Recent OCR Settlements: What HHS Actually Penalizes (2025)
8 min read · Last reviewed May 23, 2026
OCR settlement patterns in 2024-2025 show three dominant deficiencies: missing or inadequate Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A)(1)(ii)(A)), late or absent breach notification under 45 CFR §§ 164.404–164.408, and patient access denials under 45 CFR § 164.524. Recent Resolution Agreements range from $15,000 small-practice access cases to multi-million-dollar ransomware settlements.
The Risk Analysis Initiative
In October 2024, OCR announced the Risk Analysis Initiative, prioritizing investigations against entities lacking an accurate and thorough Security Risk Analysis. The Security Rule has required a risk analysis since the rule's 2003 effective date, and OCR has identified its absence as the single most-cited deficiency in resolution agreements for over a decade.
The Initiative has produced a string of published settlements. Published 2024-2025 Risk Analysis Initiative resolutions on the OCR Enforcement Highlights page include settlements ranging from approximately $150,000 to over $1.5 million, paired with three-year corrective action plans that require:
- A current, written risk analysis per 45 CFR § 164.308(a)(1)(ii)(A)(1)(ii)(A))
- A risk management plan per 45 CFR § 164.308(a)(1)(ii)(B)(1)(ii)(B))
- Updated policies and procedures
- Workforce training per 45 CFR § 164.308(a)(5)(5))
- Quarterly status reports to OCR
- Final implementation report at the end of the CAP period
The practical pattern: a breach is reported, OCR opens an investigation under 45 CFR § 160.306, the investigation surfaces the absence of a risk analysis, the settlement names the missing risk analysis as a primary finding. The breach is the surface; the missing risk analysis is the depth charge.
The Right of Access Initiative
OCR's Right of Access Initiative, ongoing since 2019, has produced more than 50 published settlements through 2025. The full list of Right of Access Initiative resolutions sits on the OCR Enforcement Highlights page. Most settlements are $15,000-$80,000 with two-year corrective action plans.
The pattern under 45 CFR § 164.524 is consistent: a patient or personal representative requests a copy of records, the practice does not provide them within 30 calendar days (or fails to invoke the one-time 30-day extension properly), the patient files an OCR complaint, OCR investigates, the practice settles.
What the published settlements specifically penalize:
- Failure to provide records within 30 days under 45 CFR § 164.524(b)(2)(2))
- Failure to provide records in the form and format requested when readily producible under 45 CFR § 164.524(c)(2)(2))
- Charging more than the Limited Fees permitted under the access guidance
- Failure to provide records to personal representatives properly designated
- Failure to act on a patient's request to direct records to a third party under 45 CFR § 164.524(c)(3)(3))
This is the highest-volume OCR enforcement pattern. A small-practice front desk that does not produce records inside 30 days is the most likely complaint path.
Ransomware and the breach-notification chain
Ransomware settlements show the compound-failure pattern. The HHS ransomware fact sheet treats the presence of ransomware on a system containing ePHI as a presumptive breach unless the four-factor analysis at 45 CFR § 164.402 rebuts the presumption.
Recent multi-million-dollar ransomware settlements show a recurring sequence:
- A ransomware event encrypts ePHI
- The covered entity either underreports affected individuals or delays the breach notification beyond 45 CFR § 164.404(b))'s 60-day clock
- OCR opens an investigation following the HHS Portal submission
- The investigation finds (a) no current risk analysis, (b) no contingency plan exercised under 45 CFR § 164.308(a)(7)(7)), (c) inadequate audit controls under 45 CFR § 164.312(b)), (d) inadequate access controls under 45 CFR § 164.312(a)), and (e) late notification
The settlement penalizes the compound failure, not just the ransomware. The corrective action plans run three years and require external assessor verification at multiple checkpoints.
What recent corrective action plans actually require
A read of any recent OCR CAP on the Enforcement Highlights page shows a common skeleton:
- Submit a current risk analysis within 90-120 days of the resolution agreement
- Submit a risk management plan addressing every identified risk
- Update and submit policies and procedures across the Security Rule and Privacy Rule
- Retrain the workforce within a defined timeline and submit training records
- Submit annual or quarterly status reports for the CAP period
- Engage an independent assessor for some matters
- Submit a final implementation report at CAP end
Compliance with the CAP is monitored by OCR. Failure to comply with the CAP can produce a further finding under 45 CFR § 160.408 and additional civil monetary penalties.
