Back To The Blog

Avoiding HIPAA Violations and the Consequences of Non-Compliance

Incident Response / January 31 , 2025

Data breaches continue to stalk the healthcare industry. With ransomware attacks in the mix, these events threaten not just the financial and personal data of organizations but the well-being of patients. In light of record-breaking statistics—healthcare data breaches affected 168 million individuals in 2024—the Health and Human Services Office of Civil Rights (OCR) has followed suit, more proactively enforcing violations that lead to breaches. We talked with Breach Coaches® David Cole and Nicholas Jajko of Freeman Mathis & Gary LLP about common mistakes healthcare providers are making, how to mitigate the risk of a healthcare data breach, and best practices for responding to OCR investigations.

How has the OCR’s approach to HIPAA enforcement evolved over the past few years to reflect the increase in healthcare data breaches?

A magnifying glass held in a person’s hand examines papers strewn across a desk.OCR has adopted a more aggressive and strategic approach to HIPAA enforcement, focusing on risk-based investigations into breaches involving large amounts of sensitive data, repeated violations, or systemic compliance failures. The agency has emphasized preventative measures, including comprehensive risk analyses, timely patch management, and employee training to mitigate security vulnerabilities. This underscores OCR’s intent to hold entities accountable for breaches and any failure to take proactive measures to guard Protected Health Information (PHI).

Notably, OCR has expanded its enforcement to include small and medium-sized healthcare providers, recognizing their vulnerability to cyberattacks due to limited IT resources and outdated infrastructure. To address this, OCR has pursued enforcement actions and launched targeted educational programs and resources to help smaller providers improve their cybersecurity readiness, such as updating its online risk assessment tool.

Looking ahead, we expect OCR’s enforcement to intensify, with a continued focus on cybersecurity readiness and challenges posed by emerging technologies like artificial intelligence and cloud-based healthcare solutions.

What are the potential consequences for healthcare providers not following HIPAA?

Fines and penalties for HIPAA violations can be severe, with OCR imposing civil monetary penalties or negotiating substantial settlements that can range from tens of thousands to millions of dollars, depending on the severity of the violation and the level of culpability. Repeated or willful violations can lead to higher penalties, along with mandatory corrective action plans with extensive oversight by OCR for up to two years.

Beyond this, healthcare providers can face significant reputational harm as well. Healthcare providers rely on patient trust, and a publicized HIPAA breach can erode confidence, resulting in patient attrition, damaged relationships, and long-term harm to the provider’s brand. Negative media coverage and increased scrutiny from regulators can further compound the fallout, making compliance with HIPAA both a legal requirement and a critical component of maintaining trust and business stability.

Which recent OCR HIPAA enforcement actions stand out to you as particularly significant or instructive for healthcare providers?

A judge’s gavel rests on a computer keyboard.Over the past year, OCR has disclosed several resolution agreements related to ransomware events, marking a notable uptick in enforcement activity. In comparison, OCR’s “Right of Access” initiative, launched in 2019, has resulted in over 20 published resolutions addressing medical providers’ failures to provide patients with timely access to their medical records.

What stands out across both enforcement contexts is that the majority of resolutions involve small and medium-sized healthcare providers or business associates. In the ransomware cases, settlements have varied widely. For example, agreements include: a practice management software provider ($100k for 200k records impacted), a regional psychiatric practice ($40k for 14k records), a regional hospital system ($950k; records not disclosed), a privately owned ophthalmology and dermatology practice ($250k for 290k records), a non-profit physician services organization ($240k for 85k records), a plastic surgery practice ($500k for 10k records), and a regional ambulance authority ($90k for 14k records).

The key takeaway is that the size of the breach—in terms of records impacted—is not the sole determinant of settlement amounts. In addition, OCR is factoring in compliance efforts, such as thorough risk analyses, timely vulnerability management, and effective response measures, and not just the scale of the incident.

What are some of the most common causes of healthcare data breaches, and how can healthcare providers better address those vulnerabilities?

In our experience, the most common causes are unauthorized access to email accounts and ransomware attacks. While email security has improved by keeping PHI out of inboxes, ransomware remains prevalent, amplified by HHS guidance that presumes unauthorized access to encrypted PHI unless a low-risk-of-harm analysis can be demonstrated.

To help healthcare providers address these risks, OCR recently updated its Security Risk Assessment (SRA) Tool, a free resource designed for small and medium organizations. The SRA Tool guides users through identifying and assessing risks to PHI with multiple-choice questions, best practices, and references to improve cybersecurity.

Most ransomware incidents stem from unsecured remote access credentials and unpatched vulnerabilities in system hardware or software. To reduce these risks, providers should conduct regular risk analyses, implement multi-factor authentication for remote access (preferably through VPNs), establish a robust patch management program, and prioritize ongoing employee cybersecurity training.

