A Nurse Looked Up Her Neighbor's Medical Records. It Cost Her Employer $1.44 Million.
In 2023, the HHS Office for Civil Rights settled with Yakima Valley Memorial Hospital for $240,000 after 23 security guards accessed patient medical records without any treatment, payment, or operational reason. Twenty-three employees. Same organization. Same violation. The hospital also had to adopt a corrective action plan that cost far more than the settlement itself.
That case is one of the clearest HIPAA violation examples in the workplace I've ever seen — and it's far from rare. In my experience consulting with covered entities across healthcare, the violations that trigger OCR investigations almost always start with something mundane. A curious employee. A misplaced printout. A group text that included a patient's name.
This post walks through the most common workplace HIPAA violations, what they actually cost, and what your organization can do right now to prevent them. If you manage staff who touch PHI in any capacity, this is the list you need to internalize.
What Counts as a HIPAA Violation in the Workplace?
A HIPAA violation occurs whenever a covered entity or its workforce fails to comply with any provision of the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule. In the workplace, that usually means an employee accessed, disclosed, or failed to safeguard protected health information (PHI) in a way that wasn't authorized.
The key thing most people miss: HIPAA doesn't just apply to doctors and nurses. It applies to every member of the workforce — receptionists, billing clerks, IT staff, security guards, even volunteers. If your organization is a covered entity or business associate, every person with access to PHI is a potential compliance liability.
The 8 Most Common HIPAA Violation Examples in the Workplace
1. Snooping in Medical Records
This is the violation I encounter most frequently. An employee looks up a coworker's records. A registration clerk checks on a celebrity patient. A nurse pulls up her ex-husband's chart. None of these access events are related to treatment, payment, or healthcare operations — the only three reasons workforce members are permitted to view PHI.
The Yakima Valley case mentioned above is a perfect example, but it's not isolated. UCLA Health System paid $865,500 in 2011 after employees repeatedly accessed celebrity patient records. These aren't gray areas. They're fireable offenses and reportable breaches. Our course Accessing Records: If It's Not Your Job, It's a Breach was built specifically because this violation is so persistent.
2. Discussing Patients in Public Areas
Elevator conversations. Cafeteria gossip. Hallway consultations within earshot of visitors. I've personally stood in hospital lobbies and overheard staff discuss diagnoses, medications, and patient names — all in the span of five minutes.
The Privacy Rule's minimum necessary standard requires your workforce to limit PHI disclosures to the smallest amount needed. Talking about a patient's condition where unauthorized people can hear it violates that standard. Period.
3. Sharing PHI on Social Media
This one has exploded in the last few years. A medical assistant posts a photo from a treatment room — and a patient's chart is visible in the background. A nurse tweets about a "difficult patient" with enough details that the patient's friends identify them. An EMT shares a crash scene photo that shows a victim's face.
Every one of these is a potential HIPAA violation, and some have led to termination and OCR complaints. If your team hasn't taken dedicated training on this topic, our Social Media & PHI course addresses exactly these scenarios with real examples.
4. Emailing or Texting PHI Without Encryption
The HIPAA Security Rule requires covered entities to implement technical safeguards for ePHI — and that includes transmission security. When your staff sends a patient's lab results over regular SMS or unencrypted email, they've just transmitted ePHI across channels that anyone with the right access can intercept.
I've seen clinics where providers text patient names and diagnoses to each other on personal cell phones every single day. That's not a one-time slip. That's a systemic violation waiting for an OCR audit.
5. Leaving Paper Records or Screens Unattended
Printouts left on a shared printer. A workstation logged in and facing a public hallway. A fax containing PHI sitting in a tray for hours. These physical safeguard failures are among the most common HIPAA violation examples in the workplace because they're so easy to overlook.
The Security Rule requires workstation security measures — and the Privacy Rule requires reasonable safeguards to prevent incidental disclosures. Leaving a screen unlocked while you grab coffee violates both.
6. Improper Disposal of PHI
Tossing patient records into a regular trash can. Recycling printed lab results without shredding. Donating an old hard drive without wiping it. HHS has made clear that covered entities must render PHI unreadable and indecipherable before disposal — see the HHS FAQ on PHI disposal for details.
