In February 2023, Banner Health agreed to a $1.25 million settlement with the Office for Civil Rights after a 2016 breach exposed the protected health information of nearly 3 million individuals. The case hinged on failures that OCR sees repeatedly: insufficient risk analysis and inadequate monitoring. If you think HIPAA law cases are abstract regulatory footnotes, Banner Health's seven-year enforcement journey should change your mind.

These cases aren't just cautionary tales. They're the clearest roadmap your organization has for understanding what OCR actually enforces — and what mistakes trigger the largest penalties.

Landmark HIPAA Law Cases Every Covered Entity Should Study

OCR has resolved more than 130 cases resulting in settlements or civil money penalties since HIPAA enforcement began. A handful of these cases have fundamentally shaped how the Privacy Rule, Security Rule, and Breach Notification Rule are applied today.

Anthem, Inc. (2018) — $16 million. The largest HIPAA settlement in history stemmed from a cyberattack that compromised nearly 79 million records. OCR's investigation found Anthem failed to conduct an enterprise-wide risk analysis, lacked adequate procedures to regularly review information system activity, and failed to identify and respond to suspected security incidents. This case established that the size of a breach is only one factor — systemic Security Rule failures drive the penalty amount.

Premera Blue Cross (2020) — $6.85 million. Another massive breach, this time affecting over 10 million individuals. OCR found the covered entity had not conducted a sufficient risk analysis and had not implemented adequate minimum necessary controls. The case reinforced that a risk analysis is not a one-time checkbox — it's an ongoing obligation under 45 CFR § 164.308(a)(1).

MD Anderson Cancer Center (2018) — $4.3 million civil money penalty. MD Anderson fought the penalty administratively and lost. An Administrative Law Judge upheld OCR's finding that unencrypted devices containing PHI — a stolen laptop and two lost USB drives — demonstrated willful neglect of encryption and access controls. This is one of the few HIPAA law cases where the covered entity challenged OCR in a formal hearing and the penalty was sustained on appeal to the Departmental Appeals Board.

What These HIPAA Law Cases Reveal About OCR Priorities

If you read through enough enforcement actions, a clear pattern emerges. OCR does not pursue organizations simply because a breach occurred. It pursues organizations that failed to meet baseline Security Rule and Privacy Rule requirements before the breach happened.

Three compliance failures appear in nearly every major case:

  • Incomplete or absent risk analysis. This is cited in the overwhelming majority of HIPAA settlements. If your organization hasn't conducted or updated a thorough risk analysis in the past year, you are exposed.
  • Lack of workforce training. Under 45 CFR § 164.530(b), covered entities must train all workforce members on policies and procedures related to PHI. OCR treats absent or outdated training as evidence of organizational neglect. Investing in comprehensive HIPAA training and certification is one of the most cost-effective compliance steps available.
  • Failure to implement access controls and encryption. The MD Anderson case made this unmistakably clear. If PHI exists on portable devices without encryption, OCR considers that a known, addressable risk that your organization chose to ignore.

Small Organizations Are Not Immune From Enforcement

Healthcare organizations consistently assume that OCR only targets large health systems. The enforcement record says otherwise.

Adult & Pediatric Dermatology, P.C. (2013) — $150,000. A small practice settled with OCR after a stolen thumb drive containing PHI of approximately 2,200 individuals triggered an investigation. The practice had not conducted a risk analysis and had no HIPAA policies in place.

Hospice of North Idaho (2013) — $50,000. This settlement involved just 441 patient records exposed through a stolen laptop. But the hospice had never conducted a risk analysis — a fact that OCR viewed as a fundamental Security Rule violation regardless of the breach size.

These cases make a critical point: OCR's penalty framework under the HITECH Act, as modified by the Omnibus Rule, considers the nature and extent of the violation, not just the number of affected individuals. A small practice with no risk analysis faces the same regulatory standard as a nationwide health plan.

How the Right to Access Initiative Changed HIPAA Enforcement

Starting in 2019, OCR launched the Right to Access Initiative, producing a wave of HIPAA law cases focused on patients' rights under the Privacy Rule. As of 2024, OCR has resolved more than 45 cases under this initiative, with penalties ranging from $3,500 to $240,000.

The message is direct: when a patient requests their medical records, your covered entity must provide them in the form and format requested within 30 days (with a possible 30-day extension). Delays, excessive fees, or outright refusals now carry enforcement consequences that did not exist at this scale five years ago.

Your Notice of Privacy Practices must accurately describe patient access rights, and your workforce must understand how to process these requests without delay.

Compliance Steps That Would Have Prevented Most Enforcement Actions

A review of years of OCR settlements shows that the corrective action plans attached to these cases are strikingly similar. Nearly every resolution agreement requires the same remedial steps — steps your organization can implement proactively:

  • Conduct and document a comprehensive, enterprise-wide risk analysis annually.
  • Implement a risk management plan that addresses identified vulnerabilities with specific timelines.
  • Develop, maintain, and distribute written HIPAA policies and procedures.
  • Train every workforce member — including volunteers, trainees, and business associate staff with PHI access — on HIPAA requirements. A structured workforce HIPAA compliance program can standardize this across your organization.
  • Encrypt all devices and media that store or transmit protected health information.
  • Execute and monitor business associate agreements for every third party handling PHI on your behalf.

The Cost of Inaction vs. the Cost of Compliance

OCR's penalty tiers under 45 CFR § 160.404 range from $137 per violation for unknowing violations up to nearly $2.13 million per violation category per year for willful neglect left uncorrected (adjusted for inflation). Compare that to the cost of a risk analysis, workforce training, and encryption — the math is not close.

Every significant HIPAA law case in the enforcement record could have been mitigated or avoided entirely with the compliance fundamentals OCR has been emphasizing since the Security Rule took effect in 2005. The question is whether your organization will learn from these cases before becoming one.