In February 2024, OCR announced a $4.75 million settlement with a hospital system that had failed to conduct an enterprise-wide risk analysis for over six years. The organization knew it had gaps. Leadership had even budgeted for improvements. But year after year, other priorities won out — until a breach affecting over 100,000 patients forced OCR's hand. This is the pattern I see repeatedly: organizations that understand their HIPAA risks in theory but fail to act on them in practice.

The HIPAA Risks OCR Investigates Most Aggressively

OCR's enforcement data tells a clear story. Since 2019, the top findings in settled cases have been remarkably consistent: failure to perform a thorough risk analysis, insufficient access controls, and lack of workforce training on PHI handling. These aren't exotic vulnerabilities. They're foundational compliance obligations that covered entities and business associates routinely neglect.

The Security Rule at 45 CFR § 164.308(a)(1)(ii)(A) requires your organization to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information it holds. This isn't a one-time exercise: § 164.306(e) requires security measures to be reviewed and modified as the environment changes, and § 164.316(b) requires the assessment and the decisions that follow from it to be documented and retained for six years. OCR has made abundantly clear through its enforcement actions that a risk analysis sitting in a drawer from 2018 doesn't satisfy the requirement, and neither does a checklist-style gap assessment that never inventories where ePHI actually lives.

Your organization also faces significant HIPAA risk from improper disclosures of protected health information. The minimum necessary standard at 45 CFR § 164.502(b) requires your workforce to limit uses, disclosures, and requests of PHI to what is needed for a specific purpose, and § 164.514(d) requires you to define, by role, which workforce members need which PHI and to restrict access accordingly. In my work with covered entities, I find this is one of the most frequently misunderstood provisions: staff often assume that being part of the care team grants blanket access to any patient record. The treatment exception covers disclosures to, and requests by, a provider who is treating the patient; it does not license a clinician to open the chart of a patient they are not treating.

Workforce Behavior: The HIPAA Risk You Can Actually Control

Technology failures make headlines, but human error drives the majority of HIPAA breaches. According to the Verizon 2024 Data Breach Investigations Report, the healthcare sector continues to see miscellaneous errors and privilege misuse as leading breach causes. Snooping in medical records, sending PHI to the wrong recipient, and falling for phishing emails are everyday HIPAA risks that no firewall can prevent.

The Privacy Rule at 45 CFR § 164.530(b) requires that your covered entity train all members of the workforce on the policies and procedures that govern PHI, within a reasonable period after a person joins the workforce and again whenever a material change affects their functions. The Security Rule adds its own requirement at § 164.308(a)(5): a security awareness and training program for the entire workforce, with periodic security reminders and coverage of malicious software, log-in monitoring, and password management. Yet many organizations treat workforce training as a checkbox exercise completed once during orientation and never revisited.

Effective training programs address the specific risks your workforce encounters daily. A billing clerk faces different HIPAA risks than a nurse or an IT administrator. Tailored, role-based education is what moves the needle. If your current approach is a single generic video for all staff, consider enrolling your team in a comprehensive HIPAA training and certification program that covers real scenarios relevant to each role in your organization.

Business Associate Agreements: A Risk Multiplier

Every business associate relationship your organization maintains is a potential vector for HIPAA violations. The Omnibus Rule expanded business associate liability significantly, yet I still encounter covered entities that haven't updated their BAAs since before 2013 — or worse, that have vendors handling PHI with no agreement in place at all.

Your responsibility doesn't end at signing a BAA. Under 45 CFR § 164.504(e)(1)(ii), if you know of a pattern of activity or practice by a business associate that amounts to a material breach of the agreement, you must take reasonable steps to cure it and, if that fails, terminate the agreement where feasible. If your cloud storage vendor suffers a breach and you had no idea where your ePHI was stored or how it was protected, OCR will view that as a failure on your part as well. Identifying and managing these third-party risks, including where each vendor stores and processes your ePHI, should be a core component of your annual risk analysis.

Five Specific Steps to Reduce Your Organization's HIPAA Risks

  • Conduct a current, enterprise-wide risk analysis. Document every system that creates, receives, maintains, or transmits ePHI. Map the threats, assess the likelihood and impact, and assign remediation owners with deadlines.
  • Implement a risk management plan. The risk analysis is only step one. 45 CFR § 164.308(a)(1)(ii)(B) requires you to implement security measures sufficient to reduce risks to a reasonable and appropriate level. Track remediation progress quarterly.
  • Audit your business associate inventory. Confirm that every vendor with PHI access has a current, Omnibus-compliant BAA. Terminate agreements with associates who refuse to cooperate on security requirements.
  • Update your Notice of Privacy Practices. 45 CFR § 164.520 requires the NPP to be revised promptly whenever a material change is made to your privacy practices; reviewing it at least annually against new uses of PHI, new technology, and regulatory changes keeps you ahead of that requirement. Patients have the right to understand how their information is used and protected.
  • Invest in ongoing workforce training. Annual refresher training, phishing simulations, and incident response drills build a culture of compliance. Organizations that treat training as an afterthought consistently appear in OCR's enforcement results.

The Cost of Ignoring HIPAA Risks in 2024

OCR's civil monetary penalty tiers under the HITECH Act, using the inflation-adjusted figures in effect when this was written, range from $137 to $68,928 per violation, with a calendar-year cap of $2,067,813 for violations of an identical provision; HHS adjusts these amounts annually, so confirm the current figures before briefing leadership. But the financial damage extends far beyond federal fines. Breach notification costs, legal fees, reputational harm, and lost patient trust compound quickly. The IBM and Ponemon Institute 2023 Cost of a Data Breach Report found that healthcare data breaches cost an average of $10.93 million per incident, the highest of any industry for the thirteenth consecutive year.

State attorneys general also have enforcement authority under HITECH and are increasingly exercising it. In 2023 alone, multiple states pursued independent actions against healthcare organizations for HIPAA-related failures. Your organization's risk exposure isn't limited to a single federal regulator.

Building a Compliance Program That Addresses Real HIPAA Risks

Compliance isn't a project with a finish line. It's an operational discipline that requires sustained leadership commitment, adequate resources, and a workforce that understands its role in protecting PHI. The organizations I've seen succeed treat their risk analysis as a living document, conduct tabletop exercises for breach scenarios, and empower their privacy officers with direct access to senior leadership.

If your organization hasn't assessed its HIPAA risks within the past twelve months — or if your last assessment was conducted informally without proper documentation — you're operating with a level of exposure that OCR's current enforcement priorities are designed to target.

Start by benchmarking your current compliance posture. Ensure every member of your workforce has completed up-to-date training through a trusted resource like HIPAA Certify's workforce compliance platform. Then build your risk management plan around the specific threats your organization faces — not a generic template. That's how you turn awareness of HIPAA risks into actual protection for your patients and your organization.