HIPAA lessons learned: A review of HHS resolution agreements

Insights from past enforcement actions by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) offer valuable lessons for reducing risk and safeguarding patient data.

Trends in HIPAA enforcement

OCR resolves most cases informally through voluntary compliance, corrective actions, or resolution agreements, which often include monetary settlements. However, when informal resolution isn’t possible, OCR may impose civil money penalties.

Recent enforcement trends indicate that HIPAA compliance remains a high priority, even during challenging periods such as the pandemic. These cases show the necessity of proactively managing risk to avoid financial penalties and reputational damage.

In the news: Lessons learned from OCR’s first HIPAA enforcement action of 2025

Lessons from enforcement cases

Conduct thorough and accurate risk assessments

OCR investigations frequently reveal that covered entities failed to perform risk assessments. HIPAA's security rule requires entities to evaluate potential threats and vulnerabilities and implement tailored policies and procedures to mitigate risks.

Notable cases:

• North Memorial Health Care paid $1.55 million after reporting a stolen, unencrypted laptop containing electronic protected health information (ePHI). The investigation revealed insufficient risk analysis and a lack of business associate agreements (BAAs).
• University of Washington Medicine (UWM) settled for $750,000 after a malware attack compromised ePHI for 90,000 individuals. OCR found gaps in risk assessments and mitigation efforts across UWM’s entities.

Action steps:

• Identify the types of protected health information (PHI) stored and the systems used.
• Regularly review who has access to PHI and ensure access is appropriately monitored.
  
  

Encrypt devices storing ePHI

Encryption provides a safe harbor under HIPAA, protecting data from unauthorized access in case of loss or theft. Despite its importance, unencrypted devices remain a common vulnerability in many breach cases.

Notable cases:

• Lifespan Health System paid $1.04 million after a stolen, unencrypted laptop exposed patient names, medical records, and other sensitive data.
• University of Rochester Medical Center (URMC) settled for $3 million after multiple incidents involving unencrypted mobile devices, despite prior guidance from OCR on encryption practices.

Action steps:

• Encrypt portable devices and document encryption policies.
• Regularly audit device security and implement remote locking and wiping capabilities.

Ensure business associate agreements (BAAs) are in place

HIPAA requires covered entities to establish a BAA before sharing PHI with a third party. Without this agreement, disclosures of PHI are considered impermissible and subject to enforcement action.

Notable cases:

• Advanced Care Hospitalists PL paid $500,000 after PHI was exposed due to the absence of a BAA with a medical billing contractor.
• Pagosa Springs Medical Center paid $111,400 after sharing ePHI with a scheduling vendor without a valid BAA.

Action steps:

• Establish and review BAAs with all third-party vendors accessing PHI.
• Use HHS sample BAA provisions as a reference.

Maintain accountability for employee actions

Covered entities are responsible for ensuring employees follow HIPAA policies and procedures. Many enforcement actions stem from employee errors or unauthorized access to PHI.

Notable cases:

• St. Luke’s-Roosevelt Hospital Center Inc. paid $387,200 after staff members repeatedly mishandled PHI, including faxing records to the wrong recipient.
• Memorial Healthcare System paid $5.5 million after a former employee’s credentials were used for unauthorized access to ePHI over a year-long period.

Action steps:

• Conduct regular training sessions on HIPAA compliance and security best practices.
• Implement audit trails and access controls to monitor employee activity.
• Use resources like HHS training materials to develop effective training programs.
  
  

Treat HIPAA compliance as an ongoing process

HIPAA compliance isn’t static—it requires continuous evaluation and updates to policies, procedures, and technologies. Outdated practices can lead to vulnerabilities and enforcement actions.

Notable cases:

• Woman & Infants Hospital of Rhode Island paid $400,000 after failing to update a BAA and losing unencrypted backup tapes containing ePHI.
• Anchorage Community Mental Health Services paid $150,000 after an investigation revealed outdated IT policies and the use of unsupported software.

Action steps:

• Periodically review and update HIPAA policies, procedures, and agreements.
• Integrate HIPAA compliance into decision-making for new technologies or policies.

Why it matters

HIPAA enforcement actions show the serious consequences of non-compliance for healthcare organizations of all sizes. Learning from these cases and implementing proactive measures helps covered entities better protect sensitive health information, minimize legal risks, and maintain patient trust.

FAQs

What happens if a healthcare organization disagrees with the OCR’s findings during a HIPAA investigation?

If an organization disputes the OCR’s findings, it can request a hearing before an administrative law judge (ALJ) to challenge the proposed penalties. However, most cases don’t reach this stage, as organizations often opt for a resolution agreement to avoid prolonged legal battles and additional costs.

Are smaller healthcare providers equally at risk of enforcement actions as large hospital systems?

Yes, smaller providers are just as likely to face enforcement actions. The OCR does not limit investigations to large healthcare systems. In fact, smaller organizations often face penalties for neglecting basic HIPAA requirements, like risk assessments and business associate agreements, which apply to all covered entities regardless of size.

Can a healthcare provider face HIPAA penalties even if a breach didn’t occur?

Yes. HIPAA penalties can be imposed even if no breach occurs. The OCR often enforces penalties for non-compliance with administrative safeguards, such as missing risk assessments, outdated policies, or lack of BAAs. Compliance is required even when there’s no evidence of data exposure.

Does HIPAA enforcement change based on emerging technologies?

Yes, HIPAA enforcement evolves to address new risks from emerging technologies. For example, OCR has issued guidance on the use of mobile devices, cloud storage, and telehealth services. Healthcare organizations must evaluate whether new technologies introduce vulnerabilities and update their compliance measures accordingly.

How can organizations reduce the risk of repeat violations after a resolution agreement?

Organizations can reduce the risk of repeat violations by implementing post-settlement compliance plans, including regular third-party audits, employee retraining programs, and ongoing risk assessments. Monitoring compliance improvements through internal audits also helps demonstrate a proactive approach to safeguarding PHI.