Awareness article
The Largest HIPAA Fines in History and What Each Clinic Can Learn
OCR's largest HIPAA settlements and civil monetary penalties share a common thread: preventable failures in access control, training, business associate oversight, and risk analysis. Real enforcement cases, organized by violation type.
Short answer
OCR's enforcement history reveals that the largest HIPAA fines and settlements trace back to a small set of recurring failures: inadequate access controls, absent workforce training, unsigned business associate agreements, and missing risk analyses. Each case offers a concrete lesson for small clinic compliance programs.
The largest HIPAA fines and settlements in OCR’s enforcement history are not random. They share a common structure: a systemic failure that persisted for years, a precipitating incident that brought it to OCR’s attention, and a documented record of an organization that knew — or should have known — that required safeguards were absent.
The dollar amounts are striking. The operational lessons are more useful. Each violation category that produced a major enforcement action maps directly to a gap that a compliance program with the right discipline can prevent.
All enforcement cases referenced in this article are drawn from OCR’s published resolution agreements and enforcement examples, available at the HHS website. Readers should consult those sources directly for current details.
Access Control Failures: When Employees Access Records Without Authorization
The pattern. Workforce members access patient records outside the scope of their treatment, billing, or operational responsibilities. The access may be motivated by curiosity, personal relationships, financial fraud, or malice. The covered entity’s audit controls either do not capture the activity or are never reviewed. Years pass before the access is discovered — often through a patient complaint or a whistleblower.
Enforcement example: Cignet Health of Prince George’s County (2011). OCR issued a civil monetary penalty of $4.3 million against Cignet Health, a Maryland provider, for violations that included denying patients their right of access to medical records and failing to cooperate with an OCR investigation. The case illustrated how a pattern of repeated violations — not a single incident — escalates OCR’s response. OCR noted that Cignet failed to provide records to 41 patients who made access requests and then failed to cooperate during the investigation.
The lesson for small clinics. Patient access rights violations are a specific and serious category. When a patient requests their records, HIPAA requires a response within 30 days (extendable by one 30-day period with notice). Denying or delaying access without valid justification is a violation. Document every access request and every response.
Enforcement example: UCLA Health System (2011). OCR settled with UCLA Health for $865,000 over unauthorized access by workforce members to celebrity patients’ medical records. OCR found that UCLA Health failed to implement adequate security measures to safeguard ePHI and failed to restrict access based on minimum necessary principles.
The lesson. Role-based access controls are not a technical nicety. They are a required safeguard under 45 CFR §164.312(a)(1). Each user should have access to the records needed for their treatment, billing, or operational role — not to the broader patient database. Audit log review is the mechanism for detecting violations after they occur.
Training Failures: When Workforce Members Were Never Trained
The pattern. A workforce member discloses PHI improperly — gives records to someone without authorization, posts patient information online, discusses patient details in public areas. Investigation reveals that the workforce member never received HIPAA privacy training, or that training records are absent or outdated.
Enforcement example: Pagosa Springs Medical Center (2019). OCR settled with this Colorado rural health clinic for $111,400 over its failure to terminate a former employee’s access credentials. The workforce member’s remote access to HIPAA-covered records was not terminated after employment ended, and OCR found that the clinic had failed to implement policies and procedures for workforce clearance, authorization, and access termination. The case underscores that workforce access management is part of the training and administrative safeguards framework.
The lesson. Workforce access termination must be immediate and comprehensive. An offboarding checklist that includes disabling all system access — EHR, email, remote access, practice management — and that is documented with the termination date is a required safeguard, not a best practice. OCR has cited failures here as both access control violations and workforce management failures.
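As an added example that is not part of the original article, the following script performs the audit log review described under access control together with the post-termination access check from the lesson above, over constructed sample data: the workforce roster, the care-team assignments and the audit log lines are all invented for illustration, as is the simple comma-separated log format.

```python
"""Audit-log review for two findings the enforcement cases above describe:
   (1) a workforce member viewing a record with no treatment/billing relationship,
   (2) any access occurring after that user's documented termination date."""
from datetime import date

# Constructed: which workforce members have a treatment or billing
# relationship with each patient record (the "minimum necessary" scope).
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_patel", "billing_kim"},
    "P1002": {"dr_lee", "rn_ortiz"},
    "P2000": {"dr_shah"},
}

# Constructed roster: user -> (role, termination date or None if still employed).
WORKFORCE = {
    "dr_lee": ("physician", None),
    "rn_patel": ("nurse", None),
    "rn_ortiz": ("nurse", None),
    "billing_kim": ("billing", None),
    "dr_shah": ("physician", None),
    "it_jones": ("it_admin", date(2025, 3, 31)),  # offboarded, access never disabled
}

# Constructed EHR audit log lines: date,user,patient,action
AUDIT_LOG = """\
2025-04-02,dr_lee,P1001,view_chart
2025-04-02,rn_ortiz,P1001,view_chart
2025-04-03,it_jones,P1002,view_chart
2025-04-03,rn_patel,P2000,view_chart
2025-04-04,billing_kim,P1001,view_claims
2025-04-04,dr_shah,P2000,view_chart
"""


def review(log: str) -> list[dict]:
    """Return one finding per log line that violates either check, with reasons."""
    findings = []
    for line in log.strip().splitlines():
        day, user, patient, action = line.split(",")
        when = date.fromisoformat(day)
        _role, terminated = WORKFORCE.get(user, ("unknown", None))
        reasons = []
        if terminated is not None and when > terminated:
            reasons.append("access after termination date")
        if user not in CARE_TEAM.get(patient, set()):
            reasons.append("no treatment/billing relationship")
        if reasons:
            findings.append({"date": day, "user": user, "patient": patient,
                             "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(AUDIT_LOG):
        print(f["date"], f["user"], f["patient"], "->", "; ".join(f["reasons"]))
```

A real review would read the EHR's native audit export and the HR system's termination dates, but the two checks and the requirement that someone actually runs them periodically are the same.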
Enforcement example: Jackson Health System (2019). OCR entered a $2.15 million resolution agreement with Jackson Health System, a major Florida health system, covering multiple breach events including the posting of a patient’s photo on social media by a workforce member, the loss of unencrypted paper records, and the improper disclosure of records to a media outlet. OCR cited failures in risk analysis, risk management, and workforce access controls across multiple breach events over several years.
The lesson for training. Workforce members who receive clear, documented training on what PHI is, what uses are permissible, and what sharing is prohibited are less likely to make errors that produce enforcement actions. The Jackson Health case involved multiple workforce members across multiple events — a signal of systemic training gaps rather than isolated misconduct. A workforce training program with documentation, periodic refreshers, and sanctions procedures is the operational response.
Business Associate Agreement Failures: Vendors Handling PHI Without Agreements
The pattern. A vendor performs a service — billing, transcription, IT support, cloud hosting — that requires access to PHI. No BAA is in place. A breach occurs, or an OCR audit reveals the gap. The covered entity has allowed PHI to flow to a vendor for months or years without the required contractual protections.
Enforcement example: North Memorial Health Care of Minnesota (2016). OCR settled for $1.55 million with North Memorial after a breach affecting nearly 10,000 individuals resulted from a laptop stolen from a business associate’s vehicle. OCR found that North Memorial had no BAA with the business associate — a company providing administrative and management services — despite that company having access to North Memorial’s PHI.
The lesson. The BAA inventory is not optional. Every vendor with access to ePHI is a business associate, and every BA must have a current, signed BAA before PHI flows to them. A vendor that has been operating for years without a BAA is not a grandfathered exception — it is an open enforcement finding. Conducting an annual BAA inventory and addressing gaps before an incident occurs is the only defensible approach.
Enforcement example: Catholic Health Care Services of the Archdiocese of Philadelphia (2016). OCR settled for $650,000 with CHCS after a breach of PHI belonging to nursing home residents. A business associate employee’s smartphone was stolen, and the device contained PHI of nursing home residents. OCR found that CHCS had no BAA with its own parent organization — which was providing IT management services — and no policies governing the use of mobile devices with PHI.
The lesson. BA relationships within affiliated organizations are not automatically exempt. If a related organization creates, receives, maintains, or transmits PHI on behalf of the covered entity, a BAA is required. The existence of an organizational relationship does not substitute for the contractual requirement.
Risk Analysis Failures: No Documented Risk Assessment Despite Years of Operation
The pattern. A covered entity has operated for years — sometimes decades — without conducting the risk analysis required under 45 CFR §164.308(a)(1)(ii)(A). A breach or complaint prompts an investigation. OCR discovers that no risk analysis exists, or that the analysis on file is so outdated as to be meaningless. The absence of a risk analysis is cited as both a standalone violation and as evidence of systemic non-compliance.
Enforcement example: Advocate Medical Group (2016). OCR entered a $5.55 million resolution agreement with Advocate Medical Group, a large Illinois physician group, following three data breaches affecting approximately 4 million individuals. The breaches involved stolen laptops and unauthorized access to a business associate network. OCR found that Advocate had failed to conduct an adequate risk analysis, failed to implement policies for authorizing access to ePHI, and had an insufficient security awareness training program. The $5.55 million settlement was among the largest at the time.
The lesson. Scale matters in enforcement — but the violations themselves are not unique to large organizations. An absent risk analysis, access control gaps, and training deficiencies are exactly the violations that small clinics also accumulate. The difference is that a major breach at a large organization brings immediate OCR attention; a small breach at a small clinic may not reach the same level of scrutiny immediately, but the violations are present regardless.
Enforcement example: Fresenius Medical Care North America (2018). OCR settled for $3.5 million with Fresenius, a large dialysis chain, following five separate breach events over a six-month period in 2012. OCR found that Fresenius had failed to conduct an accurate and thorough risk analysis of its facilities, failed to implement policies restricting access to ePHI, and failed to properly control media (physical devices) containing PHI.
The lesson. Multiple incidents in a short period signal systemic failure. OCR treats recurring incidents as evidence that an organization has not addressed the underlying causes of its compliance gaps. A single incident followed by documented remediation presents a very different compliance profile than multiple incidents with no documented response.
What These Cases Have in Common
Reading across OCR’s enforcement history, the organizations that faced the largest penalties shared recognizable characteristics:
- Compliance programs that were inadequate on paper and absent in practice
- Failure to address known gaps — in many cases, internal audits or prior incidents had surfaced the same vulnerabilities that later produced major breaches
- No documented risk analysis, or an analysis so outdated it did not reflect current systems and operations
- Training programs that existed in policy but were not applied uniformly to the workforce
- BAA inventories that were incomplete, unsigned, or had never been reviewed
None of these failures require sophisticated technology to prevent. They require operational discipline: documented policies, executed agreements, trained workforce members, reviewed audit logs, and a current risk analysis. The enforcement cases make the cost of that discipline feel modest relative to the alternative.
For small clinics, the lesson is not that large penalties are inevitable — it is that the violations producing those penalties are also present at small clinics where no breach has surfaced yet. The question is whether those gaps get addressed before or after OCR gets involved.
Sources
- OCR Resolution Agreements · HHS
- OCR Enforcement Examples · HHS