
HIPAA settlement patterns: what OCR finds when it investigates small practices

OCR has published more than 100 resolution agreements over the past decade. The findings in those agreements follow a consistent pattern. Here is what investigators actually find — and what it means for your practice.

HHS OCR publishes resolution agreements publicly. They are available at hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html. Each document names the covered entity, describes the investigation, lists the findings, and specifies the corrective action plan.

Reading them is not cheerful. But it is the most direct way to understand what OCR finds when it investigates small practices — and therefore, what you need to be able to produce if OCR ever opens an investigation into yours.

The pattern across more than 100 agreements is consistent. This article describes what it looks like.

How most investigations start

Small practices come to OCR's attention primarily through the following channels:

Patient complaints. A patient believes their PHI was disclosed without authorization, their right of access was denied, or they were retaliated against for filing a complaint. OCR receives more than 20,000 complaints per year and investigates a subset.

Breach reports. Under 45 CFR § 164.408, covered entities must report breaches affecting 500 or more individuals to HHS within 60 days. Breaches affecting fewer than 500 individuals must be reported annually. OCR reviews these reports and opens investigations into those that suggest systemic failures.

Proactive enforcement. OCR's Risk Analysis Initiative (launched late 2024) targets covered entities for proactive investigation specifically around risk analysis compliance, without waiting for a complaint or breach report.

The most common findings in resolution agreements

1. No current risk analysis

This is the finding in nearly every resolution agreement. Not "the risk analysis was imperfect." Not "the risk analysis had minor gaps." "The covered entity failed to conduct an accurate and thorough assessment."

In the Risk Analysis Initiative settlements (2024–2025), this is the primary finding — and in some cases the only finding. Practices were investigated and settled not because of a breach, not because a patient complained, but because their risk analysis documentation was either absent or outdated.

Regulatory basis: 45 CFR § 164.308(a)(1)(ii)(A)

2. No risk management plan

Where there is a finding about the risk analysis, there is almost always a paired finding about the risk management plan. 45 CFR § 164.308(a)(1)(ii)(B) requires a documented plan for managing identified risks. OCR's investigators look for both.

The pattern: practice completed a risk analysis (or something resembling one), identified gaps, and then filed it. No plan. No action items. No timeline.

3. No business associate agreements

The BAA finding shows up consistently in practices with vendor relationships that were not documented. IT providers who have access to systems containing ePHI, answering services that take patient messages, billing companies — all require BAAs under 45 CFR § 164.308(b)(1).

The typical pattern: the EHR vendor BAA is in place (because the vendor required it). The IT provider, cloud backup service, and billing company BAAs are missing.

4. Workforce training gaps

45 CFR § 164.308(a)(5)(i) requires covered entities to implement a security awareness and training program for all workforce members. Resolution agreements regularly cite insufficient training documentation — not necessarily no training, but no documentation that it happened.

OCR asks for training records. If you cannot produce a record of when each employee was trained, what they were trained on, and that they completed the training, the requirement is treated as unmet.

5. Access control failures

45 CFR § 164.312(a)(1) requires covered entities to implement technical policies to allow only authorized persons to access ePHI. Common failures:

  • Former employees who still have active EHR credentials
  • Shared login credentials (multiple staff using the same username and password)
  • No unique user identification for each workforce member
  • No automatic logoff on workstations left unattended

6. Audit controls not implemented

45 CFR § 164.312(b) requires hardware, software, and procedural mechanisms to record and examine activity in systems that contain ePHI. In practice: your EHR should have audit logging enabled, and someone should be reviewing those logs periodically.

Small practices often have audit logging available in their EHR and have never turned it on — or have it on and have never looked at the output.
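As an added example (not from the article, OCR, or any EHR vendor), this is the kind of review the two findings above call for: reconcile the EHR user directory against HR separations, then read a few audit log lines for activity on separated accounts and for one username logging in from two workstations within minutes. The export format, the log format, the usernames and the 10-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumed formats, not a real EHR export):
# EHR user directory (username -> account status) and HR separation list.
EHR_USERS = {"jdoe": "active", "frontdesk": "active", "mlee": "active", "rkim": "disabled"}
SEPARATED = {"mlee": "2025-01-15"}  # workforce members who have left, with last day

# Constructed audit log lines: timestamp,username,workstation,event
AUDIT_LOG = """\
2025-02-03T08:02:11,jdoe,WS-01,login
2025-02-03T08:05:40,frontdesk,WS-02,login
2025-02-03T08:06:02,frontdesk,WS-03,login
2025-02-03T09:15:00,mlee,WS-04,chart_view
2025-02-03T12:40:27,jdoe,WS-01,logout
"""

def parse_log(text):
    """Parse the constructed CSV-style audit log into (datetime, user, workstation, event)."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, ws, event = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, ws, event))
    return rows

def stale_accounts(users, separated):
    """Separated workforce members whose EHR account is still active (finding 5)."""
    return sorted(u for u, status in users.items() if u in separated and status == "active")

def activity_by_separated(rows, separated):
    """Audit events recorded on an account after its owner's separation date (finding 6)."""
    hits = []
    for ts, user, ws, event in rows:
        if user in separated and ts.date() > datetime.fromisoformat(separated[user]).date():
            hits.append((user, ts.isoformat(), ws, event))
    return hits

def shared_credential_suspects(rows, window=timedelta(minutes=10)):
    """Usernames that logged in from different workstations within `window` of each other,
    a common signature of a shared login (finding 5). Logins are sorted by time, so the
    inner loop can stop as soon as the gap exceeds the window."""
    logins = sorted((ts, user, ws) for ts, user, ws, event in rows if event == "login")
    suspects = set()
    for i, (ts, user, ws) in enumerate(logins):
        for ts2, user2, ws2 in logins[i + 1:]:
            if ts2 - ts > window:
                break
            if user2 == user and ws2 != ws:
                suspects.add(user)
    return sorted(suspects)
```

Each function returns a list that can be attached to the periodic log review record, which is the documentation OCR asks for.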

The corrective action plan pattern

Every resolution agreement ends with a corrective action plan (CAP). The CAP typically requires:

  1. Complete a risk analysis within 60–90 days
  2. Develop and implement a risk management plan
  3. Review and update policies and procedures
  4. Implement workforce training
  5. Submit compliance reports to OCR for a monitoring period (often two years)

The monitoring period means OCR does not walk away after the settlement. For the duration of the CAP, the practice is submitting regular reports to investigators documenting that they have addressed the findings.

The penalty range for small practices

Financial settlements in resolution agreements involving small practices (fewer than 25 employees) have fallen into the following ranges:

  • $10,000–$25,000 for practices that self-reported, cooperated fully, and had a relatively limited scope of failure
  • $100,000–$500,000 for practices with significant documentation failures across multiple categories, or where a patient suffered harm
  • The April 2025 Northeast Radiology settlement: $350,000, for a radiology group that had no current risk analysis — with no breach involved

The maximum annual penalty per violation category is approximately $1.9 million (indexed annually). For a small practice, even a $50,000 settlement plus two years of monitoring is a significant operational burden.

What this means for your practice

If you want to understand what OCR expects, read the resolution agreements. They are the most direct evidence of what investigators find and what they require.

The minimum floor to be defensible:

  • A risk analysis, dated within the past 12 months, covering all systems
  • A risk management plan with specific actions and timelines
  • BAAs with every business associate
  • Workforce training records
  • Audit logs enabled in your EHR
  • A policy for revoking access when employees leave

None of those are expensive. All of them require time and documentation.
Sources: HHS OCR resolution agreements, available at hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements. 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.308(a)(1)(ii)(B) (risk management plan); 45 CFR § 164.308(b)(1) (business associate contracts); 45 CFR § 164.308(a)(5)(i) (workforce training); 45 CFR § 164.312 (technical safeguards). Civil monetary penalty adjustments published annually in the Federal Register.