The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services does not issue warnings. It issues fines. Since HIPAA enforcement began in earnest, OCR has collected hundreds of millions of dollars in settlements and civil monetary penalties from covered entities and business associates that failed to protect patient data.
These are not abstract regulatory exercises. Each case below involved real patient records, real investigations, and real financial consequences. Some resulted from stolen laptops. Others from employees snooping through celebrity medical charts. A few came down to something as simple as failing to hand over medical records when a patient asked for them.
This article breaks down 20 real OCR enforcement cases grouped by violation type. For each case, you will find the organization name, the year of settlement, the fine amount, what happened, and which HIPAA provision was violated. More importantly, you will find the lesson that applies to your practice, whether you are a solo provider or a multi-facility health system.
If you have not yet conducted a thorough HIPAA risk assessment, the cases below should make the urgency clear.
20 Real HIPAA Enforcement Cases and What They Cost
Category 1: Unencrypted Devices
Encryption is an addressable specification under the HIPAA Security Rule. That does not mean it is optional. It means a covered entity must either implement encryption or document why an equivalent alternative safeguard is reasonable and appropriate. In practice, OCR has shown little patience for organizations that skip encryption and then lose devices containing electronic protected health information (ePHI).
Case 1: Lifespan Health System (2020). $1,040,000
What happened: In 2017, an unencrypted laptop belonging to a Lifespan employee was stolen. The device contained the ePHI of over 20,000 patients, including names, medical record numbers, demographic information, and medical data. Lifespan filed a breach report with OCR, triggering an investigation.
What OCR found: Lifespan had previously determined that encrypting laptops was reasonable and appropriate but had not followed through. The organization also failed to implement policies and procedures to track or inventory devices accessing its network or containing ePHI.
HIPAA provisions violated: 45 CFR 164.312(a)(2)(iv) (encryption and decryption); 45 CFR 164.310(d)(1) (device and media controls).
Lesson for small practices: If your own risk assessment says encryption is appropriate, implement it. OCR will treat your internal documentation as an admission that you knew it was necessary. Saying “we planned to encrypt” is worse than never having assessed at all. For guidance on encryption requirements, see our breakdown of HIPAA encryption requirements in 2026.
Case 2: Children’s Medical Center of Dallas (2017). $3,200,000
What happened: Two separate breaches triggered this case. In November 2009, an unencrypted, non-password-protected BlackBerry device was lost at Dallas/Fort Worth International Airport, exposing the ePHI of approximately 3,800 patients. A second breach involved an unencrypted laptop. Despite being aware of the risk as early as 2007, Children’s Medical Center failed to deploy encryption for years.
What OCR found: This was a civil monetary penalty, not a negotiated settlement. Children’s Medical Center contested the findings, and OCR imposed the $3.2 million penalty after determining that the hospital had known about the lack of encryption and failed to act for nearly a decade.
HIPAA provisions violated: 45 CFR 164.312(a)(2)(iv) (encryption and decryption); 45 CFR 164.310(d)(1) (device and media controls).
Lesson for small practices: The timeline matters. OCR looked at how long the hospital knew about the vulnerability versus how long it took to fix it. If your practice identified encryption gaps in a previous risk assessment but has not addressed them, the clock is ticking.
Case 3: University of Texas MD Anderson Cancer Center (2017, overturned 2021). $4,348,000
What happened: Between 2012 and 2013, MD Anderson experienced three breaches: two unencrypted USB flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop with ePHI of 29,021 patients was stolen. OCR imposed a civil monetary penalty of $4,348,000, consisting of $1.3 million for the lack of encryption and $3 million for impermissible disclosures of ePHI.
What happened next: MD Anderson appealed, and in January 2021, the U.S. Court of Appeals for the Fifth Circuit vacated the penalty, calling it “arbitrary, capricious, and otherwise unlawful.” The court found that OCR had not properly justified the penalty calculation.
HIPAA provisions at issue: 45 CFR 164.312(a)(2)(iv) (encryption and decryption); 45 CFR 164.502(a) (uses and disclosures of PHI).
Lesson for small practices: Even when a penalty gets overturned on appeal, the legal costs are enormous, and the process takes years. MD Anderson spent years fighting this case. Prevention is cheaper than litigation, every single time.
