In February 2024, OCR settled with a healthcare provider for $480,000 after investigators found the organization had failed to conduct a risk analysis, neglected workforce training, and lacked policies addressing the minimum necessary standard. The provider's defense? Leadership believed their EHR vendor handled compliance. That misunderstanding of HIPAA law cost them nearly half a million dollars and did irreparable damage to their reputation.

If your organization handles protected health information, understanding HIPAA law isn't optional. It's the regulatory foundation that governs every interaction your workforce has with patient data.

The Core Structure of HIPAA Law Most People Get Wrong

HIPAA — the Health Insurance Portability and Accountability Act of 1996 — is not a single rule. It's a framework of interrelated regulations that have evolved significantly since passage. The components that matter most for day-to-day compliance are codified in 45 CFR Parts 160 and 164.

Three rules form the operational backbone of HIPAA law:

  • The Privacy Rule (45 CFR Part 164, Subpart E): Establishes national standards for when and how PHI can be used and disclosed. It requires covered entities to issue a Notice of Privacy Practices, apply the minimum necessary standard to every disclosure, and honor patient rights to access and amend their records.
  • The Security Rule (45 CFR Part 164, Subpart C): Requires administrative, physical, and technical safeguards to protect electronic PHI. Risk analysis is the foundational requirement — and the one OCR cites most frequently in enforcement actions.
  • The Breach Notification Rule (45 CFR Part 164, Subpart D): Mandates that covered entities and business associates report breaches of unsecured PHI to affected individuals, HHS, and in some cases the media, within specific timeframes.

The 2013 Omnibus Rule expanded these obligations significantly, making business associates directly liable under HIPAA law for the first time. If your organization still treats BA compliance as a handshake agreement, you're exposed.

Who Must Comply with HIPAA Law — and Who Gets Overlooked

Every covered entity — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically — must comply. That much is widely understood.

What organizations consistently miss is the scope of business associate obligations. Under HIPAA law, any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity qualifies as a business associate. That includes your IT managed services provider, your cloud storage vendor, your billing company, and your shredding service.

Each of these relationships requires a Business Associate Agreement that specifies permitted uses and disclosures of protected health information, security obligations, and breach notification responsibilities. OCR has made clear through enforcement actions that a missing or inadequate BAA is itself a HIPAA violation.

The Risk Analysis Requirement That Triggers the Most Penalties

If there is one obligation under HIPAA law that generates more enforcement actions than any other, it's the risk analysis requirement under 45 CFR § 164.308(a)(1). OCR's own breach investigation data confirms this — the majority of resolution agreements and civil money penalties cite risk analysis failures.

A compliant risk analysis must be thorough, documented, and ongoing. It's not a one-time checklist. Your organization must identify every system that stores, processes, or transmits ePHI, evaluate threats and vulnerabilities, assess the likelihood and impact of each risk, and implement measures to reduce those risks to a reasonable level.

Healthcare organizations that treat risk analysis as an annual checkbox exercise are the ones that end up in OCR's crosshairs. The analysis must drive your security program — informing your policies, your technical controls, and your HIPAA training and certification priorities.

Workforce Training: The HIPAA Law Obligation with No Exceptions

Under 45 CFR § 164.530(b), every member of your workforce must receive training on your organization's HIPAA policies and procedures. This isn't limited to clinical staff. Front desk employees, IT personnel, billing teams, volunteers, and even interns fall under this requirement.

Training must occur within a reasonable period after a person joins your workforce and whenever functions are affected by a material change in policies. OCR does not prescribe a specific frequency, but annual training has become the industry standard — and anything less invites scrutiny during an investigation.

In my work with covered entities, the organizations that face the fewest incidents are those that invest in structured, role-based training. Generic slide decks don't create the behavioral change that prevents breaches. If your current program isn't producing measurable improvements, consider implementing workforce HIPAA compliance training through HIPAA Certify to close those gaps.

HIPAA Law Enforcement: What the Penalty Tiers Actually Mean

OCR enforces HIPAA law using a four-tier penalty structure adjusted annually for inflation:

  • Tier 1: Lack of knowledge — $137 to $68,928 per violation
  • Tier 2: Reasonable cause — $1,379 to $68,928 per violation
  • Tier 3: Willful neglect, corrected within 30 days — $13,785 to $68,928 per violation
  • Tier 4: Willful neglect, not corrected — $68,928 to $2,067,813 per violation

Annual caps apply to each tier, with the maximum reaching over $2 million per violation category per year. State attorneys general also have independent authority to enforce HIPAA law, adding another layer of liability.

Beyond financial penalties, OCR frequently imposes corrective action plans that require organizations to overhaul policies, implement new safeguards, and submit to monitoring for one to three years. These operational burdens often exceed the monetary penalty in total cost.

Five Steps to Strengthen Your HIPAA Law Compliance Today

Compliance isn't a destination — it's an operational discipline. These five actions address the areas where OCR finds the most deficiencies:

  • Conduct or update your risk analysis. Document every finding and your remediation plan. Date everything.
  • Audit your Business Associate Agreements. Confirm every vendor relationship involving PHI is covered by a current, Omnibus-compliant BAA.
  • Review your Notice of Privacy Practices. Ensure it reflects current uses and disclosures, including any changes related to telehealth or patient portal access.
  • Implement ongoing workforce training. Move beyond annual check-the-box sessions to role-specific education that addresses real scenarios your staff encounters.
  • Test your breach notification procedures. Run a tabletop exercise. Confirm your team knows the 60-day notification deadline and the steps to assess whether an incident qualifies as a reportable breach.

HIPAA law will continue to evolve — proposed rule changes around access rights, recognized security practices, and cybersecurity requirements signal that OCR expects more, not less, from covered entities and business associates. The organizations that treat compliance as a strategic priority rather than a regulatory nuisance are the ones that protect their patients, their workforce, and their bottom line.