HIPAA fines against business associates: the OCR enforcement record
Business associates are directly liable under HIPAA, and OCR fines them directly. Every verified OCR business associate settlement, from 2016 to 2026.
10-minute read
CoreFolio Learn
What OCR is actually investigating right now, and how small practices end up on the wrong end of a settlement.
The 2026 HIPAA penalty tiers from the Federal Register, plus the documented evidence that security practices can mitigate what OCR imposes.
8-minute read
OCR investigations open with a document request. Practices that respond quickly and completely with organized records fare substantially better than those that scramble. Here is what OCR asks for and how to have it ready.
8-minute read
OCR investigates covered entities through three channels: patient complaints, breach reports, and proactive enforcement initiatives. Here is how each channel works, what OCR does next, and how to reduce your practice's risk profile.
7-minute read
When OCR investigates a small practice — after a breach report, a ransomware attack, a vendor incident, or a patient complaint — the first thing they ask for is the risk analysis. Here is what changed in late 2024, what the rule actually requires, and what a defensible answer looks like.
17-minute read
HHS's Office for Civil Rights has now settled with dozens of practices for risk analysis failures. The pattern in their investigation letters and resolution agreements tells you exactly what they are looking for.
5-minute read
More than 100 OCR resolution agreements follow the same pattern. Here are the six violations investigators find most often — and what each means for your practice.
5-minute read