Awareness article

OCR Enforcement Patterns for Small Providers

What triggers HIPAA enforcement actions against small medical practices, what OCR typically finds when it investigates, and what small clinics can do to reduce their exposure.

Short answer

Small healthcare providers are subject to the same HIPAA enforcement as large health systems. The most common triggers for enforcement against small practices are patient right of access complaints, self-reported breaches that reveal program gaps, and workforce member complaints. The most common findings are lack of a risk analysis, missing BAAs, and no training records.

Coverage of HIPAA enforcement tends to focus on large health systems and seven-figure settlements. Small healthcare providers face the same patient rights obligations and are fully subject to OCR enforcement. This article explains what triggers enforcement actions against small providers, what OCR finds when it investigates, and what reduces exposure.

How OCR Learns About Small Provider Violations

Patient Complaints

Most HIPAA enforcement actions originate with patient complaints filed directly with OCR. Patients who believe their rights were violated, who were refused access to their records, or who learned their information was disclosed without authorization can file a complaint at hhs.gov.

OCR investigates a substantial portion of these complaints. For small providers, the most common complaint subjects are:

  • Failure to provide records access. The patient requested their records and the clinic did not respond on time, required excessive documentation, or refused.
  • Improper disclosure. A staff member disclosed PHI to a family member, employer, or third party without the patient’s authorization.
  • Retaliation for a privacy complaint. A patient complained internally, and the provider retaliated.

Self-Reported Breaches

Covered entities are required to report breaches affecting 500 or more individuals to OCR within 60 days and to report smaller breaches annually. When a clinic reports a breach, OCR may investigate the underlying incident.

OCR looks at the compliance program behind the breach. A breach that reveals no risk analysis was ever conducted, no BAAs were in place with the relevant vendor, and no workforce training existed creates multiple findings on top of the original incident.

Clinics must self-report breaches as required. Failure to self-report creates additional violations and is an aggravating factor. The state of the compliance program at the time of the breach determines the full scope of exposure.

OCR Audits

OCR has an audit program that can select covered entities for proactive compliance review. Historically, audits have focused on larger covered entities, but small providers are within scope. Audit selection can occur without any complaint or incident.

The Right of Access Enforcement Initiative

Since 2019, OCR has run a dedicated right of access enforcement initiative that has produced dozens of enforcement actions against providers of all sizes. The pattern is consistent: patient requests records, provider misses the deadline or imposes improper conditions, patient files an OCR complaint, OCR investigates and settles.

Enforcement actions under the right of access initiative against small practices have resulted in:

  • Resolution agreements requiring corrective action plans
  • Civil money penalties ranging from tens of thousands of dollars to over $100,000
  • Monitoring periods during which OCR reviews the clinic’s compliance progress

The violations that have been penalized include:

  • Failing to respond within 30 days (or within the extended window)
  • Requiring patients to pick up records in person when they requested electronic copies
  • Charging fees that included retrieval or search costs
  • Conditioning records release on payment of outstanding balances

What OCR Finds When It Investigates

Across hundreds of enforcement actions and resolution agreements, certain compliance gaps appear repeatedly regardless of the size of the provider:

No Risk Analysis

The most consistently cited finding in OCR resolution agreements is the absence of a documented risk analysis (required by 45 CFR § 164.308(a)(1)). Covered entities that have operated for years without completing a written risk analysis face this finding in virtually every investigation.

Under the Security Rule, the clinic’s entire security program is supposed to flow from the risk analysis. Without one, the security controls have no documented foundation — and OCR cannot tell whether they were chosen deliberately or at random.

Missing or Incomplete BAAs

OCR regularly finds that covered entities have relationships with vendors who handle PHI but have never executed a BAA. Common gaps: the EHR vendor has a BAA but the answering service, billing company, or cloud backup provider does not.

No Workforce Training Records

Covered entities are required to train workforce members on privacy and security policies (45 CFR § 164.530(b), 45 CFR § 164.308(a)(5)). OCR frequently finds that no training records exist. Without them, the clinic cannot demonstrate whether training happened at all.

Policies That Predate Current Operations

Some small providers have privacy and security policies adopted years ago that have never been reviewed. Policies that reference systems the clinic no longer uses, or omit systems it now uses daily, are a finding on their own.

Civil Money Penalties

Civil money penalties for HIPAA violations are tiered under 45 CFR § 160.404 based on culpability:

  Tier    Circumstances                               Annual cap
  Tier 1  Did not know of the violation               $25,000/year
  Tier 2  Reasonable cause (not willful neglect)      $100,000/year
  Tier 3  Willful neglect, corrected within 30 days   $250,000/year
  Tier 4  Willful neglect, not corrected              $1,900,000/year

Note: Per-violation amounts and annual caps are adjusted for inflation periodically. The figures above are approximate as of 2024; verify current amounts at HHS.gov.

The tiered structure means a clinic that made a genuine effort to comply but made a mistake faces much lower penalties than a clinic that identified a gap, documented nothing, and left it open for years.

What Small Clinics Can Do

The compliance program that reduces enforcement exposure is not complex:

Document the risk analysis. This is the most important single step. Complete a written risk analysis covering all ePHI systems, identified threats, vulnerabilities, and likelihood/impact assessments. Update it when the environment changes.

Execute BAAs before PHI reaches any vendor. Build a BAA inventory and confirm coverage for every business associate relationship — including answering services and cloud backup providers that small clinics routinely overlook.

Maintain training records. Document every workforce member’s training completion: who trained, when, and what content was covered. Retain for six years.

Build a right of access process that front desk staff can actually follow. They are the ones who receive records requests. Make sure they know the 30-day deadline, the format rules, and what fees are allowed. Document each request and its outcome.

Have a written incident response procedure. When something goes wrong, the clinic needs a documented process for investigating and, if required, reporting. Proof that the procedure was followed is part of the record.

These steps require organizational discipline and a system for tracking compliance work over time. The documentation requirement is the part that trips up small clinics most often — not the policies themselves, but the evidence that the policies were followed.

FAQ

Questions related to this topic

How does OCR learn about small provider HIPAA violations?

Three main ways: patient complaints filed directly with OCR, self-reported breaches submitted through the OCR breach notification portal, and OCR-initiated audits (which are relatively rare for small providers). Patient complaints are by far the most common trigger.

What is a corrective action plan?

A corrective action plan (CAP) is a document OCR requires a covered entity to implement after a violation is found. It specifies what the covered entity must do to achieve compliance — adopt policies, train workforce, implement a risk analysis — and typically requires the covered entity to report back to OCR on implementation progress over a monitoring period.

Can a small clinic afford civil money penalties?

Penalties range from $141 to over $2 million per violation category per year (2024 adjusted figures). For small clinics, even lower-tier penalties can be significant. OCR has discretion to reduce penalties based on financial circumstances and cooperation. Settlements under the right of access initiative have generally involved relatively modest penalties (in the $25,000-$100,000 range), intended to signal an enforcement priority rather than to put small practices out of business.

Does cooperation with OCR reduce penalties?

OCR considers cooperation as a mitigating factor in penalty determination. Covered entities that self-identify violations, voluntarily comply with corrective action, and cooperate fully with OCR investigations typically receive more favorable outcomes than those who are uncooperative or fail to remediate.
