HIPAA Fines Are Hitting Record Levels — Here's the Data
HIPAA enforcement is hitting record levels. If you run a medical practice and assume “they only go after big hospitals” — the data says otherwise.
The HHS Office for Civil Rights (OCR), which enforces HIPAA at the federal level, has been unusually active. In just the first five months of 2025, OCR announced 10 resolution agreements — spanning organizations from small physician groups to large hospital systems.
Here’s what organizations actually paid — and why.
Notable HIPAA fines: 2023–2026
| Organization | Year | Fine | Root Cause |
|---|---|---|---|
| Blackbaud | 2023–2024 | $56.25M | Ransomware + misleading breach disclosure |
| Montefiore Medical Center | 2024 | $4.75M | Employees selling patient data |
| Enzo Biochem | 2023 | $4.5M | Ransomware, 2.4M patients exposed |
| Solara Medical Supplies | 2025 | $3M | Phishing attack + no prior risk analysis |
| Heritage Valley Health System | 2025 | $950K | Ransomware + lacked contingency plan |
| Northeast Radiology | 2025 | $350K | Never conducted a security risk analysis |
| Oregon Health & Science Univ. | 2025 | $200K | Security Rule violations |
| Cadia Healthcare Facilities | 2025 | $182K | Privacy Rule & breach notification failures |
| Virtual Private Network Solutions | 2025 | $90K | No BAA with cloud storage vendor |
| PIH Health | 2025 | $600K | Delayed breach notification (over 60 days) |
Notice the range: from $90K for a missing BAA to $56M for a breach cover-up. The takeaway is clear — there is no “too small to fine” threshold.
The Risk Analysis Initiative: OCR’s new enforcement weapon
In late 2024, OCR formally launched the Risk Analysis Initiative — a targeted enforcement campaign focused on organizations that haven’t conducted adequate security risk assessments.
This isn’t a suggestion. Under the HIPAA Security Rule (45 CFR § 164.308(a)(1)), every covered entity must conduct an accurate and thorough assessment of potential risks to the confidentiality, integrity, and availability of electronic PHI.
By early 2026, the initiative had already produced 11 enforcement actions. The message is explicit: OCR will investigate organizations that skip or shortcut their risk analysis — even if no breach has occurred.
For small healthcare practices, this is especially relevant. Most dental offices, chiropractic clinics, and physical therapy practices have never conducted a formal risk analysis. Many don’t even know it’s required.
What triggers an OCR investigation
Fines aren’t only triggered by cyberattacks. Here’s what can open an investigation:
- A patient complaint. Any patient can file a complaint on the HHS website. OCR investigates every one.
- A reported breach. Breaches affecting 500+ people are publicly listed on the HHS Breach Portal (the “Wall of Shame”). Smaller breaches must still be reported to HHS annually.
- A missing risk analysis. Under the new initiative, OCR actively audits for this — no complaint needed.
- Tracking pixels and analytics. In 2022–2023, HHS issued specific guidance on tracking pixels in healthcare. Several hospital systems paid multimillion-dollar settlements for running Facebook Pixel on patient-facing pages.
- Late breach notification. HIPAA requires notification within 60 days of discovery. PIH Health paid $600K simply for being late.
- No BAA with vendors. If your IT contractor, hosting provider, or scheduling tool handles PHI without a signed BAA — that’s an enforceable violation.
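The tracking-pixel and BAA items above both come down to one question a practice can answer itself: which external hosts does a patient-facing page actually load, and is each one a vendor with a signed BAA? The script below is an added example, not part of the original article, that inventories external resources (scripts, images and pixels, iframes, stylesheets, form targets) from a page's HTML with only the Python standard library and sorts them into "covered by a BAA" and "needs review". The sample page, the first-party host `clinic.example` and the vendor list `BAA_VENDORS` are constructed for illustration; the Facebook Pixel and Google tag hosts are the ones such embeds normally load from.

```python
"""Inventory third-party resources on a page and check them against a BAA list.

Added example (not the article's own code). The HTML, the first-party host
and the BAA vendor list below are constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch from, or post to, a URL.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),       # 1x1 tracking pixels are plain <img> tags
    "iframe": ("src",),
    "link": ("href",),
    "form": ("action",),   # intake forms posting PHI to a vendor
}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every fetch-triggering attribute."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.resources.append((tag, value.strip()))


def host_of(url):
    """Host for absolute or protocol-relative URLs; None for same-origin paths."""
    if url.startswith("//"):
        url = "https:" + url
    hostname = urlsplit(url).hostname
    return hostname.lower() if hostname else None


def third_party_hosts(html, first_party):
    """Map each external host to the set of tags that load from it."""
    collector = ResourceCollector()
    collector.feed(html)
    first_party = first_party.lower()
    found = {}
    for tag, url in collector.resources:
        host = host_of(url)
        if host is None or host == first_party or host.endswith("." + first_party):
            continue  # relative URL or the practice's own domain
        found.setdefault(host, set()).add(tag)
    return found


def classify(hosts, baa_vendors):
    """Split external hosts into BAA-covered vendors and hosts needing review."""
    covered, review = {}, {}
    for host, tags in hosts.items():
        is_vendor = any(host == v or host.endswith("." + v) for v in baa_vendors)
        (covered if is_vendor else review)[host] = sorted(tags)
    return covered, review


# Constructed sample: a clinic page with a Google tag, a Facebook Pixel and
# two embeds from a (hypothetical) scheduling vendor that has signed a BAA.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=0&ev=PageView" height="1" width="1">
<iframe src="https://scheduling.example-vendor.com/embed"></iframe>
<form action="https://forms.example-vendor.com/intake" method="post"></form>
<img src="/images/logo.png">
</body></html>
"""
FIRST_PARTY = "clinic.example"
BAA_VENDORS = {"example-vendor.com"}  # hypothetical vendor with a signed BAA


def audit(html=SAMPLE_HTML, first_party=FIRST_PARTY, baa_vendors=BAA_VENDORS):
    """Return (covered, review) dicts for a page."""
    return classify(third_party_hosts(html, first_party), baa_vendors)


if __name__ == "__main__":
    covered, review = audit()
    for host, tags in sorted(review.items()):
        print(f"REVIEW  {host:35} {', '.join(tags)}  (no BAA on file)")
    for host, tags in sorted(covered.items()):
        print(f"covered {host:35} {', '.join(tags)}")
```

Run it against the saved HTML of each patient-facing page (appointment booking, intake, patient portal login) rather than just the home page; a host in the review list is either a vendor to sign a BAA with or a tag to remove. Scripts loaded dynamically by a tag manager will not appear in static HTML, so pair this with the browser's network panel for pages that use one.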
Penalty caps increase automatically every year
This is the detail most practices miss: HIPAA penalty caps are adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act.
Over the past three years:
- The maximum per-violation fine rose by approximately $46,000
- The annual cap climbed by nearly $200,000
Current penalty tiers (2025–2026):
| Tier | Knowledge Level | Per Violation | Annual Maximum |
|---|---|---|---|
| Tier 1 | Didn’t know (and couldn’t have) | $137 – $68,928 | $2,067,813 |
| Tier 2 | Reasonable cause, not willful neglect | $1,379 – $68,928 | $2,067,813 |
| Tier 3 | Willful neglect, corrected within 30 days | $13,785 – $68,928 | $2,067,813 |
| Tier 4 | Willful neglect, not corrected | $68,928 – $2,067,813 | $2,067,813 |
Inaction gets more expensive on its own — without OCR doing anything differently.
State laws that are stricter than federal HIPAA
Federal HIPAA sets the floor, not the ceiling. Several states have enacted laws that go significantly further — and if you operate in those states, you must comply with both.
Washington: My Health My Data Act (MHMDA)
Washington’s MHMDA, enacted in 2023, is the most aggressive state health privacy law in the country:
- No business size threshold. A three-person dental practice faces the same requirements as a hospital network.
- Broader definition of health data. Covers data that HIPAA doesn’t consider PHI — including symptom searches, wellness app data, and health-related browsing history on your website.
- Private right of action. Unlike HIPAA (where complaints go to HHS), MHMDA allows patients to sue you directly. Any violation automatically triggers the Washington Consumer Protection Act.
- Separate consent for sharing. Collecting patient data requires consent. Sharing it with third parties requires separate, independent consent. Running Google Analytics without explicit patient permission could violate MHMDA even if it doesn’t violate HIPAA.
We covered MHMDA in detail in our article on IT contractors and HIPAA in Washington. If your practice operates in Washington State, this applies to you regardless of size.
California: CCPA + Confidentiality of Medical Information Act (CMIA)
California’s CMIA predates HIPAA and in some areas is stricter. It covers a broader range of health data, applies to more types of organizations, and allows patients to sue for statutory damages of $1,000 per violation — plus actual damages and attorney’s fees.
Combined with the California Consumer Privacy Act (CCPA/CPRA), California practices face a three-layer compliance obligation: HIPAA + CMIA + CCPA. Class action firms in Los Angeles and San Francisco actively monitor healthcare websites for violations.
Texas: HB 300
Texas Health and Safety Code Chapter 181 adds state-level penalties for unauthorized disclosure of health information. Fines can reach $250,000 per violation for intentional or reckless breaches. The Texas Attorney General has independent enforcement authority and has been increasingly active against practices in Houston, Dallas, and across Texas.
New York: SHIELD Act
New York’s Stop Hacks and Improve Electronic Data Security Act requires businesses that handle private information of New York residents to implement “reasonable safeguards.” It applies extraterritorially — any practice with New York patients must comply, even if the practice is based in another state. SHIELD adds breach notification requirements on top of HIPAA and carries up to $250,000 in penalties per incident.
What this means for small practices
The enforcement trend is clear:
- OCR is actively looking for organizations that haven’t done risk analyses — not waiting for breaches.
- Fines scale down but don’t disappear for small organizations. A $90K–$350K fine that’s survivable for a hospital can destroy a small practice.
- State laws multiply your exposure. In Washington, a single violation can trigger both a federal HIPAA penalty and a patient lawsuit under MHMDA.
- Penalty caps increase automatically. Doing nothing this year is more expensive than doing nothing last year.
HIPAA compliance isn’t a one-time checklist. It’s an ongoing program. And the cost of doing nothing compounds every year.
How we help
We specialize in federal HIPAA + state-specific privacy laws — MHMDA (Washington), CMIA/CCPA (California), HB 300 (Texas), and the SHIELD Act (New York). Most web agencies stop at “HTTPS and a privacy policy.” We don’t.
We support small medical practices — dental, chiropractic, physical therapy, and general healthcare — in all four states above, plus practices that serve patients across multiple jurisdictions.
Our free initial audit identifies:
- Every third-party service on your website and whether you have a BAA with each
- Whether your site meets HIPAA Security Rule requirements
- State-specific compliance gaps (MHMDA, CMIA, HB 300, SHIELD — whichever apply to you)
- A prioritized remediation plan with specific steps and timeline
Most issues we find are fixable within 2–3 weeks. The risk analysis that OCR requires? We help you complete it — properly and thoroughly.
This material is for informational purposes only and does not constitute legal advice. Fine amounts and penalty tiers are based on publicly available HHS data and may change. For assessment of specific legal risks, consult an attorney specializing in healthcare compliance.