Category 2: Failure to Conduct a Risk Assessment
The Security Rule requires every covered entity and business associate to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. No exceptions. No grace period. If you have not done yours, visit our risk assessment page to understand what is required.
Case 4: CHSPSC, LLC (2020). $2,300,000
What happened: In April 2014, the FBI notified CHSPSC (a business associate providing IT, accounting, and health information management services to hospitals owned by Community Health Systems) that hackers had compromised its information systems. The attackers, using stolen administrative credentials, continued to access the system until August 2014. The breach ultimately exposed the ePHI of 6,121,158 individuals.
What OCR found: The investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis, failure to implement information system activity reviews, failure to establish security incident procedures, and failure to implement access controls.
HIPAA provisions violated: 45 CFR 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR 164.308(a)(1)(ii)(D) (information system activity review); 45 CFR 164.308(a)(6)(ii) (response and reporting of security incidents); 45 CFR 164.312(a) (access controls).
Lesson for small practices: Business associates are held to the same standards as covered entities. If your IT vendor, billing company, or cloud storage provider has not conducted a risk analysis, their compliance gap is also your liability. For a deeper look at how one massive breach rippled across the healthcare industry, read our analysis of the Change Healthcare breach one year later.
Case 5: CardioNet (2017). $2,500,000
What happened: A laptop belonging to a CardioNet employee was stolen from a parked vehicle outside the employee’s home. The device contained the ePHI of 1,391 individuals. CardioNet, a wireless health services provider specializing in cardiac monitoring, filed the required breach notification.
What OCR found: CardioNet had conducted a risk analysis, but OCR determined it was not comprehensive. Policies and procedures related to the HIPAA Security Rule existed only in draft form and had never been implemented.
HIPAA provisions violated: 45 CFR 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR 164.308(a)(1)(ii)(B) (risk management).
Lesson for small practices: A half-finished risk analysis is not a risk analysis. OCR does not give credit for good intentions or draft documents. If your policies exist only on paper (or only in someone’s email drafts), they will not protect you in an investigation. Learn more about what a proper assessment involves through our gap analysis service.
Case 6: Fresenius Medical Care North America (2018). $3,500,000
What happened: Five separate FMCNA-owned covered entities experienced data breaches in 2012. The entities included dialysis facilities and a vascular care provider across multiple states. The breaches involved stolen computers, missing USB drives, and an unencrypted laptop.
What OCR found: The FMCNA entities failed to conduct accurate and thorough risk analyses to identify potential risks to ePHI. They also failed to implement device and media controls, failed to establish facility access controls, and impermissibly disclosed ePHI.
HIPAA provisions violated: 45 CFR 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR 164.310(a)(1) (facility access controls); 45 CFR 164.310(d)(1) (device and media controls); 45 CFR 164.502(a) (uses and disclosures of PHI).
Lesson for small practices: If you operate multiple locations, each one needs to be covered by your risk analysis. OCR will not accept a single-site assessment applied to an entire organization with different physical environments, different staff, and different risks.
Category 3: Unauthorized Access and Snooping
These cases involve employees who accessed patient records without any treatment, payment, or healthcare operations justification. Snooping is one of the most common HIPAA violations, and it is one of the hardest to catch without proper audit controls and HIPAA training.
Case 7: UCLA Health System (2011). $865,500
What happened: Between 2005 and 2008, UCLA Health System employees repeatedly accessed the electronic protected health information of patients without authorization. The snooping involved records of celebrity patients including Farrah Fawcett, Britney Spears, and Maria Shriver. One employee, Lawanda Jackson, was fired for accessing records and selling information to the National Enquirer. Another employee pleaded guilty to four federal counts of illegally reading confidential medical records and was sentenced to four months in federal prison.
What OCR found: UCLA Health System failed to implement security measures sufficient to reduce the risks of impermissible access to ePHI by unauthorized users to a reasonable and appropriate level.
HIPAA provisions violated: 45 CFR 164.530(c) (administrative requirements, safeguards); 45 CFR 164.308(a)(1)(ii)(D) (information system activity review).
Lesson for small practices: Audit logs are not optional. You need to monitor who is accessing what, and you need a process for reviewing that access. Even in a five-person practice, someone should be reviewing EHR access logs regularly. Training your staff to understand what constitutes unauthorized access is equally important. See our HIPAA training page for options.
