California HIPAA Violation: Examples, Penalties, and How to Report

California HIPAA Violation: Examples, Penalties, and How to Report

Kevin Henry

HIPAA

June 27, 2025


Common HIPAA Violation Examples

In California, a HIPAA violation occurs when a covered entity or business associate impermissibly uses or discloses Protected Health Information (PHI), or fails to implement required safeguards. Below are frequent scenarios that trigger investigations and, in some cases, a reportable breach.

  • Accessing a patient’s chart without a job-related need (“snooping”), including looking up family, friends, or celebrities.
  • Discussing identifiable patient details in public spaces, elevators, or on unsecured messaging apps.
  • Posting photos, stories, or screenshots on social media that reveal identifiers or allow reidentification.
  • Sending PHI to the wrong recipient (misaddressed emails or faxes) or failing to use “minimum necessary” disclosures.
  • Losing an unencrypted laptop, phone, or USB drive containing PHI, or lacking remote-wipe and device management.
  • Sharing login credentials, weak access controls, or inadequate audit logging of who viewed or changed records.
  • Improper disposal of PHI (e.g., tossing intact paper records or reselling drives without secure wiping), in violation of PHI disposal requirements.
  • Using a vendor without a Business Associate Agreement or allowing a vendor to exceed authorized uses of PHI.
  • Failing to provide patients timely access to their records or charging unreasonable fees.
  • Ransomware or hacking that compromises ePHI; absent a documented low-probability-of-compromise analysis, this is typically a reportable breach.

Whether an incident becomes a reportable breach depends on a risk assessment examining the nature of PHI, who received it, whether it was actually viewed, and mitigation steps (e.g., retrieval, deletion, or encryption).

Civil Penalties for Violations

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA and may impose Civil Monetary Penalties. OCR also resolves many cases through voluntary compliance, technical assistance, and resolution agreements with corrective action plans.

OCR’s penalty tiers

  • Lack of knowledge: A violation the organization could not have reasonably known about despite due diligence.
  • Reasonable cause: A violation due to reasonable (not willful) neglect of requirements.
  • Willful neglect—corrected: A willful neglect violation that the entity promptly corrects after discovery.
  • Willful neglect—uncorrected: A willful neglect violation that remains uncorrected; this carries the highest Civil Monetary Penalties.

How OCR sets penalties

  • Nature and extent of the violation, the sensitivity of PHI, and the number of individuals affected.
  • Duration of noncompliance and the organization’s history, size, and financial condition.
  • Cooperation with OCR, speed and completeness of remediation, and sustained compliance improvements.

Penalty caps are adjusted for inflation. Even when fines are not assessed, entities often must implement multi-year corrective action plans with monitoring and audits.

Criminal Penalties Overview

Criminal liability applies when someone knowingly obtains or discloses PHI in violation of HIPAA, uses false pretenses to obtain PHI, or sells/transfers PHI for personal gain, commercial advantage, or malicious harm. The U.S. Department of Justice prosecutes these offenses.

  • Knowing violations: fines and potential imprisonment up to 1 year.
  • False pretenses: fines and potential imprisonment up to 5 years.
  • Intent to sell/transfer/use PHI for gain or harm: fines and potential imprisonment up to 10 years.

Individuals—including employees, executives, contractors, and business associates—can face prosecution. Obstruction, cover-ups, or identity-theft conduct can trigger additional federal or state charges.

California State-Specific Penalties

California layers its own privacy statutes on top of HIPAA, most notably the Confidentiality of Medical Information Act (CMIA) and state data-breach laws. Where California law is more protective, it controls.

CMIA civil remedies and agency fines

Patients may bring civil actions under CMIA to recover damages, potentially including statutory and punitive damages, attorney’s fees, and injunctive relief. Licensed health facilities can face administrative penalties for unauthorized access or disclosure, and must notify patients—and, in specified circumstances, regulators—promptly after detection.

California Attorney General Enforcement

The California Attorney General can pursue civil actions for violations of CMIA and state consumer privacy statutes. For certain breaches affecting more than 500 California residents, organizations must submit a sample copy of the breach notice to the Attorney General. The California Privacy Protection Agency also enforces consumer privacy obligations outside HIPAA’s scope.


Other state consequences

  • Professional licensing actions against clinicians or facility administrators.
  • Regulatory sanctions involving health plans and insurers, contract remedies, and oversight requirements.
  • Private litigation and reputational harm following reportable breaches.

Processes for Reporting Violations

Start with the organization

If you’re a patient, contact the provider’s or health plan’s privacy officer to request an investigation and a written response. Employees should also use internal compliance hotlines or incident-reporting tools.

File with HHS via the OCR Complaint Portal

Anyone may file a complaint with HHS OCR, including patients, caregivers, and workforce members. You generally must submit within 180 days of learning about the incident, though OCR may extend for good cause. You can file online through the OCR Complaint Portal or by mail or email, and you may request that OCR keep your identity confidential.

Consider state and other channels

  • Report CMIA or consumer-privacy issues to the California Attorney General.
  • Notify relevant professional licensing boards for misconduct by licensed personnel.
  • Contact law enforcement if identity theft, extortion, or stalking is involved.
  • For health-plan issues, consider the Department of Managed Health Care or the Department of Insurance, as applicable.

What to include with your complaint

  • Names and contact details of the provider/plan, dates, and locations.
  • A clear description of what happened, the type of PHI involved, and how it was accessed, used, or disclosed.
  • Copies of notices, emails, screenshots, or photos that document the event.
  • Names of witnesses or staff involved, any harm suffered, and the remedy you seek.

If you are a workforce member

HIPAA prohibits retaliation for filing a complaint. Follow your organization’s reporting policies, avoid removing PHI from the workplace, and de-identify any evidence you provide where possible. You may report directly to OCR if internal responses are inadequate.

What happens next

OCR triages complaints, may request more information, and can open a formal investigation. Outcomes range from technical assistance to corrective action plans or penalties. If an event is a reportable breach, the entity must notify affected individuals, OCR, and in some cases the media, within HIPAA’s timelines.

Protective Measures for PHI

Administrative safeguards

  • Conduct and document an enterprise-wide risk analysis; manage risks with prioritized remediation plans.
  • Adopt clear policies for minimum necessary use, role-based access, and sanctioning workforce violations.
  • Train staff routinely, including phishing simulations and privacy awareness refreshers.
  • Execute and manage Business Associate Agreements and monitor vendor performance.

Technical safeguards

  • Use unique logins, strong authentication (preferably MFA), and automatic logoff.
  • Encrypt ePHI at rest and in transit; apply mobile device management and remote-wipe controls.
  • Enable audit logs, alerts, and regular access reviews; monitor for anomalous behavior.
  • Harden systems with patching, configuration baselines, and data loss prevention for email and cloud apps.
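The audit-log and anomaly-monitoring bullet above is where most "snooping" cases surface. The following is an added example, not code from this article or from Accountable: it runs three review rules over constructed EHR access-log lines (access with no documented treatment relationship, a workforce member opening their own record, a high-profile record, plus a burst of many distinct records in a short window) and returns findings for a privacy officer to review. The comma-separated log layout, the care-team roster, the staff-as-patient mapping and the high-profile list are all assumptions constructed for the example; a real deployment would feed these from the EHR's audit export and scheduling or ADT data.

```python
"""Added example: flagging likely 'snooping' in EHR audit logs for privacy review.

Detection logic only. The sample log lines, care-team roster and record flags
below are constructed for illustration; the field layout is an assumption,
not any particular EHR vendor's audit format.
"""
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit lines: timestamp,user,patient_id,action,department
SAMPLE_LOG = """\
2025-06-01T08:02:11Z,nurse_ana,P1001,VIEW,ONC
2025-06-01T08:05:40Z,nurse_ana,P1002,UPDATE,ONC
2025-06-01T08:07:03Z,nurse_ana,P2001,VIEW,ONC
2025-06-01T09:15:22Z,dr_lee,P1002,VIEW,ONC
2025-06-01T12:30:00Z,clerk_bo,P3001,VIEW,REG
2025-06-01T12:31:00Z,clerk_bo,P1001,VIEW,REG
2025-06-01T12:32:00Z,clerk_bo,P1002,VIEW,REG
2025-06-01T12:33:00Z,clerk_bo,P1003,VIEW,REG
2025-06-01T12:34:00Z,clerk_bo,P1004,VIEW,REG
"""

# Constructed: patients each workforce member has a treatment/operations relationship with
CARE_TEAM = {
    "nurse_ana": {"P1001", "P1002"},
    "dr_lee": {"P1002", "P1003"},
    "clerk_bo": {"P1001"},
}
# Constructed: workforce members who are also patients (their own record id)
STAFF_PATIENT_ID = {"nurse_ana": "P2001"}
# Constructed: records flagged for heightened review (e.g. public figures, staff relatives)
HIGH_PROFILE = {"P3001"}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    action: str
    dept: str


def parse_log(text: str) -> list[Access]:
    """Parse comma-separated audit lines into Access records, sorted by user then time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, dept = line.split(",")
        events.append(Access(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, patient, action, dept))
    return sorted(events, key=lambda e: (e.user, e.ts))


def find_snooping(events, care_team, staff_patient_id, high_profile,
                  burst_threshold=5, window=timedelta(minutes=10)):
    """Return a list of findings (user, patient, ts, reasons) that warrant privacy-officer review."""
    findings = []
    # Per-event rules: relationship, self-access, high-profile record
    for e in events:
        reasons = []
        if e.patient not in care_team.get(e.user, set()):
            reasons.append("no documented treatment relationship")
        if staff_patient_id.get(e.user) == e.patient:
            reasons.append("user accessed own record")
        if e.patient in high_profile:
            reasons.append("high-profile record")
        if reasons:
            findings.append({"user": e.user, "patient": e.patient, "ts": e.ts, "reasons": reasons})
    # Volume rule: many distinct records opened by one user inside a short sliding window.
    # Events are sorted by (user, ts), so one deque per user is enough; flag each user at most once.
    recent: dict = {}
    flagged_users = set()
    for e in events:
        q = recent.setdefault(e.user, deque())
        q.append(e)
        while e.ts - q[0].ts > window:
            q.popleft()
        distinct = {a.patient for a in q}
        if len(distinct) >= burst_threshold and e.user not in flagged_users:
            flagged_users.add(e.user)
            findings.append({"user": e.user, "patient": None, "ts": e.ts,
                             "reasons": [f"{len(distinct)} distinct records within {window}"]})
    return findings


def findings_per_user(findings) -> Counter:
    """Count findings by user, a convenient ordering for an access-review queue."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    for f in find_snooping(parse_log(SAMPLE_LOG), CARE_TEAM, STAFF_PATIENT_ID, HIGH_PROFILE):
        print(f["ts"].isoformat(), f["user"], f["patient"] or "-", "; ".join(f["reasons"]))
```

On the constructed data the relationship rule alone produces findings for both `nurse_ana` (own record) and `clerk_bo` (four records outside the roster), and the burst rule adds one more for `clerk_bo`; `dr_lee` produces none. In practice the relationship roster is the part worth investing in: the rule is only as good as the scheduling, admission and referral data it is built from, and each finding is a review item, not a determination that a violation occurred.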

Physical safeguards

  • Control facility access, secure record storage, and use privacy screens in clinical and registration areas.
  • Track devices, lock ports, and segregate areas where PHI may be overheard or seen by visitors.

PHI Disposal Compliance

Adopt a documented retention and destruction schedule. Shred, pulverize, or pulp paper records; securely wipe or degauss digital media; and obtain certificates of destruction from vetted vendors. Maintain chain-of-custody and spot-audit disposal practices.

Incident readiness

  • Maintain an incident response plan with roles, playbooks, and contact trees; test it regularly.
  • Perform breach risk assessments to determine if an incident is a reportable breach; document the rationale.
  • Use post-incident reviews to close gaps and verify sustained remediation.

Covered entities include healthcare providers, health plans, and clearinghouses; business associates handle PHI on their behalf. Both must comply with HIPAA and, where more protective, California law.

Permitted uses and disclosures

HIPAA permits use and disclosure of PHI for treatment, payment, and healthcare operations without authorization, subject to the minimum necessary standard. Authorizations are generally required for marketing, the sale of PHI, and most psychotherapy notes. Certain categories of information can carry extra restrictions under federal and California law.

Patient rights

  • Access and obtain copies of records within HIPAA timelines, with reasonable, cost-based fees.
  • Request amendments, an accounting of certain disclosures, and confidential communications.
  • Request restrictions, including paying out-of-pocket for a service and asking providers not to disclose to a health plan for that service.
  • Receive a clear Notice of Privacy Practices describing uses, rights, and complaint options.

Governance, vendors, and breach duties

  • Designate privacy and security officials; maintain policies, workforce training, and sanctions.
  • Execute Business Associate Agreements and oversee vendor compliance and data flows.
  • Notify affected individuals and HHS OCR following a breach; for certain large California incidents, submit a sample breach notice to the Attorney General.

Preemption and California overlay

When California law is more protective than HIPAA, California rules control. Map your operations to both frameworks, document decisions, and refresh risk analyses and policies at least annually.

FAQs

What constitutes a HIPAA violation in California?

A HIPAA violation is an impermissible use or disclosure of PHI or a failure to implement required safeguards, access rights, or breach-notification duties. In California, CMIA and other privacy statutes add stricter protections in some areas, so conduct that might pass under federal rules can still violate state law.

How are HIPAA violations penalized under California law?

Federally, OCR can require corrective action and impose Civil Monetary Penalties; the Department of Justice can bring criminal cases for egregious misconduct. California can add CMIA civil liability, administrative fines for licensed facilities, and California Attorney General enforcement actions under state privacy and breach laws.

Where can I report a HIPAA violation in California?

Report concerns to the provider’s or plan’s privacy officer first. You can then file a complaint with HHS through the OCR Complaint Portal. For state-law issues, you may also contact the California Attorney General or relevant professional licensing boards.

What evidence is needed to file a HIPAA complaint?

Provide names and contact details for the organization, key dates, a clear description of what happened, and the type of PHI involved. Include copies of notices, emails, or screenshots, the names of witnesses or staff, any harm you suffered, and the remedy you seek. Avoid sending more PHI than necessary to explain the issue.
