In February 2024, OCR announced a $4.75 million settlement with a hospital system that failed to conduct an enterprise-wide risk analysis — a requirement that has existed since 2005. The organization had the policies on paper. It had a compliance officer on staff. What it lacked was the operational discipline to make HIPAA in health care a daily reality rather than an annual checkbox. This gap between documentation and practice is where the vast majority of enforcement actions originate.

Why HIPAA in Health Care Demands More Than Policy Binders

Healthcare organizations consistently treat HIPAA as a documentation exercise. They draft privacy policies, post a Notice of Privacy Practices in the lobby, and assume the work is done. OCR has made clear — through over $142 million in cumulative enforcement settlements — that compliance lives in execution, not paperwork.

HIPAA in health care governs how every covered entity and business associate handles protected health information (PHI). That includes hospitals, physician practices, dental offices, pharmacies, health plans, clearinghouses, and every vendor that touches patient data on their behalf. The regulatory framework spans three major rules: the Privacy Rule (45 CFR §164.500–534), the Security Rule (45 CFR §164.302–318), and the Breach Notification Rule (45 CFR §164.400–414).

Each rule creates distinct obligations. Treating them as interchangeable is one of the most common mistakes I see in my work with covered entities.

The Privacy Rule Obligations Your Staff Must Understand

The HIPAA Privacy Rule establishes patient rights over their health information and limits how your organization uses and discloses PHI. Two provisions cause more violations than any others: the minimum necessary standard and individual access rights.

The minimum necessary standard (45 CFR §164.514(d)) requires that your workforce access, use, or disclose only the PHI reasonably necessary to accomplish a specific task. A billing clerk doesn't need access to therapy notes. A front-desk employee doesn't need to view lab results. Role-based access restrictions aren't optional: the rule requires you to identify which workforce roles need which categories of PHI, and under what conditions, and to limit access accordingly. The role definitions and access control lists in your EHR and other ePHI systems are where that policy is actually enforced, so they need to match the roles you documented.

Patient access rights under 45 CFR §164.524 require your organization to provide individuals with copies of their medical records within 30 days of a request (one 30-day extension is permitted if you notify the individual in writing of the reason for the delay and the date you will respond). OCR launched its HIPAA Right of Access Initiative in 2019, and it has since resulted in over 45 enforcement actions, many against small practices that simply failed to respond to patient requests on time.

Notice of Privacy Practices: More Than a Formality

Your Notice of Privacy Practices must accurately describe how your organization uses and discloses PHI, outline patient rights, and identify your organization's legal duties. It must be provided to every patient at their first encounter. When your privacy practices change, the notice must be updated and redistributed. Many organizations are still operating with notices drafted before the 2013 Omnibus Rule — a compliance gap that's easy to fix and inexcusable to ignore.

Security Rule Requirements That Trip Up Health Care Organizations

The Security Rule applies specifically to electronic PHI (ePHI) and requires administrative, physical, and technical safeguards. The single most scrutinized requirement in OCR investigations is the risk analysis under 45 CFR §164.308(a)(1)(ii)(A).

A risk analysis is not a vulnerability scan. It's not a checklist from a vendor. It's a thorough, documented assessment of every reasonably anticipated threat to the confidentiality, integrity, and availability of ePHI across your entire organization. It must be updated regularly — not conducted once and filed away.

In my work with covered entities, I've found that organizations frequently confuse a security questionnaire with a genuine risk analysis. OCR's guidance is explicit: the analysis must identify specific threats, estimate their likelihood and impact, and document the security measures in place to address them. Failure to perform an adequate risk analysis has appeared in the majority of OCR resolution agreements over the past decade.

Technical Safeguards You Cannot Afford to Skip

  • Access controls: Unique user IDs and emergency access procedures for every system containing ePHI.
  • Audit controls: Mechanisms to record and examine activity in systems that store or process ePHI.
  • Transmission security: Encryption of ePHI transmitted over electronic networks. The Security Rule lists encryption as addressable, but addressable does not mean optional: under 45 CFR §164.306(d)(3) you must either implement it or document why it is not reasonable and appropriate in your environment and implement an equivalent alternative measure. OCR has repeatedly signaled that sending ePHI unencrypted with no such documented analysis is indefensible.
  • Integrity controls: Policies and procedures to ensure ePHI is not improperly altered or destroyed.
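To make the minimum necessary standard and the access and audit control items above concrete, here is an added example (it is not code from the original article or from HIPAA Certify) of a role-based access check over PHI categories with an emergency break-glass path and an audit trail a privacy officer can query for denied attempts, break-glass uses, and possible record snooping. The roles, PHI category names, users, and events are constructed sample data, and the class and function names are assumptions for illustration, not any real EHR's API.

```python
"""Added example (not from the original article): a minimum-necessary access
check over PHI categories, with an emergency (break-glass) path and an audit
trail a reviewer can query. All roles, categories, users and events here are
constructed sample data, not drawn from any real system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical default grants: which PHI categories each role needs for its job.
# Anything not listed is outside that role's minimum necessary.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "lab_results", "medications", "therapy_notes"},
    "nurse": {"demographics", "lab_results", "medications"},
    "billing_clerk": {"demographics", "billing"},
    "front_desk": {"demographics", "scheduling"},
}


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    category: str
    outcome: str  # "permit", "deny" or "break_glass"
    reason: str


@dataclass
class PhiAccessControl:
    # In production this would be an append-only store; a list is enough to show the logic.
    audit_log: list = field(default_factory=list)

    def check_access(self, user_id, role, patient_id, category,
                     emergency=False, reason=""):
        """Return True if the access is allowed. Every decision, allowed or not,
        is written to the audit log so the audit control has something to examine."""
        allowed = ROLE_PERMISSIONS.get(role, set())
        if category in allowed:
            outcome = "permit"
        elif emergency and reason.strip():
            # Emergency access procedure: grant outside the normal role grant,
            # but only with a stated reason, and flag the event for review.
            outcome = "break_glass"
        else:
            outcome = "deny"
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user_id, role=role, patient_id=patient_id,
            category=category, outcome=outcome, reason=reason.strip()))
        return outcome != "deny"

    def events_for_review(self):
        """Audit-control query: denied attempts and break-glass uses, which a
        privacy officer should actually look at rather than just store."""
        return [e for e in self.audit_log if e.outcome != "permit"]

    def users_over_patient_threshold(self, max_patients):
        """Flag users who touched more distinct patients than their role plausibly
        needs in the period covered by the log: a basic record-snooping signal."""
        seen = {}
        for e in self.audit_log:
            if e.outcome == "permit":
                seen.setdefault(e.user_id, set()).add(e.patient_id)
        return {u: len(p) for u, p in seen.items() if len(p) > max_patients}


def sample_run():
    """Constructed scenario: a billing clerk, a nurse in an emergency, and a
    front-desk user browsing many charts. Returns the decisions and the log."""
    ac = PhiAccessControl()
    results = [
        ac.check_access("clerk01", "billing_clerk", "pt-100", "billing"),
        ac.check_access("clerk01", "billing_clerk", "pt-100", "therapy_notes"),
        ac.check_access("nurse07", "nurse", "pt-100", "therapy_notes", emergency=True,
                        reason="patient unresponsive, prior psych history needed"),
        ac.check_access("nurse07", "nurse", "pt-101", "therapy_notes", emergency=True),
    ]
    for n in range(12):  # front desk opening 12 different charts' demographics
        ac.check_access("desk03", "front_desk", f"pt-{200 + n}", "demographics")
    return results, ac


if __name__ == "__main__":
    results, ac = sample_run()
    print("decisions:", results)
    for e in ac.events_for_review():
        print("REVIEW", e.outcome, e.user_id, e.role, e.category, e.reason or "(no reason)")
    print("possible snooping:", ac.users_over_patient_threshold(10))
```

Two design points matter more than the code itself. First, the emergency path still writes an audit record and still requires a reason; an emergency access procedure that bypasses logging defeats the audit control. Second, a log that nobody queries is not an audit control: the two review functions are stand-ins for the scheduled review your policies should already require, and the distinct-patient threshold should be tuned per role from your own access baselines rather than the constructed numbers used here.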

Business Associate Agreements: Your Liability Extends Beyond Your Walls

Every vendor, contractor, or service provider that creates, receives, maintains, or transmits PHI on your behalf is a business associate. Under the Omnibus Rule of 2013, business associates are directly liable for HIPAA violations — but that doesn't absolve your covered entity of responsibility.

You must have a signed business associate agreement (BAA) in place before any PHI is shared. The BAA must specify permitted uses and disclosures, require the associate to implement appropriate safeguards, and mandate breach notification. If a business associate suffers a data breach due to negligent security practices, your organization will face scrutiny for its vendor management process.

OCR has investigated covered entities that failed to execute BAAs with cloud storage providers, IT support companies, and even shredding services. If a vendor creates, receives, maintains, or transmits PHI on your behalf, a BAA is required. The only narrow carve-out is the conduit exception for services that merely transport PHI without routine access to it, such as the postal service or an internet service provider; a cloud provider that stores your ePHI does not qualify, even if the data is encrypted and the provider never holds the key.

The Workforce Training Requirement Most Organizations Underestimate

Under 45 CFR §164.530(b), every member of your workforce must receive training on your HIPAA policies and procedures. This includes employees, volunteers, trainees, and anyone under your organization's direct control — regardless of whether they are paid.

Training cannot be generic. It must be specific to the functions each workforce member performs and must address the policies and procedures relevant to their role. New workforce members must be trained within a reasonable period after joining your organization, and retraining is required whenever material changes occur.

Organizations that rely on a single annual slide deck are not meeting this standard. Effective HIPAA training and certification programs incorporate role-specific scenarios, assessments that verify comprehension, and documentation that demonstrates ongoing compliance to OCR investigators.

Building a Culture of HIPAA Compliance in Your Health Care Organization

Sustainable compliance requires more than annual training and a stack of policies. It requires leadership commitment, ongoing risk management, and a workforce that understands why HIPAA in health care exists — to protect patients and the organizations that serve them.

Start with a current, thorough risk analysis. Verify that every business associate agreement is executed and up to date. Audit access logs regularly. Ensure your Notice of Privacy Practices reflects current operations. And invest in workforce education that goes beyond the minimum.

If your organization is ready to move beyond checkbox compliance, HIPAA Certify's workforce compliance platform provides the structured training, documentation, and certification your covered entity needs to withstand OCR scrutiny. The cost of a HIPAA violation, which can reach $2,067,813 for all violations of an identical provision in a calendar year under the 2023 inflation-adjusted penalty tiers (HHS adjusts these caps annually, so verify the current figure), makes proactive compliance the only rational strategy.

Every patient interaction generates PHI. Every workforce member is a potential point of failure or a point of strength. The organizations that treat HIPAA in health care as an operational discipline — not an administrative burden — are the ones that protect their patients, their reputation, and their financial viability.