Case 8: Shasta Regional Medical Center (2013). $275,000
What happened: Two senior leaders at Shasta Regional Medical Center met with members of the media and disclosed protected health information about a patient. The hospital also sent an email to its entire workforce that included details of the patient’s medical condition, diagnosis, and treatment. The incident came to light after a Los Angeles Times article referenced the patient’s information.
What OCR found: SRMC intentionally disclosed PHI to multiple media outlets on at least three separate occasions without a valid written authorization from the patient.
HIPAA provisions violated: 45 CFR 164.502(a) (uses and disclosures of PHI); 45 CFR 164.530(c) (administrative requirements, safeguards).
Lesson for small practices: The HIPAA Privacy Rule applies to everyone in the organization, including senior leadership. A practice owner or office manager who discusses a patient case with the media, in a public setting, or in an all-staff email has committed an impermissible disclosure. Period.
Category 4: Impermissible Disclosures
These cases go beyond snooping. They involve organizations that actively disclosed patient information to parties who had no right to see it, whether through press releases, mailings, or carelessness.
Case 9: Memorial Hermann Health System (2017). $2,400,000
What happened: In September 2015, a patient visited a Memorial Hermann clinic and presented a fraudulent identification card. Staff identified the fraud, notified law enforcement, and the patient was arrested. Disclosing the patient’s name to law enforcement was permissible under HIPAA. However, Memorial Hermann then issued a public press release that included the patient’s name in the title.
What OCR found: The press release constituted an impermissible disclosure of PHI. OCR also found that Memorial Hermann failed to document the sanctions imposed against workforce members who were not in compliance with the HIPAA Privacy Rule.
HIPAA provisions violated: 45 CFR 164.502(a) (uses and disclosures of PHI); 45 CFR 164.530(e) (sanctions).
Lesson for small practices: This was the first settlement involving the PHI of a single patient. You do not need a massive data breach to trigger a seven-figure penalty. One careless press release, one social media post, or one conversation in a waiting room with a reporter present is enough.
Case 10: Aetna (2020). $1,000,000
What happened: Aetna committed three HIPAA breaches within a six-month period in 2017. In the first breach, two web services displayed plan-related documents that were accessible without login credentials and were indexed by internet search engines, exposing the information of 5,002 individuals. In the second breach, benefit notices were mailed in envelopes with large windows that exposed the words “HIV Medications,” revealing the HIV status of approximately 12,000 plan members to anyone who handled the mail, including mail carriers, roommates, and family members. A third breach involved a mailing related to a clinical research study.
What OCR found: All three disclosures were impermissible. In each instance, Aetna failed to limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure.
HIPAA provisions violated: 45 CFR 164.502(b) (minimum necessary); 45 CFR 164.530(c) (administrative requirements, safeguards).
Lesson for small practices: Physical mailings are still a major risk vector. If your practice sends statements, appointment reminders, or EOBs by mail, the information visible through the envelope window must be reviewed. Also remember: Aetna paid an additional $17 million in a class action settlement and millions more to state attorneys general over the same incidents. The OCR fine is only the beginning.
Category 5: Lack of Business Associate Agreements
Under the HIPAA Privacy and Security Rules, covered entities must have written business associate agreements (BAAs) with any vendor or contractor that creates, receives, maintains, or transmits PHI on their behalf. No BAA means no compliance, regardless of how well the vendor actually handles the data.
Case 11: North Memorial Health Care (2016). $1,550,000
What happened: North Memorial Health Care of Minnesota gave its business associate, Accretive Health, Inc., access to a hospital database containing the ePHI of 289,904 patients. There was no business associate agreement in place.
What OCR found: North Memorial failed to execute a BAA as required under both the HIPAA Privacy and Security Rules. OCR also found that North Memorial had not conducted an organization-wide risk analysis.
HIPAA provisions violated: 45 CFR 164.502(e) (disclosures to business associates); 45 CFR 164.308(a)(1)(ii)(A) (risk analysis).
Lesson for small practices: Every vendor that touches patient data needs a BAA. That includes your EHR vendor, billing service, IT support company, cloud storage provider, answering service, and shredding company. If you are not sure who qualifies, our HIPAA consulting team can help you build a complete vendor inventory.