In 2018, Filefax, Inc. paid a $100,000 settlement to OCR after medical records were found dumped in an unlocked dumpster accessible to the public. That's what happens when disposal procedures aren't enforced.
7. Failing to Report a Breach
Here's the scenario I dread: an employee realizes they accidentally sent a patient's records to the wrong fax number. Instead of reporting it, they hope nobody notices. Weeks later, the recipient files a complaint with OCR.
The HIPAA Breach Notification Rule requires covered entities to report breaches of unsecured PHI. Failing to report doesn't make the breach go away — it makes the penalty worse. If your workforce doesn't know the first steps after an incident, our First 60 Minutes: Incident Response training walks through exactly what to do and when.
8. Sharing Login Credentials
One password shared between three front-desk staff. A provider who gives a medical assistant their EHR credentials "to save time." This destroys audit trail integrity — and audit trails are a required Security Rule safeguard under 45 CFR § 164.312(b). When OCR investigates a breach and finds shared credentials, the organization can't even prove who accessed what.
What These Violations Actually Cost
OCR's penalty structure has four tiers, and the numbers add up fast. Here's the current framework under the HITECH-adjusted penalty tiers at 45 CFR Part 160, Subpart D:
- Tier 1 (Did Not Know): $137 to $68,928 per violation
- Tier 2 (Reasonable Cause): $1,379 to $68,928 per violation
- Tier 3 (Willful Neglect, Corrected): $13,785 to $68,928 per violation
- Tier 4 (Willful Neglect, Not Corrected): $68,928 to $2,067,813 per violation
Annual caps can reach over $2 million per violation category. And remember — these are per violation. A single snooping incident involving 500 records could theoretically generate 500 individual violations.
Beyond OCR penalties, your organization faces state attorney general actions, private lawsuits, reputational damage, and the cost of mandatory corrective action plans that often stretch over two to three years.
The Pattern OCR Investigators Look For
I've reviewed enough resolution agreements to spot a pattern. OCR doesn't just punish the violation itself — they punish the absence of prevention. Almost every major settlement mentions one or more of the following failures:
- No documented workforce training on HIPAA policies
- No risk analysis or an outdated risk analysis
- No audit controls to detect unauthorized access
- No sanctions policy — or a sanctions policy that was never enforced
When your organization can't show that it trained staff, monitored access, and enforced consequences, OCR treats the violation as systemic rather than isolated. That shifts the penalty from Tier 1 to Tier 3 or 4.
How to Prevent Workplace HIPAA Violations Before They Happen
Train Specifically, Not Generically
Annual HIPAA training that consists of a slide deck nobody reads isn't compliance — it's theater. Your workforce needs scenario-based training tied to their actual roles. A billing clerk faces different risks than an ER nurse. A receptionist needs different guidance than an IT administrator.
Explore our full HIPAA training catalog for role-specific courses that address the real-world violations described in this post.
Audit Access Logs Monthly
If you only check access logs after a complaint, you've already lost. Proactive auditing catches snooping before it becomes a breach report. Set a schedule — monthly at minimum — and flag any access that doesn't correspond to a scheduled appointment or active case.
Enforce Sanctions Consistently
Your sanctions policy is meaningless if you fire a medical assistant for snooping but look the other way when a physician does the same thing. OCR looks for consistent enforcement across all workforce levels. Document every sanction. Every warning. Every termination.
Make Reporting Easy and Safe
Employees won't report incidents if they fear retaliation. Build a reporting culture where catching a breach early is rewarded, not punished. Anonymous reporting hotlines, clear escalation procedures, and leadership modeling all contribute to faster breach detection.
The Violation You Haven't Caught Yet
Here's what keeps me up at night as a consultant: the violations happening right now that nobody knows about. The receptionist who looked up her sister's records last Tuesday. The provider who texted a patient's diagnosis to a colleague's personal phone this morning. The printed schedule sitting on a counter in the break room.
These HIPAA violation examples in the workplace aren't hypothetical. They're happening in organizations that believe they're compliant. The difference between a compliant organization and a penalized one isn't the absence of mistakes — it's the presence of systems designed to catch them, report them, and prevent them from recurring.
Your workforce is your greatest asset and your biggest vulnerability. Train them like it matters, because OCR will eventually test whether you did.