The civil monetary penalty matrix
Statutory tiers under 45 CFR § 160.404, as adjusted by the annual civil penalty inflation adjustment, set the maximum civil monetary penalty per violation by culpability tier:
- No knowledge — lowest tier
- Reasonable cause — middle tier
- Willful neglect, corrected within 30 days — higher tier
- Willful neglect, not timely corrected — highest tier
Tiers apply per violation, with annual caps per identical violation. OCR's settlement amounts are generally well below the statutory maximums; the maximums are anchor points in negotiation.
What OCR cites most often in resolution agreements
Across recent published resolution agreements, the deficiencies that recur:
- Absent or stale Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A)(1)(ii)(A))
- Absent or inadequate risk management process under 45 CFR § 164.308(a)(1)(ii)(B)(1)(ii)(B))
- No information system activity review under 45 CFR § 164.308(a)(1)(ii)(D)(1)(ii)(D))
- No contingency plan exercised under 45 CFR § 164.308(a)(7)(7))
- Encryption decision not documented under 45 CFR § 164.312(a)(2)(iv)(2)(iv))
- No or inadequate audit controls under 45 CFR § 164.312(b))
- Missing or stale BAAs with vendors handling ePHI under 45 CFR § 164.502(e))
- Late or absent breach notification under 45 CFR §§ 164.404–164.408
- Right of access denials under 45 CFR § 164.524
- Inadequate workforce training under 45 CFR § 164.308(a)(5)(5))
A practice that addresses these ten controls — with documented evidence — is positioned to navigate an OCR inquiry on far better terms than one that does not.
State AG parallel enforcement
Under the HITECH Act state enforcement authority at 42 USC § 1320d-5(d) (added by HITECH § 13410(e)), state attorneys general can bring HIPAA civil actions on behalf of state residents. State AGs have brought enforcement actions in parallel with OCR.
State-specific overlays that often pair with HIPAA enforcement:
- California — CMIA (Civil Code §§ 56–56.37) and the California AG's consumer protection authority
- New York — SHIELD Act (General Business Law § 899-aa, § 899-bb) and the AG's data-security authority
- Texas — HB 300 (Health and Safety Code Chapter 181) and Texas AG enforcement under Business and Commerce Code Chapter 521
- Massachusetts — 201 CMR 17.00 and Mass. AG enforcement under M.G.L. c. 93A and c. 93H
State AG parallel cases can run alongside OCR investigations or follow them. The cumulative settlement exposure is the sum of federal and state.
How to learn from the published record
OCR posts every resolution agreement at HHS HIPAA Enforcement Highlights. Read recent settlements in the practice's specialty. The pattern of cited deficiencies is the practical roadmap for what to put in place before an incident — and what to fix immediately after one.
The HHS Breach Portal shows every 500+ breach report. Reading the entries for the practice's geography and specialty is a calibration exercise on what threats are actually hitting peers.
How d3rx fits
d3rx maintains the program elements OCR cites most often inside the compliance binder: risk analysis workflow, risk management tracker, BAA log, training log, breach incident workflow, right-of-access tracker, and policies and procedures. The binder is a source-grounded administrative aid. It does not represent the practice in any OCR investigation, does not provide legal advice, and does not replace counsel. See audit defense for broader response support and the compliance binder overview for binder structure.
D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Recent OCR Settlements: What HHS Actually Penalizes (2025). We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
How much do recent OCR settlements actually cost?
Right of Access settlements typically run $15,000 to $240,000 with two-year corrective action plans. Risk Analysis Initiative settlements published in 2024-2025 have ranged from approximately $150,000 to over $1.5 million, with three-year corrective action plans. Ransomware-related settlements have run into the multi-million-dollar range when paired with breach notification failures. The penalty matrix at 45 CFR § 160.404 sets the statutory tiers; OCR's published Resolution Agreements show where the agency actually lands.
Why has the Risk Analysis Initiative driven so many settlements?
