HIPAA fines against business associates: the OCR enforcement record
Business associates are directly liable under HIPAA, and OCR fines them directly. Every verified OCR business associate settlement, from 2016 to 2026.
By CoreFolio
If you run a billing company, an IT managed-service provider, a transcription service, or any other business that handles patient data on behalf of a healthcare client, it is easy to assume HIPAA enforcement is your client's problem. Your client is the covered entity. They signed the business associate agreement (BAA). They are the one the Office for Civil Rights (OCR) would investigate.
That assumption is wrong, and the public enforcement record proves it.
Since the 2013 Omnibus Rule, business associates have been directly liable for compliance with the HIPAA Security Rule — and OCR has used that authority. It brought its first settlement directly against a business associate in 2016, and between January 2025 and April 2026 it settled with at least six more, most of them companies that never touched a patient in their lives. This article lays out every verified OCR business associate settlement, what each one was actually cited for, and what the pattern means for any organization that handles protected health information (PHI) on a client's behalf. Every figure cites the underlying U.S. Department of Health and Human Services (HHS) resolution agreement or press release so you can verify it yourself.
Why business associates are directly liable
Before 2013, HIPAA reached business associates only indirectly: a covered entity was contractually obligated to bind its vendors through a BAA, but OCR could not bring an enforcement action against the vendor itself.
The HITECH Act changed that. Codified at 42 U.S.C. § 17931, it extended the HIPAA Security Rule's administrative, physical, and technical safeguard requirements directly to business associates.[1] The 2013 Omnibus Rule implemented the change, stating plainly that business associates are directly liable for Security Rule compliance.[2] Since then, the core risk-analysis obligation at 45 CFR § 164.308(a)(1)(ii)(A) — the requirement to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information" — applies to a business associate exactly as it applies to the covered entity.[3] A signed BAA documents the relationship; it does not transfer the obligation.
The first business associate settlement: CHCS, 2016
OCR's first-ever settlement directly with a business associate came on June 24, 2016, with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS).[4] CHCS provided management and information technology services as a business associate to six skilled nursing facilities. An employee's CHCS-issued iPhone — unencrypted and not password protected — was stolen, exposing the PHI of 412 nursing home residents, including Social Security numbers, diagnoses, and treatment information.
OCR's investigation found CHCS had no risk analysis and no risk management plan at all. CHCS paid $650,000 and accepted a two-year corrective action plan. The OCR director's statement at the time was unambiguous: "Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan."
That case set the template. Nearly a decade later, OCR is now running that play at volume.
The 2024–2026 wave: business associates under the Risk Analysis Initiative
In late 2024, OCR launched its Risk Analysis Initiative — a focused enforcement effort targeting the single most frequently cited HIPAA failure: the missing or inadequate risk analysis. The Initiative reaches covered entities and business associates alike, and a striking share of the settlements have been with business associates.
Here is every verified business associate settlement under the recent enforcement wave, drawn from the published HHS resolution agreements and press releases.
| Business associate | What they do | Date | Settlement | Individuals affected | Cited issue |
|---|---|---|---|---|---|
| Elgon, Inc. (MA) | EHR and billing support | Jan 7, 2025 | $80,000 | 31,248 | No accurate, thorough risk analysis [5] |
| Virtual Private Network Solutions (VA) | Data hosting and cloud services | Jan 7, 2025 | $90,000 | 6,400 (across 12 clients) | No comprehensive risk analysis [6] |
| Health Fitness Corporation (IL) | Wellness plan administration | Mar 21, 2025 | $227,816 | ~4,304 | No risk analysis until January 2024 [7] |
| Comstar, LLC (MA) | Ambulance billing and collection | May 30, 2025 | $75,000 | 585,621 (70+ clients) | No accurate, thorough risk analysis [8] |
| BST & Co. CPAs, LLP (NY) | Accounting and advisory | Aug 18, 2025 | $175,000 | ~170,000 | No accurate, thorough risk analysis [9] |
| Consociate Health (IL) | Third-party plan administration | Apr 23, 2026 | $225,000 | 136,539 | No HIPAA-compliant risk analysis [10] |
Six settlements in roughly sixteen months, totaling $872,816 in resolution payments, every one of them carrying a corrective action plan with one to three years of OCR monitoring on top of the dollar figure.
What the pattern shows
Read across these settlements and three things stand out for any business associate.
They never treated a patient. BST & Co. is an accounting and advisory firm. Health Fitness administers wellness plans. Consociate Health is a third-party plan administrator. None of them is a hospital, a clinic, or a physician. OCR cited each one directly under the same Security Rule provision it applies to providers. The "we're not really a healthcare company" framing is not a defense — if you handle ePHI on a covered entity's behalf, you are a business associate, and the risk-analysis obligation is yours.
One incident can expose every client at once. When VPN Solutions was hit with ransomware, the ePHI of 12 covered entity clients was encrypted in a single attack. Comstar was a business associate to more than 70 covered entities when its servers were encrypted, exposing 585,621 individuals. A business associate's security failure is not contained to one relationship — it detonates across the entire client book simultaneously, and the business associate carries the direct OCR liability for all of it.
The breach is the trigger, but the risk analysis is the charge. In every 2025–2026 business associate settlement, ransomware or a data exposure is what brought OCR to the door. But the cited violation in each case was the failure to conduct an accurate and thorough risk analysis under § 164.308(a)(1)(ii)(A). OCR did not fine these companies for getting attacked. It fined them for being unable to produce the foundational document that should have existed before the attack. The Health Fitness case is especially pointed: OCR found the company had not conducted a compliant risk analysis until January 19, 2024 — years after it had already filed breach reports.
