & PHI course fills that gap.
The Bottom Line for Employers and Employees
HIPAA doesn't regulate every employer. But if your organization is a covered entity, a business associate, or sponsors a group health plan, a HIPAA violation by your employer is absolutely possible — and OCR has the enforcement teeth to prove it.
For employers: audit your access controls, train your workforce on real scenarios, build firewalls between health plan administration and employment decisions, and have an incident response plan that doesn't gather dust in a binder.
For employees: know your rights, document violations, and use OCR's complaint process. HIPAA may not let you sue, but it gives federal investigators a reason to show up at your employer's door.
Either way, the worst strategy is assuming it won't happen to your organization. I've never met a compliance officer who said, "We saw this coming and did nothing." They always say, "We didn't think it could happen here."