Case 12: Care New England Health System (2016). $400,000
What happened: Women & Infants Hospital of Rhode Island reported the loss of unencrypted backup tapes containing ePHI in 2012. During the investigation, OCR discovered that the BAA between Women & Infants Hospital and Care New England Health System had not been updated since March 2005. It was not revised until August 2015, after OCR’s investigation had already begun. The agreement did not incorporate the revisions required under the HIPAA Omnibus Final Rule, which took effect in 2013.
HIPAA provisions violated: 45 CFR 164.502(e) (disclosures to business associates); 45 CFR 164.504(e) (business associate contracts).
Lesson for small practices: BAAs are not a “sign it once and file it” document. They must be reviewed and updated when regulations change. The HIPAA Omnibus Rule required all BAAs to be updated by September 2014. If your agreements have not been reviewed since then, they are out of compliance.
Category 6: Insufficient Access Controls
Access controls are foundational to the HIPAA Security Rule. They determine who can access ePHI, under what circumstances, and through what mechanisms. When access controls fail, the scale of exposure can be staggering.
Case 13: Anthem, Inc. (2018). $16,000,000
What happened: In 2015, Anthem disclosed what was at the time the largest health data breach in U.S. history. Hackers compromised the ePHI of nearly 79 million individuals, including names, Social Security numbers, dates of birth, addresses, and employment information. The breach began when at least one employee opened a phishing email, giving the attackers access to Anthem’s IT systems.
What OCR found: Anthem failed to conduct an enterprise-wide risk analysis prior to the breach. It also failed to implement sufficient procedures for regularly reviewing information system activity, failed to identify and respond to suspected or known security incidents, and lacked technical policies and procedures for access to information systems containing ePHI.
HIPAA provisions violated: 45 CFR 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR 164.308(a)(1)(ii)(D) (information system activity review); 45 CFR 164.312(a)(1) (access controls).
Lesson for small practices: Phishing emails do not discriminate by organization size. A single employee clicking a malicious link can expose your entire patient database. Multi-factor authentication, workforce security awareness training, and network segmentation are not luxuries. They are baseline requirements. For what to do when an attack is already underway, see our guide on the first 72 hours of ransomware response.
Case 14: Banner Health (2023). $1,250,000
What happened: On July 13, 2016, Banner Health detected that hackers had gained access to its systems. The subsequent investigation confirmed unauthorized access beginning on June 17, 2016, affecting the ePHI of 2.81 million individuals. The attackers initially targeted food and beverage payment card processing systems before pivoting to health plan and patient data.
What OCR found: Banner Health failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to ePHI. It also failed to implement an adequate authentication process and failed to install sufficient security measures to protect electronic health records when transmitted.
HIPAA provisions violated: 45 CFR 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR 164.312(d) (person or entity authentication); 45 CFR 164.312(e)(1) (transmission security).
Lesson for small practices: Attackers do not always enter through the front door. Banner’s breach started with food service payment systems and moved laterally into clinical systems. If your practice shares a network between operational systems (billing, scheduling) and clinical systems (EHR, lab interfaces), segmentation is essential.
Category 7: Right of Access Failures
In 2019, OCR launched the HIPAA Right of Access Initiative to crack down on providers who fail to give patients timely access to their medical records. Under 45 CFR 164.524, covered entities must provide requested records within 30 days (with a possible 30-day extension). The fines may seem smaller here, but OCR has pursued these cases relentlessly, and many targets are small practices.
Case 15: Cignet Health of Prince George’s County (2011). $4,300,000
What happened: Between September 2008 and October 2009, Cignet Health denied 41 patients access to their medical records. When OCR investigated, Cignet refused to cooperate from March 2009 to April 2010.
What OCR found: Cignet violated patients’ right of access under the Privacy Rule. The penalty of $1.3 million was assessed for the access denials. An additional $3 million was added for Cignet’s willful neglect in failing to cooperate with the federal investigation.
HIPAA provisions violated: 45 CFR 164.524 (access of individuals to PHI); 45 CFR 160.310 (compliance reviews and cooperation).
Lesson for small practices: This was the first civil monetary penalty OCR ever imposed under the Privacy Rule. The access denials alone were expensive. The refusal to cooperate tripled the penalty. If OCR contacts you, respond promptly and cooperate fully. Stonewalling is the most expensive possible strategy.
