In February 2023, OCR announced a $1.25 million settlement with Banner Health after a 2016 breach affecting 2.81 million individuals exposed failures in risk analysis, system activity monitoring, and access controls. It was one of dozens of recent HIPAA violation cases that reveal a consistent pattern: organizations are not penalized for isolated mistakes; they are penalized for systemic compliance failures they should have caught years earlier.

If your organization treats HIPAA as a checkbox exercise, these enforcement actions should change your mind. Let's break down what real cases teach us about where covered entities and business associates are failing — and how to avoid their fate.

What OCR Looks for in HIPAA Violation Cases

OCR does not investigate every complaint. When it does open an investigation, its investigators follow a well-established playbook rooted in 45 CFR Parts 160 and 164. They look for evidence that a compliance program actually exists (documented risk analysis, written policies, training records, incident handling) or for the absence of it.

In my work with covered entities, I've seen three factors that consistently escalate an OCR investigation into a monetary penalty:

  • No documented risk analysis, required under the Security Rule at §164.308(a)(1)(ii)(A), or a risk analysis that has not been updated in years or that covers only part of the enterprise.
  • No evidence of workforce training: the Privacy Rule at §164.530(b) requires training for every member of the workforce, and the Security Rule at §164.308(a)(5) separately requires security awareness training, yet many organizations cannot produce training records when OCR asks.
  • Delayed or missing breach notifications: the Breach Notification Rule at §164.404 requires notifying affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered. The 60 days is an outer limit, not a target. Late notifications have fueled multiple enforcement actions.

These aren't obscure technicalities. They're the baseline requirements OCR expects every organization to meet.

Five Recent Enforcement Actions Every Compliance Officer Should Study

Let's walk through specific HIPAA violation cases that illustrate where organizations went wrong.

1. Banner Health — $1.25 Million (2023)

A 2016 cyberattack compromised payment card data and PHI for 2.81 million individuals. OCR's investigation found Banner Health failed to conduct an enterprise-wide risk analysis and failed to implement sufficient monitoring of health information systems. The corrective action plan required two years of OCR monitoring.

2. Oklahoma State University – Center for Health Sciences — $875,000 (2022)

After attackers installed malware on a web server and compromised the protected health information of nearly 280,000 individuals, OCR found the organization had not implemented audit controls, had not conducted an accurate and thorough risk analysis, and had not notified affected individuals and HHS on time. The case demonstrated that academic medical centers face the same Security Rule and Breach Notification Rule obligations as any other covered entity.

3. Hologic, Inc. — $750,000 Settlement with Massachusetts AG (2023)

While this was a state-level action, it reinforced how HIPAA standards inform state enforcement. A business associate's failure to secure PHI during a data migration led to the exposure of patient records. Business associate agreements alone don't insulate your organization from liability.

4. Dr. David Dino Tran — $30,000 (2023, OCR Right of Access)

OCR's Right of Access enforcement initiative has produced over 45 settlements. In this case, a dental practice repeatedly failed to provide a patient with their requested records. The Privacy Rule at §164.524 requires a response within 30 days of the request, with at most one 30-day extension and only if the individual is told in writing why the delay is needed. The penalty may seem modest, but the reputational damage and corrective action requirements were significant. Even small practices face enforcement.

5. L.A. Care Health Plan — $1.3 Million (2023)

This managed care plan exposed the PHI of over 1,400 members through an online portal misconfiguration. OCR found deficiencies in risk analysis and information system activity review. The investigation lasted years — a reminder that OCR's enforcement timeline doesn't expire quickly.

The Compliance Gaps These Cases Have in Common

After reviewing hundreds of HIPAA violation cases over the past several years, I can tell you the patterns are strikingly predictable:

  • Risk analysis deficiencies appear in over 80% of OCR settlements. Most organizations either skip it, scope it too narrowly, or treat it as a one-time project rather than an ongoing requirement.
  • Workforce training gaps rank among the most common findings. OCR expects not just initial training but ongoing, documented education — especially after policy changes or security incidents.
  • Minimum necessary standard violations surface frequently in impermissible disclosure cases, including workforce members viewing records they have no job-related reason to see. (The standard does not apply to disclosures to the individual under a right-of-access request; those cases turn on timeliness and completeness instead.) Your staff must understand that access to PHI should be limited to what is necessary to perform their job functions, and your access logs should let you prove it.
  • Inadequate business associate oversight continues to drive breaches. If your business associates aren't meeting their obligations, your covered entity shares the risk.

Investing in comprehensive HIPAA training and certification for your workforce directly addresses the training documentation gaps OCR investigators look for first.

How to Protect Your Organization from Becoming the Next Case

OCR's enforcement priorities are not a mystery. They've published them. Here's what to focus on right now:

Conduct and update your risk analysis annually. Document every step. If your organization experiences a material change — a new EHR, a cloud migration, a workforce expansion — your risk analysis must be revisited immediately, not at the next annual review.

Train every workforce member and keep records. This includes employees, volunteers, trainees, and contractors. Completion certificates and sign-in sheets aren't optional — they're your first line of defense in an investigation. Platforms like HIPAA Certify make it straightforward to deliver workforce-wide HIPAA compliance training and maintain audit-ready documentation.

Audit your Notice of Privacy Practices. OCR has cited organizations for outdated notices that don't reflect current uses and disclosures of PHI. Review yours at least annually.

Test your breach notification process. Run a tabletop exercise. Know exactly who decides that an incident is a reportable breach (including who performs and documents the four-factor risk assessment under §164.402), who drafts the notification, and how you will meet the deadlines: individual notices without unreasonable delay and no later than 60 calendar days after discovery (§164.404); for breaches affecting more than 500 individuals, notice to HHS on the same timeline and to prominent media outlets when more than 500 residents of a state or jurisdiction are affected (§§164.406 and 164.408); and for smaller breaches, a log submitted to HHS within 60 days after the end of the calendar year in which they were discovered.

HIPAA Violation Cases Will Continue to Increase

OCR collected over $4 million in HIPAA penalties in 2023 alone, and the pace of Right of Access enforcement shows no signs of slowing. State attorneys general are also filing their own actions under the authority granted by the HITECH Act, creating a dual layer of enforcement risk.

The organizations that avoid becoming case studies are the ones that treat compliance as an operational discipline — not a once-a-year training session. They invest in documented risk analyses, enforceable policies, trained workforces, and tested incident response plans.

Every HIPAA violation case OCR has published is a roadmap of what not to do. The question is whether your organization is reading the map, or waiting to be put on it.