Prosecutions for relatively small-time violations of patient privacy under the Health Insurance Portability and Accountability Act (HIPAA) are becoming more common, even though larger-scale data breaches and fraud investigations grab all the headlines. One reason: such violations may be low-hanging fruit that lets federal prosecutors win convictions more easily than sweeping investigations do.

The HIPAA "privacy rule" sets standards to protect individuals' medical records and other personal health information, requiring that healthcare providers have adequate safeguards in place to protect privacy and setting limits on what can be disclosed without the patient's approval. Criminal liability can be relatively easy to prove, and the consequences can be both quick and severe. A Texas hospital employee who pleaded guilty to accessing personal health information with the intention of using it for personal gain got an 18-month prison sentence.

It's not just clinicians who are under scrutiny, either. When a former Warner Chilcott district manager admitted that he wrongfully revealed identifiable health information, he was sentenced to 1 year of probation and had to pay a $10,000 fine; his employer's punishment was even heavier, as Warner Chilcott paid $125 million to resolve both criminal and civil liability.

The best course of action to avoid such punishments, of course, is to avoid violating patient privacy in the first place. Ensuring that proper protocols and security measures are in place is not enough; make sure every staff member, regardless of role, knows the rules by covering the subject in new-employee orientation and manuals.