Additionally, the HHS 405(d) Program provides free healthcare-specific cybersecurity training resources for small and medium-sized healthcare facilities. These programs, including the Knowledge On Demand Platform, are valuable tools for enhancing employee education and strengthening cybersecurity defenses.

What are some of the best practices that healthcare providers can adopt to avoid common HIPAA violations and minimize the risk of OCR enforcement?

Primarily, providers must conduct regular risk analyses to identify potential vulnerabilities in their organization’s systems, processes, and policies. They then must implement a risk management plan that addresses the gaps identified by the risk analysis—such as unpatched software, unsecured access points, and outdated policies.

Ongoing employee training is equally important. Regular training programs can help staff recognize phishing attempts, securely handle PHI and follow proper access and disposal procedures. OCR’s Security Risk Assessment (SRA) Tool and the HHS 405(d) Program offer valuable free resources to assist organizations—particularly small and medium-sized providers—in building strong compliance programs.

Finally, healthcare providers should carefully vet business associates by maintaining up-to-date Business Associate Agreements (BAAs) and monitoring their compliance with HIPAA.

What advice would you give to healthcare providers that must engage with OCR in an investigation after a HIPAA breach?

Providers should work with legal counsel whenever engaging with OCR after a data breach. To ensure the best outcome, our key pieces of advice are:

  • Prompt Notification: Report the breach to OCR as soon as possible. Timely notification can demonstrate your commitment to transparency and compliance.
  • Detailed Documentation: Prepare a comprehensive narrative of the incident and demonstrate the organization’s commitment to transparency and compliance. Be prepared to show your prior risk assessments and risk management plans, as well as your policies and procedures for protecting PHI.
  • Cooperate and Show Corrective Actions: If the organization has not done a risk assessment before, do one now and tell OCR about it. If the organization is missing certain policies, implement them now and show OCR. Cooperate with the investigation and demonstrate corrective actions to prevent future breaches. This might include updating security measures, revising policies, and providing additional training to staff.

How has the rise of telemedicine impacted HIPAA compliance? What additional security measures should providers consider?

While telemedicine allows practitioners to see and treat more patients, it also poses risks to PHI due to the expanded use of network assets and personal devices. OCR has provided guidance to help providers address these risks, which emphasize transparency and privacy. More information is available on the OCR website, but some key points are:

  • Use HIPAA-Compliant Platforms: Ensure telehealth tools have necessary security features like encryption.
  • Strong Authentication: Implement methods like multi-factor authentication.
  • Regular Audits: Conduct security audits and risk assessments regularly.
  • Employee Training: Provide ongoing HIPAA compliance training.
  • Patient Education: Educate patients on protecting their information.
  • Follow OCR Recommendations: Include automatic log-off, regular review of policies, scheduled deletion of mobile device files, and third-party security evaluations.

What are some other emerging risks to data security and privacy in the healthcare context, and how can healthcare providers prepare for them?

The emerging risk on the minds of most is how artificial intelligence could impact data security and privacy in healthcare. Providers should have policies in place that responsibly restrict the use of AI for providing care to meet HIPAA’s minimum necessary requirement.

Other concerns include the increased connectivity of devices that collect medical information, like wearable technology, and the continued targeting of healthcare infrastructure for cybercrime. Providers should conduct adequate security audits of business associates, stimulating competition within the market and ensuring robust security measures.

If you need to navigate the process of HIPAA compliance and OCR enforcement, having a knowledgeable and skilled team in your corner can make all the difference.

To learn more about FMG and other NetDiligence-authorized Breach Coach® law firms, visit this page for more information.

Related Blog Posts

Collective Strength: Facing Cyber Challenges with Diverse Perspectives

A Q&A with Buchanan Ingersoll & Rooney PC

As cybercriminals adopt new tactics, it is essential to have a team that reflects a variety of perspectives and backgrounds to create comprehensive and innovative security solutions.

Continue Reading

Avoiding HIPAA Violations and the Consequences of Non-Compliance

A Q&A with David Cole and Nicholas Jajko of Freeman Mathis & Gary LLP

The HHS administration is taking data security in healthcare very seriously with active enforcement, fines, and penalties. David Cole and Nicholas Jajko of Freeman Mathis & Gary LLP discuss how this impacts small and medium-sized businesses.

Continue Reading

Understanding the Cyber Intrusion Path to Strengthen Security

Adopting a New Cybersecurity Posture

Devon Ackerman, Global Head of Digital Forensics and Incident Response (DFIR) for Cybereason, compares the cyber intrusion path to a home break-in. This clarifies how organizations must change network security monitoring to strengthen cybersecurity.

Continue Reading
Visit Our Blog

Download 2024 Cyber Claims Study

The annual NetDiligence® Cyber Claims Study uses actual cyber insurance reported claims to illuminate the real costs of incidents from an insurer’s perspective.

Download
Solutions
About
Contact

P.O. Box 204
Gladwyne, PA 19035
610.896.9715

© 2025 NetDiligence All Rights Reserved.