How HIPAA Violations Lead to Enforcement Action
In October 2024, OCR settled with Cascade Eye and Skin Centers for $250,000 after a phishing attack exposed the ePHI of 291,000 patients. OCR found the practice had failed to conduct a risk assessment or implement security measures - violations that turned a preventable incident into a six-figure penalty.
That settlement is not unusual. When OCR opens an investigation, they already have evidence that something went wrong. The question shifts from “did a violation happen?” to “how bad is it, and did you try to prevent it?”
What Triggers an OCR Investigation?
Most OCR investigations do not start with a government audit team showing up unannounced. OCR can conduct spot audits on their own, but they do not employ that approach as much these days. They do not actually want a “gotcha” situation.
Instead, investigations typically begin with one of four triggers:
- Patient complaints filed directly with OCR. This is the most common trigger. Any patient can file a complaint through the HHS website. You can learn more about how to respond to a HIPAA complaint if one is filed against your practice.
- Breach reports. Any breach affecting 500 or more individuals must be reported to OCR within 60 days. These reports automatically trigger scrutiny. With healthcare breaches doubled in 2025, OCR’s enforcement workload is growing.
- Whistleblower complaints. Current or former employees who report violations to OCR are protected under federal law.
- Random audits. OCR has the authority to conduct random audits, but these are rare and account for a small fraction of enforcement actions.
If OCR does come knocking, you will typically receive a certified letter requesting information or a warning that tells you exactly where you are lacking. If the behavior does not change, auditors will come to find you.
The Most Common Violations in Small Practices
The violations that sink small and mid-sized practices are rarely exotic. They are the basics, like having written policies. Trouble comes when the daily rush prevents you from getting around to DOCUMENTING your well-intended procedures.
Password sharing is one of the most persistent problems. Staff share login credentials for convenience, but shared passwords destroy audit trails and make it impossible to track who accessed what record and when.
No audit logs is another common gap. Without logs showing who accessed patient records, a practice has no way to demonstrate compliance during an investigation, or detect unauthorized access before it becomes a breach.
Technical safeguards represent the biggest gap overall. Encryption, access controls, automatic logoff, and transmission security are areas where many practices fall short. A risk assessment guide to avoid fines can help identify these gaps before OCR does.
Warnings, Corrective Action Plans, and Fines
Not every HIPAA violation results in a fine. OCR uses a tiered enforcement model that weighs the severity of the violation against the effort a covered entity made to comply.
The first step is often a warning or technical assistance letter. For organizations making their due diligent effort to become HIPAA compliant, more often than not this amounts to a slap on the wrist.
If the violation is more serious, OCR may impose a corrective action plan (CAP) - a set of requirements that must be followed on the government’s timeline, no longer on yours. CAPs typically run one to three years and include monitoring, reporting, and specific remediation steps.
A fine is one step higher on the scale of severity. Penalty amounts under 45 CFR 160.404 are organized into four tiers:
| Tier | Culpability | Per Violation | Annual Cap |
|---|---|---|---|
| 1 | Did not know | $137 - $68,928 | $2,067,813 |
| 2 | Reasonable cause | $1,379 - $68,928 | $2,067,813 |
| 3 | Willful neglect, corrected within 30 days | $13,785 - $68,928 | $2,067,813 |
| 4 | Willful neglect, not corrected | $68,928 - $2,067,813 | $2,067,813 |
These amounts were adjusted for inflation and HIPAA fines increased in 2026. The gap between Tier 1 and Tier 4 reflects the difference between an honest mistake and willful neglect.
How Due Diligence Protects You
The single most important factor in how OCR handles a violation is whether the organization was making a genuine effort to comply before the incident occurred.
A completed risk assessment is the first thing OCR looks for. In the Cascade Eye settlement, the absence of a risk assessment was a central finding. It signals to investigators that the practice never even attempted to identify its vulnerabilities.
Beyond the risk assessment, due diligence means written policies, documented training, access controls, audit logs, and a breach response plan (among other things), all maintained and updated regularly. None of these need to be perfect. They need to exist, be followed, and be documented.
Practices with evidence of an active compliance program are far more likely to receive technical assistance or a Tier 1 penalty than a six-figure fine. The goal is to show that the violation was an exception and not a symptom of systemic neglect.
Our case studies show how practices that invested in compliance programs before an incident fared significantly better during OCR investigations.
FAQs
Can a patient file a HIPAA complaint directly? Yes. Any person can file a complaint with OCR through the HHS website or by mail. Complaints must be filed within 180 days of when the person knew or should have known about the violation, though OCR can waive this deadline for good cause.
How long does an OCR investigation take? There is no fixed timeline. Simple complaints may be resolved in a few months. Investigations involving large breaches or systemic violations can take one to three years or longer, particularly if they result in a resolution agreement or corrective action plan.
Can employees be personally fined for HIPAA violations? OCR’s civil penalties target covered entities and business associates, but the Department of Justice can pursue criminal charges against individuals. Criminal penalties range from $50,000 and one year in prison up to $250,000 and ten years for offenses committed with intent to sell or use PHI for personal gain.
Does having a compliance program guarantee you will not be fined? No. A compliance program does not make a practice immune to penalties. However, it significantly reduces the likelihood of large fines and is the primary factor OCR considers when determining the penalty tier.
Sources
- 45 CFR 160.404 - Amount of a civil money penalty
- OCR Enforcement Results by Year
- How to File a HIPAA Complaint
- Cascade Eye and Skin Centers Settlement
One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes. Learn more about One Guy Consulting