We apply Reason’s GEMS typology to study privacy breach incidents in healthcare organizations. An interpretive analysis of transcripts of interviews with privacy officers of healthcare organizations in the U.S. Midwest helps discern the underlying causes of human error and develop a framework for error management. The study finds that organizational factors causing human error constitute a greater impediment to HIPAA Privacy Rule compliance than do human factors.