OCR Enforcement Activity: Trends and Insights From a Limited Sample
A recent report put the odds of an asteroid hitting the earth in December 2032 at 3.1%—which is 3,100 times more likely than an organization resolving an enforcement action with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). Not a misprint: since January 2024, OCR has announced penalties for, or settlements with, just 0.001% of all entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). But that does not mean that OCR is a paper tiger—it often investigates without pursuing an enforcement action (and, when it does act, the penalties can be significant). To help companies steer clear of OCR’s crosshairs, we reviewed all 20 enforcement actions announced in the last year to identify trends/insights that can help organizations understand the risks and prioritize compliance measures.
Key Takeaways
Regulated entities assessing their compliance program should consider the following points:
- Focus on the risk analysis. Organizations should ensure their risk analysis is both current and adequate because OCR launched an enforcement initiative on this issue.
- Sweat the minutiae (at least for access requests). OCR’s enforcement actions against multiple covered entities for just one delayed access request indicate that OCR is focused on more than systemic issues or large-scale breaches.
- Train for that marathon. The investigation/enforcement process is often a slow, methodical process that stretches over years with spurts of action followed by quiet periods.
The big caveat here is that all the enforcement activity happened under the last administration, and it is an open question how the current administration will police HIPAA compliance. However, as noted in our recent alert on the proposed Security Rule revisions, there appears to be bipartisan support for ensuring the safety and privacy of medical records.
Targeted Organizations
OCR announced the results of 20 enforcement actions since the beginning of 2024—and all but three of them were targeted at covered entities. [To put those 20 matters into context, OCR recently estimated there are 822,600 covered entities and 1,000,000 business associates.] The three outliers involved business associates who reported that third parties gained access to protected health information the business associate maintained for covered entities.
Settlements Versus Penalties
OCR’s enforcement activity since the start of 2024 resulted in a mix of settlements and civil monetary penalties. Consistent with OCR’s guidance, there was a strong preference for settlements: 13 of the 20 matters were resolved in what one might call an amicable fashion. In the seven remaining matters, OCR pursued an administrative adjudication that led to a civil monetary penalty. The preference for settlements is no surprise because OCR can negotiate ongoing monitoring/reporting obligations (often in the form of a Corrective Action Plan)—an option that is unavailable when OCR instead relies on its power to impose civil monetary penalties.
Payments
OCR’s enforcement activity resulted in organizations coughing up $9,436,346 since the start of 2024. But not all matters are created equal—the risks here vary depending on how OCR resolved the matter—settlement or penalty:
| | Average | Median |
|---|---|---|
| Settlement | $437,545 | $90,000 |
| Civil Monetary Penalty | $535,466 | $240,000 |
Unsurprisingly, organizations that reached an amicable resolution—a settlement—paid about 18% less on average than when OCR resorted to imposing a penalty. The difference between settlements and penalties would be even greater but for one outlier, a $3 million settlement. [The import of that outlier is highlighted by the median settlement being significantly lower than the median penalty.] These numbers, however, offer only limited predictive value because we are dealing with a universe of only 20 matters.
Areas of Focus
We break down OCR’s enforcement activity in a few different ways: (1) the rule involved (Breach, Privacy, and Security Rules); (2) the regulatory requirement at issue (e.g., training or risk analysis); and (3) the incident type (e.g., ransomware or access request).
Rule
OCR zeroed in on the Security Rule last year. Of the 20 matters, 15 of them involved a Security Rule component—and 10 of those matters only involved that rule. OCR also had five matters covering only the Privacy Rule, four matters involving both the Privacy and Security Rules, and one matter addressing purported violations of all three HIPAA rules.
Regulatory Requirement
Each matter often involved more than one alleged regulatory violation. OCR’s most frequently cited violation was an inadequate risk analysis, which appeared in 13 matters. That was not by chance; in late 2024, OCR launched its Risk Analysis Initiative “to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.” [This plan should not be taken as mere bluster—the last initiative, 2019’s Right of Access Initiative, spurred nearly 50 enforcement actions over five years.] OCR’s other hot topics last year included access requests (five matters), unauthorized disclosures (five matters), and information system activity reviews (six matters).
We break down below the number of matters in which OCR asserted each type of violation:
| Frequency | Requirement |
|---|---|
| 13 matters | |
| 6 matters | |
| 5 matters | |
| 3 matters | |
| 3 matters | |
| 1 matter | |
Incident Type
Another way of looking at the enforcement actions is to explore the underlying event that triggered OCR’s scrutiny. We identified six categories: phishing, ransomware, access requests, credential stuffing, unauthorized disclosures, and business associate compromise. While phishing, ransomware, and credential stuffing ultimately resulted in unauthorized disclosures, our “unauthorized disclosure” category covers situations where the third party did not “hack” their way into the systems. These matters, instead, cover situations where the organization shared data with a patient’s employer without authorization, allowed protected health information to be indexed/cached by search engines, or discovered that a terminated contractor was still accessing records. Our Business Associate Compromise tag covers a matter where an unauthorized third party accessed and deleted records held by the business associate on behalf of covered entities.
We summarize below how frequently each type of incident prompted an OCR action:
| Frequency | Incident Type |
|---|---|
| 8 matters | |
| 5 matters | |
| 3 matters | |
| 2 matters | |
| 1 matter | |
Timing
OCR’s timeline varied widely on these matters—but there was one constant: a lengthy wait. On average, 57 months elapsed between OCR receiving a complaint (or a breach notice) and announcing the settlement/penalty. The quickest turnaround was 14 months, the longest wait was 88 months, and the median period was 62 months.
The numbers move only slightly—and in an unsurprising way—when we break the timing out by settlements and administrative adjudications where OCR imposed a penalty. Settlements moved 14 months faster on average than adjudications (52 months versus 66 months). But, in a surprising twist, the two longest waits (87 and 88 months) were both in settled matters.
These numbers do not tell the full story because sometimes there was a delay between the decision and the announcement. For example, OCR issued a final determination on July 1 and announced it on October 3. In another matter, OCR reached a settlement on February 20 yet only published the press release on July 1.
Conclusion
The odds may be slim that a complaint or breach notice results in an enforcement action, but OCR’s activity over the last year shows that there is not a compliance area where organizations can skimp with impunity.