In December 2023, OCR settled with Lafourche Medical Group, a Louisiana provider, for $480,000 after a phishing attack exposed ePHI and OCR's investigation found that the organization had never conducted the risk analysis the Security Rule requires, a fundamental obligation under federal privacy law. Healthcare organizations across the country watched that settlement and asked the same question: could this happen to us? The answer, based on OCR's enforcement trajectory, is a resounding yes.
Privacy law in healthcare is not a single statute. It is a layered framework built primarily on HIPAA — the Health Insurance Portability and Accountability Act — and its implementing regulations under 45 CFR Parts 160 and 164. Every covered entity and business associate operating in the United States must understand these rules, not as abstract legal theory, but as operational requirements that affect every department, every workflow, and every member of the workforce.
The Core Framework of Privacy Law Healthcare Organizations Must Follow
The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) establishes national standards for how protected health information (PHI) is used, disclosed, and safeguarded. It applies to covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically — as well as their business associates.
At its foundation, the Privacy Rule requires covered entities to limit uses and disclosures of PHI to the minimum necessary standard (45 CFR § 164.502(b)). This means your organization cannot use, disclose, or request more patient information than is reasonably needed to accomplish the intended purpose, and it must identify which workforce roles need which categories of PHI to do their jobs. The standard does not apply to disclosures to, or requests by, a healthcare provider for treatment, to disclosures to the individual, or to uses and disclosures required by law or made to HHS for compliance purposes. In my work with covered entities, I consistently find that this standard is misunderstood or ignored entirely at the operational level.
The Privacy Rule also mandates that every covered entity maintain and distribute a Notice of Privacy Practices (NPP), informing patients of their rights and your organization's obligations. Failure to provide this notice — or providing an outdated version — is one of the most common HIPAA violations OCR identifies during investigations.
Where the Security Rule and Breach Notification Rule Fit In
Privacy law in healthcare does not stop at the Privacy Rule. The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Central to Security Rule compliance is conducting a thorough risk analysis — something OCR has cited as the single most common deficiency in enforcement actions.
The Breach Notification Rule (45 CFR Part 164, Subpart D) requires organizations to notify affected individuals, HHS, and in some cases the media, when unsecured PHI is compromised. "Unsecured" means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance; properly encrypted data that is lost or stolen does not trigger notification, which is why encryption at rest is the single most valuable breach-notification control. Notice to individuals is due without unreasonable delay and no later than 60 calendar days after discovery. Since 2009, OCR has received reports of breaches affecting over 550 million individuals. Each of those breaches triggered legal obligations that many organizations were not prepared to meet.
The Omnibus Rule's Expansion of Accountability
The 2013 Omnibus Rule significantly expanded the reach of HIPAA by making business associates directly liable for compliance with the Security Rule and certain provisions of the Privacy Rule. If your organization shares PHI with vendors, consultants, IT providers, or billing companies, those relationships must be governed by a business associate agreement (BAA). Without a valid BAA, both parties are at risk of an OCR enforcement action.
OCR Enforcement Trends You Cannot Afford to Ignore
OCR has shifted its enforcement posture in recent years, supplementing complaint- and breach-report-driven investigations with targeted enforcement initiatives (the Right of Access Initiative, launched in 2019, is the clearest example) and larger settlements. In 2023 and 2024, OCR aggressively pursued cases involving patient right of access failures, inadequate risk analyses, ransomware and phishing incidents, and missing business associate agreements.
Penalty tiers under 45 CFR § 160.404 range from $141 per violation (for violations the entity did not know about and could not reasonably have known about) up to an annual cap of over $2.1 million for all violations of an identical provision in a calendar year. These figures are adjusted annually for inflation. The message is clear: noncompliance is expensive, and OCR is not slowing down.
Healthcare organizations consistently struggle with two areas: documenting their compliance efforts and keeping workforce members trained on current requirements. Both of these gaps become liabilities the moment OCR opens an investigation.
The Workforce Training Requirement Most Organizations Underestimate
Under 45 CFR § 164.530(b), every covered entity must train all members of its workforce on the policies and procedures related to PHI. That training must occur within a reasonable period after the person joins the organization and within a reasonable period after any material change to those policies, and the covered entity must document that the training was provided (§ 164.530(b)(2)(ii)). "Workforce" under HIPAA (§ 160.103) includes employees, volunteers, trainees, and anyone whose conduct in performing work for the organization is under its direct control, whether or not they are paid.
Yet many organizations treat HIPAA training as a one-time checkbox exercise during onboarding. That approach leaves your covered entity exposed. OCR expects evidence of ongoing, documented training that reflects your organization's specific privacy and security policies.
If your workforce training program is outdated or nonexistent, investing in a structured HIPAA training and certification program is one of the most effective steps you can take to reduce risk. Documented training demonstrates good faith compliance — a factor OCR considers when determining penalties.
Building a Defensible Privacy Law Healthcare Compliance Program
A compliance program that holds up under OCR scrutiny requires more than policies on a shelf. It requires action and documentation. Here are the elements your organization should prioritize:
- Conduct and document a risk analysis (45 CFR § 164.308(a)(1)(ii)(A)) that identifies threats to the confidentiality, integrity, and availability of ePHI, and act on it with a documented risk management plan. The rule does not fix an interval, but annual review, plus a fresh analysis after any significant change such as a new EHR, a cloud migration, or an acquisition, is the accepted baseline.
- Implement the minimum necessary standard across all roles and systems that access PHI.
- Execute business associate agreements with every vendor, subcontractor, or partner that handles PHI on your behalf.
- Distribute an updated Notice of Privacy Practices and make it available on your website and at the point of service.
- Train your entire workforce on HIPAA requirements with documented completion records.
- Establish a breach response plan with clear timelines for investigation, notification, and mitigation, keyed to the date of discovery (the first day the breach is known, or reasonably should have been known, to the organization) and the 60-calendar-day outer limit for individual notice.
Each of these elements must be documented and retained for a minimum of six years, as required by 45 CFR § 164.530(j). If you cannot prove you did it, OCR will treat it as if you did not.
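The "minimum necessary" item above is the one most often left as a policy statement with no enforcement behind it. The following is an added example, not code from the original article, showing one way a system can enforce it: a policy table that maps each (role, purpose) pair to the PHI fields it may see, a release function that returns only those fields, and an audit log that records every released and withheld field so the documentation trail OCR expects exists by construction. The roles, field names, and the sample record are constructed for illustration.

```python
"""Added example: role- and purpose-bound release of PHI fields with an
audit trail. The policy table, roles, fields and record are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: the fields each (role, purpose) pair may see.
# Anything not listed for that pair is withheld from the returned view.
POLICY = {
    ("scheduler", "scheduling"): frozenset(
        {"patient_id", "name", "phone", "next_appt"}),
    ("billing", "payment"): frozenset(
        {"patient_id", "name", "insurance_id", "procedure_codes"}),
    ("clinician", "treatment"): frozenset(
        {"patient_id", "name", "dob", "diagnoses", "medications",
         "allergies", "procedure_codes"}),
}


@dataclass(frozen=True)
class AuditEntry:
    """One access decision; retained with the 164.530(j) documentation."""
    when: str
    user: str
    role: str
    purpose: str
    patient_id: str
    released: tuple
    withheld: tuple
    decision: str  # "released" or "denied"


class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, entry):
        self.entries.append(entry)

    def denied_by_role(self):
        """Count denied requests per role; a quick signal that a role is
        being asked to do work its policy entry does not cover."""
        counts = {}
        for entry in self.entries:
            if entry.decision == "denied":
                counts[entry.role] = counts.get(entry.role, 0) + 1
        return counts


def release(record, user, role, purpose, audit):
    """Return the subset of `record` that POLICY allows for (role, purpose).

    Every call is logged, including denials, so the audit trail shows both
    what was released and what was withheld. A (role, purpose) pair with no
    policy entry is denied outright rather than defaulting to full access.
    """
    allowed = POLICY.get((role, purpose))
    now = datetime.now(timezone.utc).isoformat()
    patient_id = record.get("patient_id", "?")
    if allowed is None:
        audit.record(AuditEntry(now, user, role, purpose, patient_id,
                                (), tuple(sorted(record)), "denied"))
        raise PermissionError(
            f"no minimum-necessary policy for role={role!r} purpose={purpose!r}")
    view = {k: v for k, v in record.items() if k in allowed}
    audit.record(AuditEntry(now, user, role, purpose, patient_id,
                            tuple(sorted(view)),
                            tuple(sorted(set(record) - allowed)), "released"))
    return view


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1970-01-01",
    "phone": "555-0100",
    "next_appt": "2024-06-01",
    "insurance_id": "INS-123",
    "procedure_codes": ["99213"],
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
    "allergies": ["penicillin"],
}


if __name__ == "__main__":
    log = AuditLog()
    print(release(SAMPLE_RECORD, "sched01", "scheduler", "scheduling", log))
    print(release(SAMPLE_RECORD, "bill01", "billing", "payment", log))
    try:
        release(SAMPLE_RECORD, "bill01", "billing", "treatment", log)
    except PermissionError as exc:
        print("denied:", exc)
    print("denied by role:", log.denied_by_role())
```

The design choice worth copying is the default: an unmapped (role, purpose) pair is denied and logged, never silently granted the whole record. The same table is also the document you hand an investigator when asked how the organization decided which roles need which PHI.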
State Laws Add Another Layer of Complexity
HIPAA sets the federal floor for privacy law in healthcare, but it does not preempt state laws that provide greater protections (45 CFR § 160.203). States such as California (whose Confidentiality of Medical Information Act reaches further than HIPAA in several respects), Texas, New York, and Washington have enacted privacy statutes that impose additional obligations on healthcare organizations, including shorter breach-notification deadlines and broader definitions of protected data. Your compliance program must account for the most protective standard, whether federal or state, that applies to a given situation.
This layered regulatory environment makes it essential to have team members who understand both HIPAA and applicable state requirements. Comprehensive workforce HIPAA compliance programs give your staff the knowledge base to navigate these overlapping obligations confidently.
The Bottom Line for Your Organization
Privacy law in healthcare is not optional, and it is not static. OCR continues to raise the bar on enforcement, penalties are increasing, and patient expectations around data privacy have never been higher. The organizations that invest in understanding and operationalizing these requirements — through risk analysis, workforce training, and documented policies — are the ones that avoid the settlements, the corrective action plans, and the reputational damage that follow an OCR investigation.
Your compliance program is only as strong as its weakest link. Make sure every member of your workforce knows exactly what privacy law requires of them — and that you can prove it.