Summary:
Healthcare professionals must strictly adhere to HIPAA regulations and ethical guidelines, prioritizing patient privacy and proper authorization over personal relationships or curiosity. Unauthorized access to patient information, even by credentialed individuals, undermines trust, violates legal standards, and can lead to serious consequences.
Case Study: A nurse on the floor reported that the husband of a patient was looking at his wife’s chart and placing orders. Although the husband is a physician on the medical staff, he is not a member of the patient’s treatment team. The nurse asks you, as the chief medical officer, “Is he allowed to do this?”
WHAT IS HIPAA?
This case highlights the importance of HIPAA, which stands for the Health Insurance Portability and Accountability Act of 1996. This federal law was created to protect sensitive patient health information from being used or shared without the patient’s consent; the Privacy Rule that implements that protection was issued by HHS in 2000 and took effect for most covered entities in 2003. This law protects patient privacy, which, in turn, promotes trust in healthcare.
Before 1996, there was widespread concern that, with the rapid expansion of electronic health data, personal health information was not secure and could easily be accessed by people with whom the individual never intended to share it. Additionally, there were growing concerns that employers or insurers might discriminate against individuals based on their private health information.
Health information privacy was akin to the Wild West. There was no federal rule governing the confidentiality and protection of health information. While most providers acted within reason, no one had defined what protecting sensitive information meant or how it was going to be regulated.(1)
Imagine you are being considered for a promotion at work. You’re the most qualified candidate, but your anxiety has started to affect your work performance. Instead of seeking medical help and likely being put on medication, you pretend everything is OK. You fear that if you see a professional, your employer may be notified, and your chance of being promoted would be out the window. Ultimately, your anxiety over hiding your anxiety takes an even greater toll: the promotion goes to someone else.(1)
Congress responded with HIPAA, and the Privacy Rule issued under it limits the use and disclosure of health data.
KEY COMPONENTS OF HIPAA
HIPAA has four key components or rules:(2)
1. Privacy Rule: Sets standards for protecting patients’ medical records and other personal health information.
The Privacy Rule’s Safe Harbor method lists 18 identifiers of the patient, and of the patient’s relatives, employers, and household members, that must be removed before health information is considered de-identified and no longer subject to HIPAA; the alternative is a documented determination by a qualified expert that the risk of re-identification is very small.(3) Under Safe Harbor the covered entity must also have no actual knowledge that the remaining information could identify the individual. The 18 identifiers are:
Names
Geographic subdivisions smaller than a state (street address, city, county, and ZIP code; the first three digits of a ZIP code may be kept when the area they cover has more than 20,000 people)
All elements of dates (other than year) directly related to an individual, including birth, admission, discharge, and death dates, and all ages over 89
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate or license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web URLs
IP addresses
Biometric identifiers, including fingerprints and voice prints
Full-face photographs and any comparable images
Any other unique identifying number, characteristic, or code
2. Security Rule: Defines technical and non-technical standards for ePHI, that is, PHI that a covered entity creates, receives, maintains, or transmits electronically.(4) Requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.(5)
3. Breach Notification Rule: Requires covered entities (and, through them, their business associates) to notify affected individuals, HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets when unsecured PHI is breached.(5)
4. Enforcement Rule: Establishes procedures for investigations and penalties for non-compliance.(5,6)
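The Safe Harbor list above is easy to apply to columns that hold an identifier outright; the parts that trip implementations up are the three elements the rule lets you keep in reduced form (dates, ages, ZIP codes) and identifiers that survive inside free text. The following is an added example written for this page, not code from the original article: it applies the Safe Harbor rule to a constructed record, generalises dates to the year, ages over 89 to a single bucket, and ZIP codes to their first three digits (or 000 for the sparsely populated prefixes the rule names), then scans the remaining text fields for identifier patterns. The field names and the sample record are assumptions.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example; not code from the original article. Implements the Privacy
Rule's Safe Harbor method (45 CFR 164.514(b)(2)): identifier fields are
dropped, the three elements allowed in reduced form are generalised, and a
second pass scans free text for identifiers that survive as patterns, which
the rule's catch-all "any other unique identifying number, characteristic,
or code" covers. Field names and the sample record are assumptions.
"""
import re

# Direct-identifier fields to drop entirely (assumed schema).
IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address", "biometric_id",
    "photo_ref",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering 20,000 or fewer people in the census
# data the rule references; Safe Harbor requires these to become 000.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Patterns for identifiers that leak through free-text fields such as notes.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for a restricted or short prefix."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(iso_date: str) -> str:
    """Every date element except the year must go (input is YYYY-MM-DD)."""
    return iso_date[:4]


def generalize_age(age: int) -> str:
    """Ages over 89 are themselves identifying and collapse into one bucket."""
    return "90+" if age > 89 else str(age)


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor copy of `record`; the input is not modified."""
    out = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Scan string fields for leftover identifiers; returns (field, kind) pairs.

    A non-empty result means the record is not de-identified, regardless of
    which columns were dropped.
    """
    hits = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in TEXT_PATTERNS.items():
            if pattern.search(value):
                hits.append((key, kind))
    return hits


# Constructed sample record; no real person is described.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-1001", "ssn": "123-45-6789",
    "email": "jane@example.com", "dob": "1931-05-17", "age": 92,
    "zip": "03601", "admit_date": "2024-02-03", "diagnosis": "I21.4",
    "notes": "Spouse is primary contact: cell 555-0137, spouse@example.com",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```

Running the sample shows why column dropping alone is not enough: the structured identifiers are gone, the ZIP prefix 036 is zeroed and the age becomes "90+", but the notes field still carries a phone number and an email address, so the record fails the residual scan and would need the notes redacted (or an expert determination) before it leaves HIPAA’s scope.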
IS IT POSSIBLE TO OVERRIDE EHR RESTRICTIONS?
Yes. In emergencies or other exceptional situations, a user can intentionally override access restrictions to view a patient’s electronic health record (EHR). This is referred to as “breaking the glass.”
In many healthcare systems, certain patient records are restricted or flagged for extra privacy — for example, VIP patients, hospital employees, psychiatric patients, or high-profile individuals, as well as family members of staff.
If a healthcare provider needs to access these sensitive records, the system may prompt a “break the glass” warning, requiring a deliberate override, a reason for access (which is logged), or a higher level of accountability.
It is important to note that breaking the glass does not exempt someone from HIPAA requirements. In other words, it does not make unauthorized access legal; it simply records that the user bypassed standard barriers.
Improper or unjustified use of break-the-glass access is itself a HIPAA violation and can lead to internal disciplinary action, termination, fines, or legal consequences. While it’s a built-in system feature, those utilizing this feature must still comply with HIPAA rules. “Breaking the glass” is highly monitored and audited to prevent misuse.
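The three properties the section describes (a restricted flag that stops off-team users, an override that is never silent because a reason must be supplied and logged, and an audit that reviews every override afterwards) fit in a few dozen lines. The block below is an added example written for this page, not code from the original article or from any EHR vendor: it models that policy, then runs the case study through it and shows what a privacy officer’s audit pass would surface. The policy details (override grants viewing only, not ordering), the user ids, and the log records are all assumptions.

```python
"""Break-the-glass access control with an audit pass over the log.

Added example; not code from the original article or any EHR vendor. It
models the mechanism described above: restricted charts stop anyone outside
the care team unless they deliberately break the glass with a reason, every
attempt is logged whether or not it succeeded, and an audit later flags each
override and each access from outside the care team. All policy details,
identifiers and log records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Patient:
    mrn: str
    last_name: str
    care_team: frozenset       # user ids assigned to this admission
    restricted: bool = False   # VIP / employee / family-of-staff flag


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    mrn: str
    action: str                # "view" or "order"
    allowed: bool
    broke_glass: bool
    reason: Optional[str]


def decide(user: str, patient: Patient, action: str,
           break_glass_reason: Optional[str] = None) -> Tuple[bool, bool]:
    """Return (allowed, broke_glass). Assumed policy: care-team members may view
    and order; an unrestricted chart is open to credentialed users (still
    logged); a restricted chart refuses everyone else unless a reason is given,
    and even then the override grants viewing only, since placing orders is a
    treatment act reserved for the assigned team."""
    if user in patient.care_team:
        return True, False
    if not patient.restricted:
        return True, False
    if action == "view" and break_glass_reason:
        return True, True
    return False, False


def request_access(log: list, user: str, patient: Patient, action: str,
                   break_glass_reason: Optional[str] = None, ts: str = "") -> bool:
    """Apply the policy and append an audit record either way."""
    allowed, broke = decide(user, patient, action, break_glass_reason)
    log.append(AccessEvent(ts, user, patient.mrn, action, allowed, broke,
                           break_glass_reason))
    return allowed


def audit(log: list, patients: dict, user_last_names: dict) -> list:
    """Return (finding, user, mrn) tuples for a privacy officer to review:
    every glass-break, every successful off-team access, and any off-team
    attempt where the user's surname matches the patient's (a simple heuristic
    that surfaces the spouse in the case study)."""
    findings = []
    for ev in log:
        patient = patients[ev.mrn]
        off_team = ev.user not in patient.care_team
        if ev.broke_glass:
            findings.append(("break_glass", ev.user, ev.mrn))
        if ev.allowed and off_team:
            findings.append(("off_team_access", ev.user, ev.mrn))
        if off_team and user_last_names.get(ev.user) == patient.last_name:
            findings.append(("possible_family_access", ev.user, ev.mrn))
    return findings


# Constructed scenario mirroring the case study: a staff physician who is not
# on his wife's care team tries to view her restricted chart and place orders.
PATIENTS = {
    "MRN-1001": Patient("MRN-1001", "Rivera", frozenset({"dr_chen", "rn_okafor"}),
                        restricted=True),
    "MRN-1002": Patient("MRN-1002", "Lee", frozenset({"dr_chen"})),
}
STAFF_LAST_NAMES = {"dr_chen": "Chen", "rn_okafor": "Okafor", "dr_rivera": "Rivera"}


def run_scenario() -> Tuple[tuple, list]:
    log = []
    wife, other = PATIENTS["MRN-1001"], PATIENTS["MRN-1002"]
    decisions = (
        request_access(log, "rn_okafor", wife, "view", ts="t1"),   # on team
        request_access(log, "dr_rivera", wife, "view", ts="t2"),   # blocked
        request_access(log, "dr_rivera", wife, "view",
                       break_glass_reason="checking on my wife", ts="t3"),
        request_access(log, "dr_rivera", wife, "order",
                       break_glass_reason="checking on my wife", ts="t4"),
        request_access(log, "dr_rivera", other, "view", ts="t5"),  # open chart
    )
    return decisions, audit(log, PATIENTS, STAFF_LAST_NAMES)


if __name__ == "__main__":
    decisions, findings = run_scenario()
    print("decisions:", decisions)
    for finding in findings:
        print(*finding)
```

Two design points carry over to real systems. First, the denied attempts are logged too: the audit flags the physician’s blocked view and his blocked order as possible family access, which is the signal the nurse in the case study reported by hand. Second, the override reason is free text and is not validated at access time; that is deliberate, because the system cannot judge whether “checking on my wife” is a legitimate treatment purpose, only the audit can, which is exactly why the section says break-the-glass never makes an access lawful on its own.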
EXAMPLES OF REAL PENALTIES
There have been some high-profile cases where a celebrity’s personal health information has been accessed when it should not have been. Listed here are six well-known cases and the penalties incurred by those who violated HIPAA.(7)
George Clooney – In 2007, the famed actor was being treated at Palisades Medical Center in New Jersey for injuries sustained in a motorcycle accident. Twenty-seven workers peeked at Clooney’s medical records and were suspended for one month without pay.
Britney Spears – In 2008, Britney Spears was hospitalized at UCLA Medical Center for psychiatric reasons. Thirteen hospital employees were fired and six others suspended for inappropriately accessing her files.
Farrah Fawcett and Maria Shriver – In 2008, an employee at UCLA Medical Center was fired after the hospital learned of widespread breaches of privacy. The employee had improperly looked at 61 patients’ medical records, including those of Farrah Fawcett, Maria Shriver, and 31 other high-profile patients. The breach came to light after Farrah Fawcett set up a sting operation to prove her private information was being leaked. The head of the hospital system issued an apology for the “rogue” worker.
Tom Hanks, Drew Barrymore, and Arnold Schwarzenegger – In 2010, also at UCLA, cardiothoracic surgeon and researcher Huping Zhou pled guilty to accessing the medical records of these and other celebrities. He was sentenced to four months in federal prison.
Gabrielle Giffords – In 2011, three employees at Tucson’s University Medical Center were fired after looking at Gabrielle Giffords’ medical records. The congresswoman had been injured in the high-profile shooting rampage that killed six people.
Kim Kardashian – In 2013, six employees of Cedars-Sinai Medical Center in Los Angeles were fired after improperly accessing the medical records from Kardashian’s hospital stay following the birth of her child.
Insurance companies and other entities that hold personal health information and fail to secure their systems risk a data breach, which can be catastrophic and costly: Anthem’s 2015 breach, which exposed the records of nearly 79 million people, ended in a $16 million settlement with OCR.
WHAT IS THE PENALTY FOR BREACHING HIPAA?
A HIPAA violation is a serious offense that can result in civil and criminal penalties.
Civil Penalties (Fines)
Civil penalties are imposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on a four-tier scale keyed to the violator’s level of culpability. Each tier carries a minimum fine per violation, a maximum of $50,000 per violation, and a statutory annual cap of $1,500,000 for identical violations; the statutory figures are adjusted for inflation each year, and since 2019 OCR has exercised enforcement discretion to apply lower annual caps ($25,000, $100,000, and $250,000) in the first three tiers.
The four tiers are as follows:(8)
Tier 1: A violation the covered entity was unaware of and could not realistically have avoided even with a reasonable amount of care to abide by HIPAA rules. Minimum fine of $100 per violation.
Tier 2: A violation with reasonable cause, meaning the covered entity should have been aware of it but could not have avoided it even with a reasonable amount of care, falling short of willful neglect of HIPAA rules. Minimum fine of $1,000 per violation.
Tier 3: A violation resulting directly from willful neglect of HIPAA rules, where the violation was corrected within 30 days. Minimum fine of $10,000 per violation.
Tier 4: A violation resulting from willful neglect of HIPAA rules, where no attempt was made to correct the violation within 30 days. Minimum fine of $50,000 per violation, up to the $1,500,000 annual cap.
These penalties can stack up if there are multiple violations or affected individuals.
Criminal Penalties (Incarceration)
Criminal charges may apply in cases of intentional misuse or theft of protected health information (PHI). These are enforced by the U.S. Department of Justice (DOJ).
The three tiers of criminal penalties for HIPAA violations, all of which require that the person acted knowingly, are:(8)
Tier 1: Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA. A fine of up to $50,000 and up to one year of incarceration.
Tier 2: Obtaining or disclosing PHI under false pretenses. A fine of up to $100,000 and up to five years of incarceration.
Tier 3: Obtaining or disclosing PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm. A fine of up to $250,000 and up to 10 years of incarceration.
HIPAA violations carry steep civil and criminal penalties, especially when they involve willful neglect or malicious intent. When a patient’s personal health information is accessed and used, it must be justified, minimal, and adequately secured.
RESOLUTION OF THE CASE STUDY
HIPAA is very clear: A physician should not access or write orders for their spouse’s electronic medical record unless there is a legitimate medical need and they are formally involved in the spouse’s care as part of the treatment team.
HIPAA permits personal health information to be used without patient consent for treatment, payment, or healthcare operations.(9) Release of information for any other purpose may be made only with the patient’s specific authorization unless otherwise permitted by HIPAA. It permits disclosure to a friend or family member if the patient agrees or if the patient is unable to consent, provided that the disclosure is in the patient’s best interests.(10)
A physician who accesses a spouse’s medical record without being assigned to the care team and without the spouse’s authorization is in breach of HIPAA, regardless of intent. Such access is not “treatment” when it is driven by personal curiosity or concern rather than professional necessity. Nor can the physician’s good faith simply be assumed: we do not know the state of the couple’s relationship at the time of the event or his motives, which is exactly why the patient’s own authorization, not the clinician’s credentials, must govern who sees her record.
Most hospitals and professional ethics guidelines discourage or prohibit physicians from treating close family members (including spouses) except in emergencies. The American Medical Association (AMA) advises against treating immediate family members due to the potential for compromised care and a lack of objectivity.
Hospitals typically have strict policies and auditing tools to track access to electronic health records. Unauthorized access, even by a credentialed physician, can result in disciplinary action (including termination), mandatory reporting to state licensing boards, or civil or criminal penalties for HIPAA violations.
The only possible exception is an emergency in which no other qualified provider is available and immediate care is necessary to prevent serious harm; even then, documentation and post-event reporting are required.
In summation, a physician should not access or write orders for their spouse’s medical record unless they are officially assigned to the care team and have a legitimate medical role. Doing so otherwise risks violating HIPAA, ethical standards, and institutional policies.
In this case, the physician was reprimanded, and a record of this incident was placed in the physician’s folder in the medical staff office. He was informed that if this incident occurred again, he would be at risk of termination from the medical staff and would be reported to HHS, potentially resulting in fines.
Since this physician claimed he was unaware of the consequences of his behavior, it was assumed that other physicians on the medical staff likely did not know about the seriousness of this offense either. Subsequently, education on what is allowed and what isn’t in terms of HIPAA was provided to the entire medical staff and nursing staff. No further recurrences of such behavior have occurred since.
Excerpted from Difficult Dilemmas for Chief Medical Officers: 30 Case Studies , (American Association for Physician Leadership, 2026).
REFERENCES
1. Life Before HIPAA. Abyde blog. October 8, 2020. https://abyde.com/life-before-hipaa
2. Mancini E. Privacy and Security Analysis of mHealth Apps. Dissertation, Università degli Studi di Padova; 2023. https://thesis.unipd.it/retrieve/b9695699-efc7-42d6-9b0f-8ebc683e6369/Tesi_Eleonora_Mancini.pdf
3. Johnson L. HIPAA for Dummies. The HIPAA Guide. https://www.hipaaguide.net/hipaa-for-dummies/
4. Health Information Technology Infrastructure, Standards and Security. In: Glandon GL, Smaltz DH, Slovensky D, eds. Information Technology for Healthcare Managers. 9th ed. AUPHA/HAP; 2020:218.
5. Why Is Staying HIPAA Compliant Crucial for Medical Businesses? Dymin Systems blog. August 7, 2024. https://www.dyminsystems.com/about/blogs/hipaa-compliance/why-is-staying-hipaa-compliant-crucial-for-medical-businesses/
6. Popoola OJ. Designing a Privacy-Aware Framework for Ethical Disclosure of Sensitive Data. Dissertation, Sheffield Hallam University; 2025. https://shura.shu.ac.uk/35463/
7. 8 High-Profile Celebrity HIPAA Violations. Thrive AP blog. https://provider.thriveap.com/blog/8-high-profile-celebrity-hipaa-violations
8. HIPAA Compliance and Secure File Sharing. ShareVault blog. https://sharevault.com/blog/secure-file-sharing/hipaa-compliance-and-secure-file-sharing/
9. Alexander B. Patient Care. In: The Fundamentals of Health Law. 6th ed. American Health Lawyers Association; 2014:79–80.
10. Showalter JS. Health Information Management. In: The Law of Healthcare Administration. 7th ed. AUPHA/HAP; 2011:309.