12 Surprising Examples of HIPAA Violations in Nursing Homes

Written by ExaCare

Published on May 16, 2025

Nursing homes handle so many admissions, daily care checks, and family visits every day that protecting resident information often slips into the background.

A single privacy mistake, whether it’s a chart left visible at the nurse’s station or a casual comment in the lobby, can trigger HIPAA violations that lead to fines, investigations, and serious damage to your facility’s reputation.

In this article, we’ll cover 12 examples of unintentional HIPAA violations in nursing homes and how to prevent these issues with better systems and training.

What are HIPAA violations in a nursing home?

Every piece of information about a resident — whether it’s a diagnosis scribbled on a chart or a billing detail shared over email — falls under a critical protection: HIPAA.

In nursing homes, the standard for safeguarding resident data isn’t optional. It’s a legal and operational necessity.

HIPAA defines Protected Health Information (PHI) as any verbal, written, or electronic data that identifies a resident and relates to their health, care, or payment history. That includes diagnoses, treatment plans, billing records, and even casual conversations that reveal personal health details.

Because nursing homes transmit this kind of information electronically, whether through billing systems or hospital referral platforms, they’re classified as covered entities under HIPAA.

That means they must fully comply with the Privacy, Security, and Breach Notification Rules. Failing to meet these standards, even unintentionally, exposes facilities to serious penalties.

Why long-term care settings are especially vulnerable

Protecting resident information in a nursing home isn’t as straightforward as it looks on paper. The realities of daily operations introduce unique vulnerabilities that administrators need to stay ahead of.

Staff turnover is a constant challenge, making it harder to maintain consistent HIPAA training across teams. New hires, temporary staff, and short-handed shifts all increase the risk of lapses.

Meanwhile, personal devices like smartphones and tablets often blur the line between professional and private use, creating new channels for accidental PHI breaches.

Beyond technology, the very design of a nursing home adds complexity: Communal spaces, where staff and residents interact informally, make it easy for private information to be overheard or shared without proper safeguards. And because care coordination often involves outside physicians, specialists, pharmacies, and hospitals, every additional handoff increases the chance of an unintentional disclosure.

The cost of noncompliance

When HIPAA violations happen, the consequences reach far beyond paperwork. For nursing homes, noncompliance can trigger civil penalties ranging from $35,581 per violation for negligence to $2.1 million for willful neglect. In cases involving malicious intent, criminal charges can apply, with fines up to $250,000 and up to 10 years in prison.

However, the financial penalties are only part of the damage. Facilities also face the risk of losing Medicare and Medicaid certification, cutting off critical revenue streams. Even a single reported breach can tarnish a facility’s reputation, eroding trust with hospitals, referral partners, residents, and families.

Lower occupancy rates and lost referral opportunities often follow, creating long-term operational and financial challenges.

12 examples of HIPAA violations in nursing homes

HIPAA violations often don’t start with malice. They start with simple, everyday habits that go unchecked. 

For nursing home administrators, knowing where these risks show up is the first step toward preventing the kind of mistakes that trigger citations, fines, and reputational damage. Let’s walk through these HIPAA violation examples that nursing homes need to monitor closely.

#1 Discussing a resident’s condition in public spaces

In long-term care settings, it's easy for boundaries to blur. A nurse might update a colleague on a resident’s blood pressure in the hallway. A therapist might discuss therapy progress while walking to the dining room. 

However, these casual exchanges can turn into HIPAA violations the moment they’re overheard by someone who is unauthorized.

Real-World Case Study: St. Joseph’s Medical Center

In 2023, St. Joseph’s Medical Center in New York paid an $80,000 HIPAA fine after an investigation by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) revealed improper disclosure of patient information to a reporter.

The investigation began after an Associated Press article was published showing photographs and medical details of three patients being treated for COVID-19.

The images and information that were distributed nationally included sensitive PHI such as diagnoses, vital signs, treatment plans, and prognoses. St. Joseph’s had allowed the reporter access without obtaining patient authorization, a clear violation of the HIPAA Privacy Rule.

Although St. Joseph’s did not admit liability, the medical center agreed to a settlement and adopted a corrective action plan. As part of the CAP, St. Joseph’s was required to review and revise its HIPAA privacy policies, submit them to OCR for approval, and retrain its workforce on compliance standards.

Key takeaways for nursing homes:

  • Create clear "no-PHI zones" — hallways, dining areas, visitor spaces, and elevators.

  • Remind staff that even vague mentions ("the stroke patient in 412") can qualify as a breach.

  • Post signs in public staff areas reminding teams to move sensitive conversations to private rooms.

Public conversations are one of the fastest ways to breach resident trust and invite regulatory scrutiny. Staff need to treat every shared space as a potential exposure risk.

#2 Accessing records without a valid need

Accessing medical records isn't just about who has the ability. It’s about who has the right. Even if a staff member is credentialed to access PHI, they must have a legitimate, care-related reason to view a resident’s file.

Real-World Case Study: UCLA Health System

In one of the first criminal cases under HIPAA’s privacy provisions, a former UCLA Healthcare System employee, Huping Zhou, was sentenced to four months in federal prison for illegally accessing confidential patient medical records.

Zhou, a licensed cardiothoracic surgeon in China, was working as a researcher at UCLA when he received notice of termination for unrelated performance issues. That same night, and continuing over the next three weeks, Zhou accessed the medical records of his supervisor, coworkers, and over 300 patients, including several high-profile celebrities, without any medical or professional justification.

Although there was no evidence that Zhou sold or otherwise misused the information, the sheer volume of unauthorized access—323 instances—highlighted a serious breach of patient trust.

Zhou pleaded guilty to four misdemeanor HIPAA violations and became the first person in the U.S. sentenced to prison under the law’s privacy provisions. 

Tips to prevent unauthorized access in your facility:

  • Conduct regular audits of who accesses resident records and when.

  • Implement role-based access limits for admissions, nursing, and therapy teams so that they only see what they need.

  • Include real-world examples like UCLA in your HIPAA training sessions to show consequences clearly.

In nursing homes, it’s easy to rationalize small breaches ("I just wanted to check on my old neighbor"), but every unauthorized view can trigger legal exposure and a culture where privacy feels optional.

#3 Leaving PHI visible in publicly accessible places

Leaving PHI visible isn’t limited to a misplaced clipboard. In nursing homes, it can take many forms: printed charts left on desks during shift changes, login screens on unattended computers displaying resident data, and whiteboards listing names, diagnoses, and room numbers in view of visitors.

Even if staff simply forget that they’ve left this information in a place where members of the public can easily see it, it’s still a HIPAA violation.

Each of these situations creates an opportunity for unauthorized eyes, whether family members, vendors, contractors, or even other residents, to access confidential information without consent.

Nursing homes must treat every desk, hallway, and shared space as a potential exposure risk and train staff to secure PHI in both obvious and less obvious areas throughout the facility.

Real-World Case Study: Caney, Kansas

The Caney Nursing Home in Caney, Kansas, was sued for failing to secure personal information of former residents and employees after closing in February 2017. 

The lawsuit charged that the facility left behind files with identifiable medical and financial details, which were accessed by unauthorized individuals, breaching state consumer protection laws, HIPAA requirements, and CMS policies. Vandals broke into the abandoned building and had access to these private files.

Things to keep in mind:

  • Securely store or destroy records: Before closing a facility, ensure all personal and medical records are either securely stored or properly destroyed to prevent unauthorized access.

  • Conduct regular audits: Perform routine checks on data handling practices to confirm compliance with privacy laws and identify potential vulnerabilities.

  • Train staff on privacy protocols: Offer continuous training to employees on safeguarding personal information and following proper record disposal procedures.

  • Develop a closure plan: Prepare a detailed strategy for managing personal information during a facility closure, including specific timelines for removing or destroying records.

  • Engage legal counsel: Work with legal professionals to ensure all actions align with state and federal privacy regulations, reducing the risk of legal issues.

#4 Sending emails to the wrong recipient

When time is tight, it’s easy for small digital mistakes to cause big problems. Faxing or emailing resident information to the wrong person is one of the most common HIPAA breaches, and one of the most preventable.

Common risks include:

  • Relying on outdated contact lists without verifying details.

  • Using autocomplete in email systems and sending PHI to similarly named but incorrect recipients.

  • Faxing documents to the wrong numbers without confirmation calls.

Real-World Case Study: Lafourche Medical Group

Lafourche Medical Group, a Louisiana-based provider specializing in emergency and occupational medicine, agreed to a $480,000 settlement with the Department of Health and Human Services (HHS) following a 2021 phishing attack that exposed the health information of nearly 35,000 individuals.

The breach occurred when hackers accessed an employee’s email account containing sensitive electronic health data. HHS’ investigation found that Lafourche Medical Group had no policies or procedures in place to regularly review system activity or protect against cyberattacks, violating key HIPAA requirements.

As part of the settlement, the company agreed to implement a two-year corrective action plan, which includes developing written cybersecurity protocols, regularly updating risk assessments, and training staff on cybersecurity best practices.

Best practices to avoid this risk:

  • Always double-check recipient addresses or fax numbers before sending.

  • Turn off autocomplete functions for emails containing PHI if possible.

  • Implement a two-person verification process for outbound faxes containing sensitive data.
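The wrong-recipient and autocomplete risks described under #4 can be caught with a mechanical pre-send check. The following is an added example written for this article, not ExaCare's code or any mail system's API: it compares each outbound address against a directory of verified partner addresses and flags both unknown addresses and near-misses (an address one or two characters away from an approved one, which is exactly what a mistyped or autocompleted recipient looks like). The directory contents and the similarity cutoff are assumptions.

```python
"""Pre-send recipient check for messages containing PHI (added example, not
ExaCare's code). Compares each outbound address against an approved partner
directory and flags exact misses and near-misses, the kind autocomplete
produces. Directory contents and the similarity cutoff are assumptions."""
import difflib

# Constructed directory of verified referral partners (maintained by admissions)
APPROVED_RECIPIENTS = {
    "referrals@stjoseph-example.org",
    "casemgmt@riverside-example.org",
    "intake@valleypharmacy-example.com",
}


def check_recipients(recipients, approved=APPROVED_RECIPIENTS, cutoff=0.85):
    """Return a list of findings; an empty list means every address is verified.

    A near-miss is an address that is not approved but is very similar to one
    that is, which is what a mistyped or autocompleted address looks like.
    """
    directory = sorted(approved)
    findings = []
    for raw in recipients:
        addr = raw.strip().lower()
        if addr in approved:
            continue
        # difflib scores string similarity in [0, 1]; only matches above cutoff are returned
        close = difflib.get_close_matches(addr, directory, n=1, cutoff=cutoff)
        if close:
            findings.append({"recipient": raw, "problem": "near_miss", "did_you_mean": close[0]})
        else:
            findings.append({"recipient": raw, "problem": "not_in_directory", "did_you_mean": None})
    return findings


def may_send(recipients, approved=APPROVED_RECIPIENTS):
    """Policy gate: a PHI message goes out only when no finding is raised."""
    return not check_recipients(recipients, approved)


if __name__ == "__main__":
    outbound = ["Referrals@stjoseph-example.org",     # verified (case-insensitive)
                "referrals@stjosephs-example.org",    # one extra letter
                "casemgmt@riverside-example.net"]     # wrong top-level domain
    for finding in check_recipients(outbound):
        print(finding)
    print("send allowed:", may_send(outbound))
```

In practice the directory would be the facility's maintained list of referral partners and the gate would sit in the mail client or secure messaging platform; the point is that a near-miss is never silently allowed through, because it is indistinguishable from an autocomplete error at a glance.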

#5 Posting about residents on social media

Even when intended as harmless, sharing images, videos, or details about residents on social media without consent is a direct HIPAA violation, and the consequences can escalate fast.

Key risks include:

  • Staff posting photos or videos of residents without written authorization.

  • Sharing any identifiable information (even in private groups) that could link back to a resident.

  • Allowing casual "behind-the-scenes" posting during activities without fully securing privacy boundaries.

Real-World Case Study: Manasa Health Center

Manasa Health Center, a psychiatric provider based in New Jersey, agreed to a $30,000 settlement with the Department of Health and Human Services’ Office for Civil Rights (OCR) after impermissibly disclosing patient information online.

In April 2020, OCR received a complaint that the center had shared a patient’s mental health diagnosis and treatment details while responding to a negative Google review. An investigation found that the center had improperly disclosed the protected health information (PHI) of four patients across multiple online review responses.

As part of the settlement, Manasa Health Center agreed to a corrective action plan requiring them to update and enforce written privacy policies, retrain all staff, issue breach notification letters to the affected individuals, and formally report the breaches to OCR.

While healthcare providers are permitted to respond to online reviews under HIPAA, any response must avoid sharing identifiable health information without patient consent.

What administrators should reinforce:

  • Implement a zero-tolerance policy on unauthorized resident imagery.

  • Include social media compliance specifically in new employee orientation and annual training.

  • Require leadership approval for any facility marketing or social media posts involving residents.

A single inappropriate post can lead to termination, criminal charges, and widespread reputational damage, not just for individual employees, but for the entire facility brand.

#6 Leaving computers unlocked

Unattended computers in nursing homes present an easy opening for HIPAA violations, especially when EHRs are involved.

Screens left unlocked at nurses’ stations, admissions desks, or billing offices expose sensitive resident data to anyone walking by, including visitors, vendors, and unauthorized staff.

Common exposure points administrators should address:

  • Nurses or aides stepping away from workstations during rounds without logging out.

  • Admissions or billing staff handling residents at the front desk and leaving systems open.

  • Shared hallway or nurse station computers without automatic time-out settings.

Real-World Case Study: Yakima Valley Memorial Hospital

Yakima Valley Memorial Hospital (formerly Virginia Mason Memorial) paid a $240,000 HIPAA settlement after failing to prevent unauthorized access to patient records by its own security staff. In 2018, the hospital discovered that 23 security guards had accessed 419 patient records without any valid reason, viewing information like names, treatment notes, and insurance details.

OCR’s investigation found the hospital lacked adequate workstation monitoring and had not properly enforced its HIPAA Security Rule obligations. 

As part of the settlement, Yakima Valley agreed to overhaul its risk analysis, update policies, strengthen security training, and monitor vendor relationships to ensure HIPAA compliance moving forward.

Best practices for reducing this risk:

  • Set short timeouts (5 minutes or less) to automatically lock screens after inactivity.

  • Train all staff to treat an unattended, unlocked screen as a breach—not just a mistake.

  • Conduct random audits of workstations during all shifts, not just during day hours.

#7 Improper PHI disposal

Disposing of resident health information isn’t as simple as tossing old papers in the trash. HIPAA requires that all protected health information, whether on paper, computers, tablets, or phones, be destroyed in a way that protects against unauthorized access.

In a nursing home setting, improper disposal can happen during everyday activities: cleaning out old files, upgrading computers, or removing outdated medication lists.

Key risks administrators must manage:

  • Throwing paper records into standard trash bins without shredding them first.

  • Recycling or selling old computers, tablets, or phones without securely wiping the data.

  • Storing discarded charts, USB drives, or faxed documents in unsecured locations before disposal.

Real-World Case Study: Small pharmacy settlements

Several small pharmacies were fined a combined $125,000 after improperly disposing of patient records in open, unlocked dumpsters. OCR found that sensitive information was fully visible and accessible to the public. Even smaller facilities weren't exempt from enforcement.

Nursing homes must maintain strict disposal protocols, including locked shred bins on-site, contracts with certified destruction vendors, and documentation of every disposal process. Failure to do so turns simple housekeeping into a major compliance violation.

#8 Disclosing information to unauthorized family members

Families are often deeply involved in residents’ lives, but HIPAA draws a firm legal line about who can access a resident’s health information. 

Even if a spouse or adult child is familiar or seems "obvious," unless they are legally designated as a personal representative or have power of attorney for healthcare, staff cannot share PHI with them.

Key risks that frequently cause mistakes:

  • Staff assuming marriage or family ties automatically give access rights.

  • Providing updates to frequent visitors without confirming authorization.

  • Discussing billing, medication changes, or diagnoses in front of non-authorized relatives.

Real-World Case Study: Holy Redeemer Family Medicine

In 2023, Holy Redeemer Family Medicine agreed to pay $35,581 after improperly disclosing a patient’s complete medical record, including sensitive surgical, gynecological, and reproductive health information, to a prospective employer.

The patient had only authorized the release of a single unrelated test result. OCR’s investigation confirmed that Holy Redeemer had no legal basis for such a broad disclosure and violated multiple HIPAA Privacy Rule requirements.

As part of the settlement, Holy Redeemer also agreed to a two-year corrective action plan monitored by OCR.

#9 Using personal devices to store or share PHI

Personal devices like smartphones, tablets, and laptops are common tools in healthcare today. However, when staff use their own devices to access, store, or share resident information without proper security measures, it creates a major HIPAA risk. 

Personal devices are harder to control, harder to secure, and easy to lose.

Key risks that nursing homes must address:

  • Staff texting resident updates or care instructions from personal phones without encryption.

  • Downloading referral packets or resident documents to unprotected personal laptops.

  • Losing phones, tablets, or USB drives that contain PHI without any remote wiping capabilities.

Real-World Case Study: New York Medical Center

After an employee’s unencrypted personal laptop was stolen, a New York medical center faced a $3 million penalty. The breach affected thousands of patients, and regulators found the facility lacked enforceable policies around personal device use.

Nursing homes must develop strict Bring Your Own Device (BYOD) policies or ban personal device use entirely for PHI. Facilities should provide secure, encrypted platforms if mobile access is needed, and require formal permission for any non-facility devices.

#10 Inadequate staff training on privacy practices

Even with the best-written HIPAA policies, staff errors happen without ongoing, real-world training. Many HIPAA breaches are not malicious. They're the result of staff who don't fully understand the rules or how they apply to day-to-day interactions.

Key risks nursing homes face:

  • Staff discussing resident information in hallways, elevators, or other public areas out of habit.

  • Employees accessing or disclosing PHI without realizing they are violating HIPAA.

  • Poor understanding of what "protected information" includes beyond obvious medical notes.

Real-World Case Study: Children's Hospital Colorado

Children’s Hospital Colorado paid a $548,000 settlement after an investigation revealed systemic failures in staff training. Unauthorized record access and casual PHI disclosures were widespread because staff simply weren’t taught HIPAA principles beyond a basic orientation.

For nursing homes, effective HIPAA training must include real examples, scenario-based discussions, and regular refreshers to keep privacy protection alive in day-to-day operations, not just buried in a handbook.

#11 Talking about residents in parking lots or elevators

PHI isn't limited to what’s written down. What’s spoken matters just as much. Under HIPAA’s "minimum necessary" rule, staff must only share PHI when needed for treatment or operations, and always in a secure setting.

Conversations in elevators, parking lots, cafeterias, or even front lobbies are dangerous because they often involve unintentional disclosures to unauthorized listeners.

Key risks common in nursing homes:

  • Staff casually discussing residents while walking to their cars.

  • Care planning conversations taking place in elevators shared with visitors or delivery staff.

  • Summarizing sensitive updates within earshot of family members not authorized to hear them.

Consequence: Corrective action plans and OCR audits

While individual fines vary, OCR frequently requires facilities involved in these violations to undergo corrective action plans, staff retraining, and sometimes multi-year monitoring agreements. For nursing homes, it’s critical to create formal "no PHI" zones, educate staff about conversational boundaries, and regularly monitor common areas for risky behavior.

#12 Failing to report breaches promptly

When a breach occurs, HIPAA requires covered entities to notify OCR and affected individuals within 60 days of discovery. Failing to meet this timeline—even if the breach is small—can result in higher penalties and worse regulatory scrutiny.

Key risks that cause late reporting:

  • No clear internal escalation plan for reporting suspected breaches.

  • Leadership underestimating breach severity or delaying investigation.

  • Staff not trained to recognize and report breaches immediately.

Real-World Case Study: CHSPSC LLC

CHSPSC LLC agreed to pay $2.3 million after delays in reporting a cyberattack that exposed the PHI of over six million patients. OCR emphasized that breach size wasn’t the only issue: the delayed notification made the situation worse by exposing patients to longer periods of risk without warning.

Nursing homes must have clear breach reporting protocols, including immediate internal notification channels, legal counsel review, and day-by-day breach tracking once an incident is suspected.

Common causes of HIPAA violations in LTC settings

Understanding where HIPAA violations originate inside nursing homes is key to stopping them before they escalate. In long-term care (LTC) settings, certain operational patterns consistently raise risk levels if they aren’t actively managed.

The main causes of violations include:

  • Staff turnover: High turnover rates make it hard to maintain consistent HIPAA training and culture. New staff may only receive basic orientation without deep reinforcement of privacy standards, leading to mistakes like unsecured screens or casual conversations about residents.

  • Unclear or outdated policies: Many nursing homes still operate under privacy policies drafted years ago, before the widespread use of telehealth, mobile messaging apps, or personal devices at work. Outdated guidelines create gray areas where staff are unsure how to handle modern communication tools without violating HIPAA.

  • High workloads: Understaffed facilities or high patient-to-staff ratios can lead employees to cut corners. Common shortcuts include sharing logins, skipping logout procedures, or ignoring system audit requirements, all of which leave facilities wide open to breaches.

  • Poor access controls: Without careful management of user permissions, staff often have broader access to EHRs than necessary for their role. Overly generous access makes it easier for accidental or curious record-snooping to occur.

  • Verbal communication culture: In many LTC facilities, informal, verbal communication is the norm. While efficient, this culture increases the chance of casual PHI disclosures in hallways, elevators, and social spaces, especially if staff aren’t continually reminded where privacy boundaries must be enforced.

Common HIPAA violations prevention tips for nursing homes

Preventing HIPAA violations isn’t just about having the right policies. It’s about embedding strong privacy habits into the day-to-day life of your facility.

Here are key areas administrators should focus on:

  • Regular HIPAA training: Hold annual workshops that go beyond standard modules. Include phishing simulations, real-world breach scenarios, and hands-on exercises about verbal disclosure risks. Reinforcement during onboarding and after major incidents should also be mandatory.

  • Use HIPAA-compliant technology: Adopt encrypted messaging platforms for all internal communications involving PHI. Ensure EHR systems are configured with automatic timeouts, biometric logins where possible, and immediate lockouts after inactivity. Mobile device management (MDM) systems can help enforce secure access protocols on approved work devices.

  • Update policies regularly: Create clear, accessible policies about social media use, personal device restrictions, and telehealth procedures. Conduct regular risk assessments to identify areas like unsecured PHI storage, outdated access lists, and software vulnerabilities.

  • Audit access logs consistently: Perform monthly reviews of EHR access logs to detect unusual access patterns or potential snooping. Build audits into your regular compliance calendar so they’re not overlooked during busy periods. Human resources policies in particular, such as how quickly access is removed when staff leave, directly affect data privacy.

  • Establish and drill breach protocols: Designate a breach response team that includes clinical, IT, compliance, and administrative representatives. Practice incident response drills annually to ensure staff know exactly how to report, contain, and document suspected breaches under HIPAA’s required timelines.

Strong systems alone don’t prevent violations — habits do. Nursing homes that create a culture of daily vigilance around privacy will be better protected when small risks inevitably surface.
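The advice above to audit EHR access logs monthly, together with the tip under #2 to audit who accesses resident records and when, and the Yakima Valley case under #6 (security staff opening patient charts), all come down to the same control: a repeatable review of the access log against the staff roster. The following is an added example written for this article, not ExaCare's code or any EHR vendor's audit feature. It runs four rules over a constructed audit export: an account used on or after the date its access should have been revoked (the pattern in the UCLA case), a role with no care duties opening charts (the Yakima pattern), chart views of residents outside a user's assigned unit, and an unusually high number of distinct residents opened by one user in one day. The CSV layout, rosters, role lists and thresholds are assumptions.

```python
"""Monthly EHR access-log audit (added example, not ExaCare's or any EHR's code).

Implements the page's advice to audit who accesses resident records and when,
with rules modelled on the cases described: a role with no care duties opening
charts, an account still active after its access should have been revoked,
chart views outside a user's assigned unit, and unusually high daily volume.
The CSV layout, rosters and thresholds are assumptions for this illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed staff roster: user -> (role, assigned unit or None,
#                                    date access should have been revoked or None)
STAFF = {
    "nurse.a": ("nurse", "unit-2", None),
    "aide.b": ("aide", "unit-1", None),
    "guard.c": ("security", None, None),
    "research.d": ("researcher", None, date(2025, 3, 10)),
    "billing.e": ("billing", None, None),
}

# Constructed resident roster: resident id -> unit they live on
RESIDENTS = {"R100": "unit-1", "R101": "unit-1", "R102": "unit-2",
             "R103": "unit-2", "R104": "unit-3"}

CLINICAL_ROLES = {"nurse", "aide", "physician", "therapist"}  # may open chart views
BILLING_ROLES = {"billing"}                                    # may open billing views
DAILY_DISTINCT_LIMIT = 3  # more distinct residents than this in one day is flagged

# Constructed audit export; a real EHR's export format will differ
SAMPLE_LOG = """\
timestamp,user,resident,view
2025-03-09T08:02:00,nurse.a,R102,chart
2025-03-09T08:05:00,nurse.a,R103,chart
2025-03-09T09:10:00,nurse.a,R104,chart
2025-03-09T09:12:00,nurse.a,R100,chart
2025-03-09T10:00:00,guard.c,R100,chart
2025-03-10T22:15:00,research.d,R100,chart
2025-03-10T22:16:00,research.d,R101,chart
2025-03-11T11:00:00,billing.e,R101,billing
2025-03-11T11:05:00,billing.e,R101,chart
2025-03-12T07:00:00,aide.b,R100,chart
"""


def audit(log_text, staff=STAFF, residents=RESIDENTS, limit=DAILY_DISTINCT_LIMIT):
    """Return one finding per suspicious access (first matching rule wins) plus
    one finding per (user, day) whose distinct-resident count exceeds `limit`."""
    findings = []
    distinct = defaultdict(set)  # (user, day) -> residents opened that day
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, user, resident, view = row["timestamp"], row["user"], row["resident"], row["view"]
        day = date.fromisoformat(ts[:10])
        role, unit, revoked_on = staff.get(user, ("unknown", None, None))
        distinct[(user, day)].add(resident)

        if revoked_on is not None and day >= revoked_on:
            reason = "access_after_revocation"   # account should already be disabled
        elif view == "chart" and role not in CLINICAL_ROLES:
            reason = "role_not_permitted"        # e.g. security staff opening charts
        elif view == "billing" and role not in BILLING_ROLES | CLINICAL_ROLES:
            reason = "role_not_permitted"
        elif view == "chart" and unit is not None and residents.get(resident) != unit:
            reason = "outside_assignment"        # resident is not on the user's unit
        else:
            continue
        findings.append({"timestamp": ts, "user": user, "resident": resident, "reason": reason})

    for (user, day), seen in distinct.items():
        if len(seen) > limit:
            findings.append({"timestamp": day.isoformat(), "user": user,
                             "resident": ",".join(sorted(seen)), "reason": "high_volume"})
    return findings


def count_by_reason(findings):
    """Summary counts for a monthly compliance report."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["reason"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    print(count_by_reason(audit(SAMPLE_LOG)))
```

Each finding is a lead for the compliance officer to follow up, not a verdict: a nurse covering another unit for a shift will trip the assignment rule legitimately, and the daily limit should be tuned to the facility's real census. The revocation rule is where HR and IT meet: it only works if termination dates actually reach the roster the audit reads.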

Frequently asked questions

What’s the most common HIPAA violation in nursing homes?

One of the most common HIPAA violations in nursing homes is the improper disclosure of resident information through casual conversations. Staff often discuss residents’ health status, treatment plans, or room assignments in hallways, dining areas, or other public spaces where unauthorized individuals may overhear.

These seemingly harmless exchanges can expose protected health information (PHI) and lead to citations, fines, and reputational damage if not carefully controlled.

Can nurses be individually liable for HIPAA violations?

Yes, nurses and other healthcare employees can be held individually liable for HIPAA violations. There are many nurse HIPAA violation cases that have resulted in penalties. Depending on the severity and intent behind the violation, consequences can range from employer disciplinary action to civil fines or even criminal charges.

Cases involving malicious intent, such as unauthorized snooping into records, can result in significant penalties, including imprisonment under federal law.

Is it a violation to mention a resident’s name in the hallway?

Mentioning a resident’s name alone is not automatically a HIPAA violation, but if it is combined with health information, such as a diagnosis, treatment details, or room assignment, it can quickly cross the line into an impermissible disclosure.

Even without detailed medical information, mentioning names casually in public areas can raise concerns about minimum necessary standards and increase the risk of privacy breaches.

What should you do after a suspected breach?

After discovering a suspected breach, it’s critical to act immediately. The incident should be reported internally to the designated HIPAA privacy or compliance officer, who will investigate the scope and nature of the breach.

If protected health information was exposed, the facility must assess whether it triggers HIPAA’s breach notification requirements, notify affected individuals if necessary, and report the incident to the Department of Health and Human Services within the mandated timelines.

Can families request access to records without consent?

Family members cannot automatically access a resident’s medical records without proper authorization. Under HIPAA, only individuals who are legally recognized as a personal representative (such as through a healthcare power of attorney or legal guardianship) can request and receive full access to a resident’s PHI.

Nursing homes must verify documentation before sharing any sensitive information, even if the family member is closely involved in the resident’s care.

What tools can help reduce privacy risk?

Several tools can help nursing homes reduce privacy risks, including encrypted messaging platforms for internal communication, automatic EHR logoff features to prevent unauthorized access, and mobile device management systems to secure any work-related smartphones or tablets.

Regular HIPAA training, access control systems, and monthly audit reviews of record access are also critical parts of a strong privacy and security strategy.

ExaCare supports privacy in the referral screening process

HIPAA compliance in nursing homes isn’t just about avoiding fines. It’s about building a culture of respect, trust, and operational excellence. These examples of HIPAA violations in nursing homes point to the issues that most often occur and the need to proactively reinforce safeguards through training, technology, and daily practices.

Part of that protection starts with the systems facilities rely on to handle sensitive data. When admissions processes involve scattered documents, unsecured communications, and manual handoffs, the risk of a privacy breach rises with every step.

That’s where a purpose-built solution like ExaCare can help: by providing a centralized, secure way to manage hospital referrals, automate document review, and make faster, more confident admissions decisions without compromising resident privacy.

ExaCare is built with privacy protection at its core. Facilities using ExaCare can rely on secure, role-based access to admissions and care coordination data.

Here’s what we offer:

  • AI-powered referral screener that reviews hospital packets in minutes, enabling quick and accurate admissions decisions

  • Centralized referral management that brings all your sources into one platform

  • Built-in analytics to help you track performance and optimize your referral relationships

  • A unified communication hub to streamline decision-making with colleagues

If you're looking for a way to accelerate admissions, reduce operational risks, and protect sensitive resident information, ExaCare is ready to help. Talk with our team to learn more.

Schedule a demo.

10x Your Admissions Speed and Accuracy with ExaCare

Use AI to pre-screen patient conditions

Automatically identify and flag medicine costs and generate reimbursement arguments

Connects with referral portals including Epic Care Link

Directly integrates with PointClickCare

HIPAA compliant

Start Screening Today!

See how ExaCare's AI screener can transform your admissions process and unlock revenue and resources.