Case 16: Bayfront Health St. Petersburg (2019). $85,000
What happened: In October 2017, a patient requested prenatal health records for her unborn child from Bayfront Health. Nine months later, she still had not received a complete copy. A partial response was provided in March 2018, and a full set of records was not delivered until February 2019, over 15 months after the initial request.
What OCR found: Bayfront failed to provide the patient with timely access to her medical records as required by the HIPAA Privacy Rule.
HIPAA provisions violated: 45 CFR 164.524 (access of individuals to PHI).
Lesson for small practices: This was the first case under OCR’s Right of Access Initiative. It set the tone: even a single patient complaint about delayed records access can result in a five-figure fine and a corrective action plan. Make sure your staff knows the 30-day requirement and has a system to track requests.
Case 17: Riverside Psychiatric Medical Group (2020). $25,000
What happened: In March 2019, a patient filed a complaint with OCR alleging that Riverside Psychiatric had not provided her with a copy of her medical records despite multiple requests. Riverside Psychiatric argued that because the records included psychotherapy notes, it was not required to comply.
What OCR found: Riverside’s interpretation was wrong. While psychotherapy notes have separate protections under 45 CFR 164.508(a)(2), the patient’s general medical record (including session dates, diagnoses, treatment plans, and medications) must still be provided upon request.
HIPAA provisions violated: 45 CFR 164.524 (access of individuals to PHI).
Lesson for small practices: Psychotherapy notes are a narrow exception. The designated record set, which includes most of what a patient asks for, must be provided. If you are unsure what qualifies, get training before you deny a request. Wrong interpretations of the rule are not a defense. Our HIPAA compliance services for medical practices include guidance on exactly this type of issue.
Category 8: Social Media and Public Disclosure Violations
Social media has created an entirely new category of HIPAA risk. Healthcare workers posting about patients, practices responding to online reviews, and organizations sharing “success stories” without authorization have all resulted in enforcement actions.
Case 18: Elite Dental Associates (2019). $10,000
What happened: In June 2016, a patient filed a complaint with OCR alleging that Elite Dental Associates had responded to a Yelp review and publicly disclosed the patient’s last name, health condition, treatment plan, insurance information, and cost details.
What OCR found: Elite Dental had no policy or procedure governing disclosures of PHI on social media. The practice also lacked a compliant Notice of Privacy Practices.
HIPAA provisions violated: 45 CFR 164.530(i) (policies and procedures); 45 CFR 164.502(a) (uses and disclosures of PHI); 45 CFR 164.520 (notice of privacy practices).
Lesson for small practices: Never include any patient details when responding to an online review. You cannot even confirm that someone is your patient. The safest response to a negative review is a generic statement inviting the reviewer to contact the office directly. Better yet, have a written social media policy and train your team on it.
Case 19: Manasa Health Center (2024). $30,000
What happened: In April 2020, OCR received a complaint that Manasa Health Center, a New Jersey-based psychiatry practice serving adults and children, had disclosed a patient’s mental health diagnosis and treatment information when responding to a negative online review. OCR’s investigation revealed that the PHI of four patients total had been impermissibly disclosed in responses to negative Google Reviews.
What OCR found: Manasa Health Center had no HIPAA Privacy policies and procedures in place. The practice disclosed patients’ mental health diagnoses, treatment details, and other PHI in its public responses to reviews.
HIPAA provisions violated: 45 CFR 164.530(i) (policies and procedures); 45 CFR 164.502(a) (uses and disclosures of PHI).
Lesson for small practices: Mental health information carries heightened sensitivity. Responding to a negative Google review by referencing a patient’s psychiatric diagnosis is both a HIPAA violation and a potential state law violation. The instinct to defend your practice must be overridden by the legal obligation to protect patient privacy.
Case 20: Cadia Healthcare Facilities (2025). $182,000
What happened: In September 2021, OCR received a complaint alleging that Cadia Healthcare Facilities, a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware, had disclosed a patient’s name, photograph, and information about the patient’s conditions, treatment, and recovery in a “success story” posted to the organization’s website. OCR’s investigation found that the PHI of 150 patients had been published on Cadia’s websites without valid HIPAA authorizations.
What OCR found: Cadia had posted patient stories, photos, and treatment outcomes as marketing content without obtaining written authorization from the patients. This constitutes a clear violation of the Privacy Rule.
HIPAA provisions violated: 45 CFR 164.502(a) (uses and disclosures of PHI); 45 CFR 164.508(a) (uses and disclosures for which an authorization is required); 45 CFR 164.404 (notification to individuals).