What this means for your organization
The enforcement record makes the exposure concrete, but it does not make the remedy complicated to describe. A business associate that wants a defensible position needs the same two linked artifacts OCR looks for in every investigation:
- A risk analysis under § 164.308(a)(1)(ii)(A) — an accurate, thorough, dated assessment of the risks and vulnerabilities to the ePHI across every system your organization uses to create, receive, maintain, or transmit it.
- A risk management plan under § 164.308(a)(1)(ii)(B) — the documented response that takes each identified risk and maps it to a remediation step, a responsible person, and a timeline.[11]
Neither is satisfied by your BAA, by your covered entity client's risk analysis, or by a security tool your IT vendor runs. The obligation is scoped to your environment, and OCR reads these documents looking for whether they reflect the systems you actually operate.
The work is clear, but it is specific and citation-heavy, and it is exactly the work the Risk Analysis Initiative is now enforcing against organizations like yours. CoreFolio HIPAA is building a guided path to produce both linked artifacts — a risk analysis and a matching risk management plan — scoped to a business associate's environment and the covered entity relationships it maintains.
This article is educational and is not legal advice. For a specific situation — a post-incident review, an active OCR investigation, or a complex environment — consult a qualified HIPAA attorney or a compliance consultant.
Sources
Footnotes
1. HITECH Act, 42 U.S.C. § 17931, applying the HIPAA Security Rule administrative, physical, and technical safeguard requirements (45 CFR §§ 164.308, 164.310, 164.312, and 164.316) directly to business associates. Text at https://www.govinfo.gov/app/details/USCODE-2010-title42/USCODE-2010-title42-chap156-subchapIII-partA-sec17931.
2. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act ("Omnibus Rule"), 78 Fed. Reg. 5566 (Jan. 25, 2013). Established direct liability of business associates for HIPAA Security Rule compliance.
3. 45 CFR § 164.308(a)(1)(ii)(A), the risk analysis specification, which applies to covered entities and business associates alike. Current text at the Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308.
4. U.S. Department of Health and Human Services, Office for Civil Rights, Business Associate's Failure to Safeguard Nursing Home Residents' PHI Leads to $650,000 HIPAA Settlement (June 2016). Resolution agreement and details at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html. First OCR settlement brought directly against a business associate; 412 individuals affected; two-year corrective action plan.
5. U.S. Department of Health and Human Services, Office for Civil Rights, Elgon, Inc. Resolution Agreement and Corrective Action Plan (announced Jan. 7, 2025). https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elgon-inc-ra-cap/index.html. Ransomware accessed Elgon's server through open firewall ports on March 25, 2023; 31,248 individuals affected; $80,000 resolution payment; three-year corrective action plan. Second enforcement action under the Risk Analysis Initiative.
6. U.S. Department of Health and Human Services, Office for Civil Rights, settlement with Virtual Private Network Solutions, LLC (announced Jan. 7, 2025). Resolution agreements index: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/. October 2021 ransomware incident; VPN Solutions reported to OCR in December 2021 that the breach affected 6,400 individuals across 12 covered entity clients; $90,000 resolution payment; one-year corrective action plan. Third enforcement action under the Risk Analysis Initiative.
7. U.S. Department of Health and Human Services, Office for Civil Rights, OCR Settles HIPAA Security Rule Investigation with Health Fitness Corporation (March 21, 2025). https://www.hhs.gov/press-room/ocr-settles-hipaa-security-rule-investigation-health-fitness-corporation.html. Software misconfiguration exposed ePHI to web crawlers beginning approximately August 2015, discovered June 27, 2018; four breach reports filed October 2018–January 2019; approximately 4,304 individuals affected; OCR found no accurate, thorough risk analysis until January 19, 2024; $227,816 resolution payment; two-year corrective action plan. Fifth enforcement action under the Risk Analysis Initiative.
8. U.S. Department of Health and Human Services, Office for Civil Rights, HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Comstar, LLC (May 30, 2025). https://www.hhs.gov/press-room/hhs-hipaa-comstar-agreement.html. Unauthorized access to Comstar's servers on March 19, 2022, detected March 26, 2022; ePHI of 585,621 individuals affected; Comstar was a business associate to more than 70 covered entities at the time; $75,000 resolution payment; two-year corrective action plan. Ninth enforcement action under the Risk Analysis Initiative and 13th ransomware-related enforcement action.
9. U.S. Department of Health and Human Services, Office for Civil Rights, HHS' Office for Civil Rights Settles HIPAA Ransomware Security Rule Investigation with BST & Co. CPAs, LLP (August 18, 2025). https://www.hhs.gov/press-room/hhs-ocr-bst-hipaa-settlement.html. Ransomware discovered December 7, 2019; breach reported February 16, 2020; PHI of approximately 170,000 individuals (patients of a covered entity client) potentially affected; $175,000 resolution payment; two-year corrective action plan. Tenth enforcement action under the Risk Analysis Initiative and 15th ransomware-related enforcement action.
10. U.S. Department of Health and Human Services, Office for Civil Rights, HHS' Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations (April 23, 2026). https://www.hhs.gov/press-room/ocr-settles-four-ransomware-investigations.html. Consociate Health, a third-party plan administrator, settled for $225,000 after a ransomware attack affected 136,539 individuals; two-year corrective action plan. One of four settlements announced together that day totaling $1,165,000.
11. 45 CFR § 164.308(a)(1)(ii)(B), the risk management specification, which immediately follows the risk analysis paragraph in the same eCFR section. OCR's corrective action plans in the settlements cited here require both a risk analysis and a risk management plan.