
I’m sharing this because recent OCR enforcement actions from January 2025 through March 2026 paint a stark picture of persistent, repeatable compliance failures across the HIPAA Security, Privacy, and Breach Notification Rules.
Across multiple press releases, resolution agreements, and corrective action plans, three failure patterns keep cropping up: incomplete or absent HIPAA risk analyses, breakdowns in breach‑notification timeliness, and weak written governance (policies, audit controls, workforce and vendor oversight).
1) Incomplete or absent HIPAA risk analyses — a foundational breakdown
OCR consistently cites covered entities’ and business associates’ failures to “conduct an accurate and thorough risk analysis” under the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)). In MMG Fusion, LLC, OCR found that the business associate had failed to conduct such an analysis as part of its investigation into a breach and required a three‑year corrective action plan to address both risk analysis and risk management. Similarly, OCR’s enforcement with Top of the World Ranch Treatment Center emphasized that the entity did not adequately assess risks after a phishing attack compromised ePHI, spotlighting how fundamental risk assessments are tied to identifying and reducing vulnerabilities.
2) Breach‑notification timeliness failures — OCR enforcing 60‑day deadlines
OCR’s Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay, typically within 60 calendar days of breach discovery, and requires business associates to notify the covered entity promptly so that it can meet its own deadlines. In the MMG Fusion settlement, OCR explicitly noted that business associates must notify covered entities promptly after discovering a breach to allow covered entities to satisfy their own obligations. In the Syracuse ASC case, OCR found the ambulatory surgery center failed to issue timely notifications to affected individuals and the Secretary after a ransomware attack, a violation of the Breach Notification Rule that led to a $250,000 resolution and a corrective action plan requiring revised breach procedures and policies.
3) Weak written governance, audit controls, and workforce/vendor oversight
OCR’s corrective action plans often mandate substantial governance improvements: written policies and procedures tailored to HIPAA requirements, audit controls to monitor system activity, and workforce training bolstered with documented evidence of compliance. For example, MMG Fusion’s CAP included specific steps to implement audit controls, authenticate user access, encrypt ePHI appropriately, and integrate lessons learned into security management processes. In Cadia Healthcare Facilities, OCR found multiple impermissible disclosures of PHI on public‑facing social media and demanded updated policies, workforce training (especially for marketing staff), and formal breach notifications to affected individuals.
In these actions, OCR weaves statutory obligations into enforcement:
• Risk analysis & management: Entities are repeatedly required to perform thorough, organization‑specific risk assessments and then address the identified vulnerabilities through risk management plans.
• Breach notification: Obligations under 45 C.F.R. §§ 164.404 and 164.408 are enforced when entities fail to notify affected individuals, the Secretary, or internal stakeholders within the required timeframe.
• Governance & audit: Policies, audit controls, workforce training, and oversight of business associates are not peripheral but central to OCR’s CAP obligations.
In short, OCR’s recent enforcement landscape signals that entities of all sizes must have not only baseline compliance documentation but an active, ongoing program that integrates thorough risk analysis, breach response readiness, and robust written governance embedded into operations.