Lesson for small practices: Patient testimonials and “before and after” stories require a valid, signed HIPAA authorization. A verbal “okay” is not sufficient. A general consent form is not sufficient. You need a specific, written authorization that describes exactly what information will be disclosed and to whom. If your marketing team or social media manager does not understand this, schedule HIPAA training immediately.
Penalty Tiers Under the HITECH Act: 2026 Adjusted Amounts
The Health Information Technology for Economic and Clinical Health (HITECH) Act established four tiers of penalties for HIPAA violations, based on the level of culpability. These amounts are adjusted for inflation annually under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The most recent adjustment took effect January 28, 2026.
For a detailed breakdown of how fine amounts have escalated, see our analysis of HIPAA fines in 2025 and the 2026 penalty increases.
2026 Penalty Amounts Per Violation
| Tier | Culpability Level | Minimum Per Violation | Maximum Per Violation |
|---|---|---|---|
| 1 | Lack of knowledge (the entity did not know and, by exercising reasonable diligence, would not have known of the violation) | $145 | $73,011 |
| 2 | Reasonable cause (the violation was due to reasonable cause, not willful neglect) | $1,461 | $73,011 |
| 3 | Willful neglect, corrected within 30 days | $14,602 | $73,011 |
| 4 | Willful neglect, not corrected within 30 days | $73,011 | $2,190,294 |
These per-violation amounts are defined in 45 CFR 160.404.
Annual Caps Per Identical Provision
The statutory annual cap for violations of an identical provision is $2,190,294 across all four tiers. However, since April 2019, OCR has exercised enforcement discretion to apply lower annual caps for Tiers 1 through 3:
| Tier | Enforcement Discretion Annual Cap |
|---|---|
| 1 | $36,506 |
| 2 | $146,053 |
| 3 | $365,052 |
| 4 | $2,190,294 |
This enforcement discretion, originally announced in a 2019 Federal Register notice, remains in effect indefinitely but is not legally binding. OCR could rescind it at any time, reverting all tiers to the full $2,190,294 annual cap.
What This Means in Practice
Most of the cases in this article fell into Tier 3 or Tier 4 territory. Willful neglect, whether corrected or not, accounts for the largest settlements. Organizations that knew about vulnerabilities and failed to act (Children’s Medical Center, Lifespan), that systemically ignored compliance requirements (CHSPSC, Fresenius), or that intentionally disclosed PHI (Memorial Hermann, Shasta Regional) all faced penalties at the higher end of the scale.
Tier 1 and Tier 2 violations are real but rare in OCR enforcement actions, because by the time OCR investigates, there is usually evidence that the entity should have known better. The risk assessment requirement under 45 CFR 164.308(a)(1)(ii)(A) is the baseline. If you have not done one, you have already moved beyond Tier 1.
The Common Thread Across All 20 Cases
Look at these cases collectively and a pattern emerges. The organizations that paid the largest fines were not necessarily the ones with the biggest breaches. They were the ones that:
- Knew about the problem and did not fix it. Children’s Medical Center knew about encryption gaps for nearly a decade. Lifespan’s own assessment identified encryption as necessary. CHSPSC had systemic gaps for years before the breach.
- Had no risk assessment at all, or had one that was incomplete. CardioNet’s risk analysis was deemed insufficient. North Memorial had never conducted an organization-wide analysis. Anthem lacked an enterprise-wide assessment before the largest health data breach in history.
- Failed to cooperate with OCR. Cignet Health’s refusal to cooperate added $3 million to its penalty. Full cooperation with OCR investigations is consistently treated as a mitigating factor.
- Treated compliance as a one-time event. Care New England’s BAA sat untouched for a decade. Fresenius’s five covered entities each had gaps. Compliance is an ongoing program, not a project with a completion date.
If your practice has not conducted a current risk assessment, does not have updated BAAs with every vendor, has not trained staff within the last 12 months on HIPAA requirements, or lacks written policies covering social media, access requests, and breach notification, you are carrying the same risks that cost these organizations millions.
The difference between a $10,000 fine and a $16 million fine often comes down to whether you can demonstrate, with documentation, that you took reasonable steps to protect patient data before something went wrong.
Start with the risk assessment. Everything else builds from there.