In February 2024, OCR announced a $4.75 million settlement with Montefiore Medical Center after a former employee stole the protected health information of over 12,000 patients. The root cause wasn't sophisticated hacking — it was the organization's failure to meet a foundational HIPAA requirement: conducting a thorough risk analysis and implementing adequate access controls. This case is a textbook example of how overlooking even one compliance obligation can lead to massive financial and reputational damage.

Healthcare organizations consistently struggle not with understanding that HIPAA exists, but with grasping the full scope of what it demands. The regulation isn't a single rule — it's a framework of interlocking requirements that apply to every covered entity, every business associate, and every member of your workforce who touches PHI.

The Core HIPAA Requirement Categories You Must Address

HIPAA is structured around several key rules, each containing specific mandates. At a high level, your organization must comply with the Privacy Rule (45 CFR Part 164, Subpart E), the Security Rule (45 CFR Part 164, Subpart C), and the Breach Notification Rule (45 CFR Part 164, Subpart D). The 2013 Omnibus Rule expanded these obligations significantly, particularly for business associates.

Each rule contains dozens of individual standards and implementation specifications. Treating any single HIPAA requirement as optional because it seems "addressable" rather than "required" is a dangerous misreading of the regulation — OCR has penalized organizations for exactly this mistake.

Privacy Rule: Controlling How PHI Is Used and Disclosed

The Privacy Rule establishes your obligation to safeguard protected health information in all forms — electronic, paper, and oral. It requires your covered entity to implement policies that limit the use and disclosure of PHI to the minimum necessary standard. This means your staff should access only the specific patient information needed to perform their job function, and nothing more.

You must also provide every patient with a Notice of Privacy Practices that clearly explains how their information may be used, their rights regarding that information, and how to file a complaint. OCR routinely investigates organizations that fail to distribute or update this notice.

Additionally, the Privacy Rule requires you to designate a Privacy Officer, document all privacy policies, and establish a process for patients to request access to their records. Under the HIPAA Right of Access initiative, OCR has settled over 45 cases since 2019 specifically targeting organizations that failed to provide timely patient access — with penalties ranging from $3,500 to $240,000.

Security Rule: Safeguarding Electronic PHI

If your organization creates, receives, maintains, or transmits electronic protected health information (ePHI), the Security Rule applies to you. This HIPAA requirement is built on three categories of safeguards: administrative, physical, and technical.

Administrative safeguards include conducting a comprehensive risk analysis, implementing a risk management plan, and establishing workforce training programs. In my work with covered entities, the risk analysis is the single most cited deficiency in OCR enforcement actions. It is not a one-time checkbox — it must be an ongoing, documented process.

Physical safeguards address facility access controls, workstation security, and device disposal. Technical safeguards require access controls, audit controls, integrity controls, and transmission security for ePHI. Each specification must be evaluated, and if an addressable specification isn't implemented, your organization must document why and what alternative measure was adopted instead.

Breach Notification: The HIPAA Requirement with Hard Deadlines

When a breach of unsecured PHI occurs, the Breach Notification Rule imposes strict timelines. You must notify affected individuals within 60 days of discovering the breach. If the breach affects 500 or more individuals, you must also notify OCR and prominent media outlets in the affected jurisdiction within that same 60-day window.

Breaches affecting fewer than 500 individuals must be reported to OCR annually, no later than 60 days after the end of the calendar year in which they were discovered. Failing to meet these deadlines is itself a HIPAA violation, compounding the penalties your organization faces.

Business Associate Obligations After the Omnibus Rule

Since the Omnibus Rule took effect in 2013, business associates are directly liable for compliance with applicable HIPAA requirements. Every vendor, contractor, or third party that accesses PHI on your behalf must sign a Business Associate Agreement (BAA) that specifies permitted uses, required safeguards, and breach reporting obligations.

OCR has made clear that a covered entity cannot outsource its compliance responsibility. If your business associate suffers a breach because of inadequate security, your organization may also face investigation. Maintaining an up-to-date inventory of all business associate relationships — and verifying their compliance — is a non-negotiable part of your program.

The Workforce Training Requirement Most Organizations Underestimate

Under both the Privacy Rule and Security Rule, every member of your workforce must receive training on HIPAA policies and procedures relevant to their role. This includes employees, volunteers, trainees, and any person under your direct control — whether or not they are paid. Training must occur at onboarding and be reinforced periodically, especially when policies change.

OCR does not prescribe a specific curriculum, but it does expect documentation that training occurred and that it was tailored to your organization's operations. A generic slide deck reviewed once a year is unlikely to satisfy an investigator. Investing in structured HIPAA training and certification ensures your workforce receives comprehensive, current education that holds up under scrutiny.

Building a Compliance Program That Covers Every HIPAA Requirement

Compliance is not achieved through a single policy binder or an annual meeting. It requires an integrated program that addresses risk analysis, workforce training, policy documentation, breach response planning, and ongoing monitoring. Each HIPAA requirement reinforces the others — gaps in one area inevitably create vulnerabilities elsewhere.

Start by completing a current, thorough risk analysis. Map every system that touches ePHI. Review and update your Notice of Privacy Practices. Audit your business associate agreements. And critically, ensure every person in your organization who interacts with PHI understands their obligations.

Platforms like HIPAA Certify provide a streamlined way to deliver workforce HIPAA compliance training, track completion, and maintain the documentation OCR expects to see during an investigation. When the next enforcement action hits the news, you want to be able to say with confidence that every requirement is covered.