In February 2024, OCR announced a $4.75 million settlement with Montefiore Medical Center after a former employee stole the protected health information of over 12,000 patients. The root cause wasn't a sophisticated cyberattack — it was a failure to implement basic safeguards required under HIPAA compliance law. Specifically, the organization failed to analyze risks to ePHI and lacked sufficient audit controls. Cases like this reveal a persistent truth: most HIPAA violations stem not from ignorance of the law's existence but from underestimating the specificity of its requirements.

The Core Structure of HIPAA Compliance Law

HIPAA compliance law is not a single rule. It's a framework of interconnected regulations, each imposing distinct obligations on covered entities and business associates. Understanding how these pieces fit together is essential for any healthcare organization.

The Privacy Rule (45 CFR Part 164, Subpart E) governs who can access, use, and disclose protected health information (PHI). It establishes patient rights — including the right to access their own records, request amendments, and receive a Notice of Privacy Practices — and imposes the minimum necessary standard on how your workforce handles PHI.

The Security Rule (45 CFR Part 164, Subpart C) focuses exclusively on electronic PHI (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards. These aren't optional best practices. They're legal mandates, and OCR enforcement actions routinely cite failures in risk analysis, access controls, and encryption.

The Breach Notification Rule (45 CFR Part 164, Subpart D) dictates exactly how and when your organization must notify affected individuals, HHS, and — in breaches affecting 500 or more individuals — the media. Timelines are strict: notification must occur without unreasonable delay and no later than 60 days from discovery of the breach.

Who HIPAA Compliance Law Actually Applies To

One of the most common mistakes I encounter in my work with covered entities is the assumption that HIPAA only applies to hospitals and insurers. The law applies to three categories of covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically in connection with a covered transaction.

But HIPAA compliance law extends well beyond covered entities. The Omnibus Rule of 2013 made business associates — and their subcontractors — directly liable for compliance with certain provisions of the Privacy and Security Rules. If your organization shares PHI with an IT vendor, a billing company, or a cloud storage provider, that relationship must be governed by a compliant business associate agreement (BAA).

Without a BAA, your organization is already in violation — even if no breach has occurred.

The Risk Analysis Requirement OCR Targets Most Often

If there is one provision of HIPAA compliance law that OCR zeroes in on during investigations, it's the risk analysis requirement under 45 CFR § 164.308(a)(1). Between 2016 and 2024, the majority of OCR settlements have cited failure to conduct an accurate and thorough risk analysis as a contributing factor.

A proper risk analysis isn't a one-time checklist. It requires your organization to identify every location where ePHI is created, received, maintained, or transmitted — then evaluate threats and vulnerabilities for each. The output should drive your risk management plan, dictating which safeguards to implement, update, or reinforce.

Healthcare organizations consistently struggle with this because it demands cross-departmental collaboration: IT, compliance, clinical operations, and leadership must all be involved.

What a Compliant Risk Analysis Includes

  • A complete inventory of systems and devices that store or transmit ePHI
  • Identification of reasonably anticipated threats (both internal and external)
  • Assessment of current security measures and their effectiveness
  • Determination of the likelihood and impact of potential risks
  • Documentation of findings and a corresponding risk management plan

Workforce Training: The Obligation Most Organizations Underestimate

Under the Privacy Rule (45 CFR § 164.530(b)) and the Security Rule (45 CFR § 164.308(a)(5)), covered entities and business associates must train all workforce members on HIPAA policies and procedures. "Workforce" is defined broadly — it includes employees, volunteers, trainees, and any person under direct organizational control, whether or not they are paid.

Training cannot be generic. It must be tailored to each member's role and the PHI they access. A front-desk receptionist handling patient intake has different compliance obligations than a systems administrator managing your EHR infrastructure.

OCR has made clear in resolution agreements that insufficient training — or training that lacks documentation — is treated as a HIPAA violation. If you can't prove your workforce was trained, you effectively weren't compliant. Investing in structured HIPAA training and certification is one of the most cost-effective ways to close this gap and create an auditable compliance record.

Penalties Under HIPAA Compliance Law: The Four-Tier Structure

OCR enforces HIPAA through a tiered civil penalty structure, adjusted annually for inflation:

  • Tier 1: The entity did not know and, by exercising reasonable diligence, would not have known of the violation — $137 to $68,928 per violation
  • Tier 2: Reasonable cause, not willful neglect — $1,379 to $68,928 per violation
  • Tier 3: Willful neglect, corrected within 30 days — $13,785 to $68,928 per violation
  • Tier 4: Willful neglect, not corrected — $68,928 per violation, up to ~$2 million per calendar year for identical violations

Criminal penalties under 42 U.S.C. § 1320d-6 can reach up to $250,000 and 10 years of imprisonment for offenses committed with intent to sell or use PHI for personal gain. These are prosecuted by the Department of Justice, not OCR.

Building a Defensible HIPAA Compliance Program

HIPAA compliance isn't a destination; it's a continuous operational discipline. OCR doesn't expect perfection. It expects documented, good-faith efforts to identify risks, implement safeguards, train your workforce, and respond to incidents appropriately.

A defensible program includes these elements at minimum:

  • A current, documented risk analysis and risk management plan
  • Written HIPAA policies and procedures, reviewed and updated regularly
  • Business associate agreements with every vendor that touches PHI
  • Role-based workforce training with documented completion records
  • An incident response plan that aligns with Breach Notification Rule timelines
  • A designated Privacy Officer and Security Officer (can be the same person in smaller organizations)

If your organization hasn't audited these elements recently, the risk isn't theoretical — it's measurable. Platforms like HIPAA Certify help organizations implement workforce compliance programs that satisfy these requirements and produce the documentation OCR expects during investigations.

The Compliance Gap You Can't Afford to Ignore

Every OCR investigation begins the same way: with a request for documentation. Policies you meant to write, training you planned to schedule, risk analyses you intended to update — none of it counts if it isn't documented and current. The organizations that face the steepest penalties aren't always those with the worst breaches. They're the ones that can't demonstrate they tried.

HIPAA compliance law gives your organization a clear framework. The question is whether you're treating it as a regulatory afterthought or an operational priority.