OCR announced the Risk Analysis Initiative in October 2024 as an enforcement priority focused on the most fundamental Security Rule failure: the absence of an accurate and thorough risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). OCR has repeatedly identified this as the most-cited deficiency in resolution agreements going back over a decade. The Initiative formalizes prioritizing investigations against entities that lack one.
What triggers an OCR investigation versus a complaint dismissal?
Under 45 CFR § 160.306, OCR reviews every complaint for jurisdiction and merit, and opens investigations on those alleging a Privacy, Security, or Breach Notification Rule violation. Complaints that allege patient access denials, ransomware events, large breaches reported on the HHS Portal, and complaints from former employees alleging systemic failures tend to drive investigations. Many complaints close with technical assistance; the ones that survive triage produce the published settlements.
Does a small practice get treated the same as a hospital?
The same statutory penalty tiers at 45 CFR § 160.404 apply, but settlement amounts reflect ability to pay and the scope of affected individuals. Right of Access settlements at $15,000-$80,000 most commonly target small practices. The corrective action plans are also tailored — small-practice CAPs typically require a current risk analysis, updated policies, training, and quarterly status reports for two to three years. The CAP burden is often the larger long-term cost.
What if OCR closes my investigation with no penalty?
Many investigations close with no formal action under 45 CFR § 160.312, sometimes accompanied by technical assistance. Document the closure letter and retain it for at least six years. Update the risk analysis and remediation tracker with the lessons learned. Closure is not certification — a future incident is evaluated against the practice's continued program, not against the prior closure.
How long does an OCR matter take from complaint to resolution?
OCR investigations commonly run 12 to 36 months from complaint receipt to closure or resolution agreement. Larger matters and those with parallel state AG involvement run longer. The corrective action plan period typically extends another two to three years after the resolution agreement. The practical implication: a matter opened by a single complaint can occupy the practice for five-plus years.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
- 45 CFR §§ 164.404–164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
- 45 CFR § 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- Risk Analysis Initiativehttps://www.hhs.gov/about/news/2024/10/31/hhs-office-civil-rights-settles-hipaa-security-rule-investigation-plastic-surgery-associates-south-florida.html
- OCR Enforcement Highlights pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- 45 CFR § 160.306https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.306
- 45 CFR § 164.524(b)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524#p-164.524(b
- 45 CFR § 164.524(c)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524#p-164.524(c
- Limited Feeshttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
- HHS ransomware fact sheethttps://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
- 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
- 45 CFR § 164.404(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404#p-164.404(b
- 45 CFR § 164.312(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(b
- 45 CFR § 164.312(a)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(a
- 45 CFR § 160.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.408
- 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
- civil penalty inflation adjustmenthttps://www.federalregister.gov/documents/2024/01/11/2024-00404/annual-civil-monetary-penalties-inflation-adjustment
- 45 CFR § 164.502(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502#p-164.502(e
- Breach Portalhttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- ComplianceHIPAA Breach Notification: The 60-Day Window Step-by-StepFrom discovery you have 60 calendar days to notify individuals, HHS, and possibly media. Here is the procedure that actually protects the practice.
- ComplianceAdditional Documentation Request (ADR): How to Respond Inside the WindowMedicare ADR response windows are contractor-specific (45 days for MAC/SMRC/RAC, 30 days for UPIC). Miss the window and the claim auto-denies. Here is the procedure that actually works.
- ComplianceThe Medicare 60-Day Overpayment Rule: How to Comply (and What Triggers Worse)The 60-day clock starts at identification. Miss it, and the overpayment becomes a False Claims Act violation. Here is the actual procedure.
- ComplianceUPIC Audit Response: What to Do First (and What Not to Touch)A UPIC letter signals suspected fraud, not a routine review. Engage counsel before responding. Here is the procedure that preserves the practice.
- ComplianceBreach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402After a possible PHI incident, the four-factor breach risk assessment at 45 CFR 164.402 determines whether you notify. Do it in writing, do it on the record.
- GlossaryHIPAA Breach Notification RuleThe federal rule at 45 CFR Part 164 Subpart D requiring covered entities and business associates to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.