A Single Misconfigured Server Cost NewYork-Presbyterian and Columbia $4.8 Million
In 2014, NewYork-Presbyterian Hospital and Columbia University paid a combined $4.8 million to settle OCR's investigation after a Columbia physician tried to deactivate a personally owned server on the shared network. Nothing stopped him, and the ePHI of roughly 6,800 NYP patients ended up reachable from public search engines. The server itself wasn't the real problem. OCR found that neither entity had performed an accurate and thorough risk analysis, and NYP could not show it had implemented policies for authorizing access to its databases. In other words, the organizations couldn't demonstrate they had systematically followed HIPAA rules around safeguards.
I've reviewed compliance programs at over a hundred covered entities. The pattern is always the same. Organizations think they understand HIPAA rules because they've assigned someone a "privacy officer" title and bought an off-the-shelf policy binder. Then OCR comes knocking, and everything unravels.
This post walks through the specific HIPAA rules that actually trigger enforcement — not the theoretical framework you've read a dozen times, but the operational requirements that matter when HHS investigators are sitting in your conference room.
The Three HIPAA Rules That Form Your Compliance Backbone
The Privacy Rule: Who Can See What
The HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) governs how covered entities and business associates use and disclose protected health information. It establishes the "minimum necessary" standard: your staff should only access the PHI they need to do their jobs, nothing more. The standard has exceptions, most importantly disclosures to or requests by a provider for treatment, but it governs routine workforce access, which is where enforcement focuses.
In my experience, this is where most violations start. A curious employee looks up a neighbor's medical record. A front-desk worker shares a patient's diagnosis with a family member who calls in. These aren't sophisticated cyberattacks. They're everyday lapses that happen when your workforce doesn't understand the boundaries.
The Security Rule: How You Lock It Down
The HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) focuses specifically on electronic PHI. It requires three categories of safeguards: administrative, physical, and technical. You need risk analyses, access controls, audit logs, encryption policies, and contingency plans. Note that encryption of ePHI is an "addressable" implementation specification, not an optional one: you either implement it or document why it is not reasonable and appropriate and what equivalent measure you put in place instead.
Here's what I see constantly: organizations that completed a risk analysis in 2019 and never updated it. OCR doesn't accept stale assessments. Your risk analysis must be a living document that reflects current threats — including the use of AI tools that interact with PHI, which is a growing area of scrutiny in 2026.
The Breach Notification Rule: When Things Go Sideways
When a breach of unsecured PHI occurs, the Breach Notification Rule (45 CFR §§ 164.400-414) dictates exactly what you must do. Individual notification without unreasonable delay and in no case later than 60 calendar days after discovery. HHS notification at the same time as individual notice when 500 or more individuals are affected; smaller breaches go into a log submitted within 60 days after the end of the calendar year in which they were discovered. Media notification when more than 500 residents of a single state or jurisdiction are affected. "Unsecured" means the PHI was not encrypted or destroyed to the standard in HHS guidance, which is why properly encrypted data that is lost or stolen does not trigger these clocks.
I've watched organizations delay breach reporting because they "weren't sure" it qualified. That hesitation becomes its own violation. The rule leaves little room for doubt: an impermissible use or disclosure is presumed to be a breach unless you complete and document a risk assessment showing a low probability that the PHI was compromised (45 CFR § 164.402). If you can't produce that assessment, report.
What Exactly Do HIPAA Rules Require? A Quick-Reference Answer
HIPAA rules require covered entities and business associates to:
- Protect the privacy of individually identifiable health information (PHI)
- Implement administrative, physical, and technical safeguards for ePHI
- Conduct regular risk analyses and manage identified risks
- Train all workforce members on HIPAA policies and procedures
- Execute Business Associate Agreements with all vendors handling PHI
- Notify individuals, HHS, and (when applicable) the media of PHI breaches
- Appoint a Privacy Officer and Security Officer
- Maintain documentation of compliance efforts for at least six years
That last point — documentation — is the one I hammer home with every client. If you can't prove you did it, OCR assumes you didn't.
The $6.85 Million Lesson in Skipping Your Risk Analysis
In 2018, OCR settled with Filefax, Inc. for $100,000 after the company left medical records in an unlocked vehicle that was accessible to unauthorized individuals. Small penalty, small entity. But the larger cautionary tale came from Premera Blue Cross, which paid $6.85 million in 2020 after a breach affecting over 10.4 million people. OCR's investigation found systemic noncompliance with the Security Rule, including failure to conduct an adequate risk analysis.
These aren't outliers. The HHS enforcement actions page reads like a catalog of preventable failures. Risk analysis failures appear in nearly every single resolution agreement.
Your organization cannot comply with HIPAA rules without a current, thorough risk analysis. Period.
Workforce Training: The Requirement Everyone Underestimates
Section 164.530(b) of the Privacy Rule and Section 164.308(a)(5) of the Security Rule both mandate workforce training. Not optional. Not "nice to have." Required. The Security Rule provision also spells out what the awareness program should cover: periodic security reminders, protection from malicious software, log-in monitoring, and password management.
Yet I routinely find organizations that train employees once at onboarding and never again. Or they use a generic 20-minute video from 2017 and call it compliant. OCR looks for evidence of ongoing, role-specific training that addresses real threats your workforce faces today.
If your team handles pharmacy operations, they need training tailored to their workflow — something like HIPAA & HITECH training built for pharmacy professionals. If your organization operates in Texas, state law adds additional requirements through HB 300 that go beyond federal HIPAA rules, and your staff needs dedicated Texas Medical Records Privacy Act training to stay compliant.
Generic training creates generic compliance. And generic compliance collapses under investigation.
Business Associate Agreements: Your Biggest Blind Spot
Every covered entity knows they need Business Associate Agreements. Few actually audit them. I've walked into organizations with 40 vendors handling PHI and only 12 signed BAAs on file.
The HIPAA rules at 45 CFR §§ 164.502(e) and 164.504(e) (Privacy) and §§ 164.308(b) and 164.314(a) (Security) require a covered entity to obtain satisfactory assurances, in a written BAA, before a business associate creates, receives, maintains, or transmits PHI on its behalf. Since the 2013 Omnibus Rule, business associates are directly liable for their own compliance, but that doesn't shift your obligation: when your cloud vendor has a breach, OCR will ask you for the BAA first.
Build a vendor inventory. Audit it quarterly. Make someone accountable for tracking every single entity that touches your patients' data.
How OCR Actually Investigates HIPAA Rules Violations
Here's what most people don't realize: OCR doesn't just show up after a breach. They receive roughly 30,000 complaints per year. They also conduct compliance reviews independent of any complaint. And their investigation process is methodical.
First, they request documentation. Policies, training records, risk analyses, BAAs, incident response logs. If your documentation is incomplete, you've already lost ground.
Then they interview staff. Not just the privacy officer — frontline workers. They want to know if your receptionist can explain what PHI means and what they'd do if they received a suspicious email.
Finally, they assess whether your organization took "reasonable and appropriate" measures. That standard matters. HIPAA rules don't require perfection. They require diligence, documentation, and good faith effort to protect patient information.
The 2026 Landscape: What's Changed and What Hasn't
The fundamentals of HIPAA rules haven't shifted. Privacy, security, and breach notification remain the pillars. But the threat landscape has evolved dramatically.
Ransomware attacks against healthcare entities have surged. HHS also now considers "recognized security practices" during investigations, a provision added to the HITECH Act by Public Law 116-321, signed in January 2021. If you can show that practices such as the NIST Cybersecurity Framework or the 405(d) Health Industry Cybersecurity Practices were in place for at least the prior 12 months, OCR may mitigate fines, end an audit early, or soften the remedies in a settlement. The key word is "show": the practices count only if you can document them.
AI tools present a new frontier. When your clinicians use AI-powered dictation or diagnostic tools, PHI flows through systems that may not be covered by your existing BAAs or security controls. The test is simple: if the tool stores, processes, or transmits PHI on your behalf, its vendor is a business associate and the tool belongs in your risk analysis. This is an area where I'm seeing compliance gaps widen fast.
Five Things to Do This Week
Stop reading compliance articles passively. Take action:
- Pull your risk analysis. If it's more than 12 months old, schedule an update immediately.
- Audit your BAA inventory. Cross-reference every vendor that touches PHI against your signed agreements.
- Check your training records. Can you prove every workforce member received HIPAA training in the last 12 months?
- Review your breach response plan. Run a tabletop exercise. Time how long it takes your team to identify the reporting obligations.
- Inventory your AI tools. Any tool processing ePHI needs a risk assessment and a BAA. No exceptions.
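Items one through three of this checklist, and the breach-notification clocks described earlier, are easy to get wrong by hand once you have dozens of vendors and hundreds of workforce members. The following is an added example, not code from the original post, that turns them into repeatable checks. All vendor names, employee IDs, and dates are constructed sample data; the 12-month "stale" window is the post's rule of thumb rather than a regulatory deadline, while the notification dates follow 45 CFR §§ 164.404, 164.406 and 164.408.

```python
"""Compliance self-checks for the weekly checklist and breach-notification clocks.

Added example, not code from the original post. Every vendor, employee and
date below is constructed sample data. Deadlines follow 45 CFR 164.404
(individual notice no later than 60 calendar days after discovery),
164.406 (media notice when more than 500 residents of one state or
jurisdiction are affected) and 164.408 (HHS notice with the individual
notice when 500 or more individuals are affected, otherwise an annual log
due within 60 days after the end of the calendar year of discovery).
"""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=365)  # the post's 12-month rule of thumb (assumption)


def stale_records(last_completed, as_of, window=STALE_AFTER):
    """Names whose most recent completion date is older than `window`.

    Works for any dated evidence: risk analyses, per-person training
    completions, BAA review dates.
    """
    return sorted(name for name, done in last_completed.items() if as_of - done > window)


def vendors_without_baa(vendor_inventory, baa_register):
    """Vendors that touch PHI but have no signed BAA on file.

    Matching ignores case and surrounding whitespace because inventories and
    contract registers are rarely keyed the same way.
    """
    signed = {v.strip().casefold() for v in baa_register}
    return sorted(v for v in vendor_inventory if v.strip().casefold() not in signed)


def breach_deadlines(discovered, affected_by_state):
    """Notification clocks that start on the discovery date.

    `discovered` is the first day the breach was known, or by reasonable
    diligence would have been known (45 CFR 164.404(a)(2)). `affected_by_state`
    maps a state or jurisdiction code to the number of its residents affected.
    """
    total = sum(affected_by_state.values())
    individual_by = discovered + timedelta(days=60)  # outer limit, not a target
    if total >= 500:
        hhs_by = individual_by  # HHS is notified contemporaneously with individuals
    else:
        year_end = date(discovered.year, 12, 31)
        hhs_by = year_end + timedelta(days=60)  # annual log for breaches under 500
    media = sorted(state for state, n in affected_by_state.items() if n > 500)
    return {"total": total, "individual_by": individual_by, "hhs_by": hhs_by, "media": media}


def run_checklist(as_of, risk_analyses, training_log, vendor_inventory, baa_register):
    """Items 1 to 3 of the weekly checklist as one report."""
    return {
        "stale_risk_analyses": stale_records(risk_analyses, as_of),
        "untrained_workforce": stale_records(training_log, as_of),
        "vendors_without_baa": vendors_without_baa(vendor_inventory, baa_register),
    }


# Constructed sample data; every name and date here is hypothetical.
SAMPLE_AS_OF = date(2026, 6, 1)
SAMPLE_DISCOVERED = date(2026, 3, 10)
SAMPLE_RISK_ANALYSES = {
    "Enterprise risk analysis": date(2019, 4, 15),      # never updated: stale
    "Cloud imaging risk analysis": date(2026, 1, 20),   # current
}
SAMPLE_TRAINING_LOG = {"front-desk-1": date(2025, 2, 3), "rn-12": date(2026, 3, 9)}
SAMPLE_VENDORS = ["Acme Cloud Imaging", "Northwind Billing", "ScribeAI Dictation"]
SAMPLE_BAAS = ["acme cloud imaging ", "Northwind Billing"]  # no BAA for the AI tool

if __name__ == "__main__":
    print(run_checklist(SAMPLE_AS_OF, SAMPLE_RISK_ANALYSES, SAMPLE_TRAINING_LOG,
                        SAMPLE_VENDORS, SAMPLE_BAAS))
    print(breach_deadlines(SAMPLE_DISCOVERED, {"TX": 620, "NY": 120}))  # large breach
    print(breach_deadlines(SAMPLE_DISCOVERED, {"TX": 40}))              # under 500
```

Run as-is to see the three gaps in the sample data (a 2019 risk analysis, one untrained receptionist, and an AI dictation vendor with no BAA) and the two deadline sets: the 740-person breach must notify individuals and HHS by the same date and trigger media notice in Texas, while the 40-person breach still owes individual notice within 60 days but goes to HHS in the annual log.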
HIPAA rules aren't ambiguous. They're just demanding. The organizations that get into trouble aren't usually the ones who've never heard of HIPAA — they're the ones who thought a policy binder on a shelf was enough.
It never is.