2022–2025 HIPAA Enforcement Report: What Small Practices Actually Paid
TLDR
55% of OCR enforcement actions target small medical practices. The median penalty is $20,000–$35,000. This report covers real cases, real penalties, and the compliance failures that triggered them.
How OCR Enforcement Targets Small Practices
OCR enforces HIPAA through financial penalties, corrective action plans, and in serious cases, criminal referrals. The common assumption is that enforcement targets large health systems with thousands of records. The data shows otherwise.
In 2022, 55% of OCR financial penalties hit small medical practices: solo physicians, dental offices, specialty clinics, and small group practices. OCR has stated that practice size does not determine enforcement priority. Evidence of a violation and whether the practice cooperates are what matter.
Annual enforcement summary (2022–2025):
| Year | Approximate Actions | Penalties Collected | Notable Pattern |
|---|---|---|---|
| 2022 | ~22 | Not published | 55% targeted small practices |
| 2023 | ~20 | Not published | Risk analysis initiative launched |
| 2024 | ~18 | $9.9 million | Risk analysis cited in most cases |
| 2025 | ~15 (through Q3) | $8.3 million | 75%+ cited missing risk analysis |
The Risk Analysis Initiative is OCR’s current enforcement focus. Starting in 2023, OCR began systematically investigating whether practices had completed a Security Rule risk analysis. A risk analysis is a documented assessment of threats to electronic protected health information (ePHI): an actual inventory of the risks the practice faces and a record of how it plans to address each one. Most small practices have never done one.
OCR focuses on small practices for three reasons: complaints come from patients at small practices just as often as large ones; small practices are less likely to have legal counsel ready to respond; and settlements are faster and less contested. A solo practitioner facing a $25,000 settlement will typically sign rather than fight.
Five Practices That Paid: Case Studies
These cases are public record on HHS’s website. All five involved small practices with fewer than 20 staff. All five could have been avoided.
Summary table:
| Practice | Type | Penalty | Primary Violation |
|---|---|---|---|
| Comprehensive Neurology | Solo neurologist, 5 staff | $25,000 | Ransomware + no risk analysis |
| Gums Dental Care | Dental practice | $70,000 | Non-cooperation with OCR |
| Manasa Health Center | Mental health clinic | $30,000 | PHI disclosed in Google review responses |
| Bryan County Ambulance Authority | EMS/ambulance | $90,000 | Ransomware + no prior risk analysis |
| Northcutt Dental | Dental practice | $62,500 | Patient list provided to political campaign |
Comprehensive Neurology — $25,000
A solo neurologist with 5 staff experienced a ransomware attack that encrypted patient records. OCR found no risk analysis had ever been conducted. The penalty was not primarily for the ransomware attack itself. Ransomware can happen to any organization. The penalty was for operating years without any documented assessment of risks to patient data. A risk analysis, even a basic one, demonstrates good faith. Its absence makes any incident an automatic violation.
Gums Dental Care — $70,000
The underlying violation was relatively minor. The practice’s failure to respond adequately to OCR’s requests for documents and information turned it into a $70,000 penalty. OCR has no obligation to give practices the benefit of the doubt when they stonewall investigators. If OCR contacts you, respond promptly, provide requested documents, and do not attempt to minimize or obstruct the investigation.
Manasa Health Center — $30,000
A mental health clinic responded to negative patient reviews on Google by including identifiable patient information in the responses, confirming the reviewer was a patient and disclosing details about their care. This is a textbook impermissible disclosure. Never acknowledge whether someone is a patient in a public forum. If a review mentions specific clinical details, do not respond to those details publicly, regardless of how unfair the review feels.
Bryan County Ambulance Authority — $90,000
This was the first case in OCR’s Risk Analysis Initiative. An ambulance authority experienced a ransomware attack, and investigation found no risk analysis had ever been completed. The $90,000 penalty reflected both the breach and the failure to conduct basic security planning. EMS and ambulance providers are covered entities subject to the same HIPAA requirements as physician practices. Being outside a traditional clinic setting is not a compliance exemption.
Northcutt Dental — $62,500
A dental practice provided a patient mailing list to a political campaign. Patients consented to receive dental appointment reminders. They did not consent to political outreach. Patient data collected for one purpose cannot be reused for another without explicit authorization. Mailing lists derived from patient records are PHI.
Q&A
What percentage of OCR enforcement actions target small practices?
55% of OCR financial penalties in 2022 targeted small medical practices. The median penalty for small practices ranges from $20,000 to $35,000, with a maximum of $500,000. Security risk analysis failure was cited in over 75% of 2025 OCR penalties.
What is a HIPAA Corrective Action Plan?
A Corrective Action Plan (CAP) is a federal oversight program that OCR imposes after a significant HIPAA violation. It typically runs 2–3 years, includes 7 standardized requirements, and mandates regular reporting to HHS. The administrative burden frequently exceeds the financial penalty itself.