The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) continues HIPAA enforcement actions, with settlements and penalties now exceeding $8 million. This marks what appears to be the most active year for HIPAA enforcement in recent history, sending a clear message to healthcare providers and their business associates: compliance is not optional.
September 30, 2025, Cadia Healthcare Facilities agreed to a settlement, which included a $182,000 fine for violations of the HIPAA Privacy and Breach Notification Rules. The breach involved posting 150+ patient "success stories" (including names, photos, and medical details) on their website without proper authorization. In addition to the $182,000 fine, Cadia agreed to a two-year corrective action plan, which includes updating HIPAA policies, training staff (specifically marketing personnel), and notifying affected patients.
August 18, 2025, BST & Co. CPAs, LLP agreed to pay $175,000 and implement a comprehensive corrective action plan after failing to conduct an adequate security risk analysis. The firm experienced a ransomware attack in December 2019 that compromised the protected health information of approximately 170,000 individuals. This enforcement action represents OCR's 15th ransomware-related enforcement action and the 10th under its dedicated Risk Analysis Initiative. According to OCR Director Paula M. Stannard, "A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it."
The HIPAA security risk analysis is not optional—it is a fundamental requirement for both covered entities and business associates. This critical assessment must evaluate all systems, processes, and technologies that store, transmit, or access electronic protected health information (ePHI) to identify potential risks and vulnerabilities.
Organizations must conduct an accurate and thorough risk analysis that:
> Identifies all ePHI locations**: Document where protected health information is stored, transmitted, and accessed across the entire enterprise
> Assesses threats and vulnerabilities**: Evaluate potential risks to the confidentiality, integrity, and availability of ePHI
> Documents findings comprehensively**: Maintain detailed records of the analysis methodology and results
> Informs risk management**: Use findings to develop and implement appropriate security measures
> Updates regularly**: Conduct ongoing assessments as systems, threats, and business operations evolve
OCR's enforcement activity in 2025 has been unprecedented, with settlements ranging from $5,000 to $3 million. Notable actions include:
- Solara Medical Supplies**: $3 million settlement for phishing incident and improper breach notifications affecting 114,007 individuals
- Warby Parker**: $1.5 million civil monetary penalty for repeated credential stuffing attacks and failure to conduct adequate risk analysis
- BayCare Health System**: $800,000 settlement for inadequate access controls and failure to restrict terminated employee credentials
- PIH Health**: $600,000 settlement for delayed breach notification following a phishing attack
According to analysis of recent enforcement trends, OCR has made risk analyses a focal point of its enforcement initiatives in 2025, signaling to the industry that no organization is too large or too small to be held accountable for this basic requirement.
A critical takeaway from 2025's enforcement actions is that business associates face the same HIPAA obligations as covered entities when it comes to protecting PHI. The BST settlement reinforces this principle—providing services to healthcare organizations, whether billing, IT support, consulting, or any other function involving PHI access, triggers full HIPAA compliance obligations.
Business associates must:
- Conduct comprehensive security risk analyses
- Implement appropriate safeguards based on identified risks
- Develop and maintain HIPAA-compliant policies and procedures
- Provide regular workforce training
- Report breaches to covered entities within 60 days
Beyond the direct settlement amounts and civil monetary penalties, HIPAA violations carry significant additional costs:
> Legal defense expenses: Specialized privacy attorneys often charge $500+ per hour
> Breach notification costs: Notifying hundreds of thousands of individuals requires substantial resources
> Credit monitoring services: Often required for affected individuals for extended periods
> Forensic investigation: Determining breach scope and remediation needs
> System remediation: Upgrading security infrastructure and implementing new controls
> Reputational damage: Loss of patient trust and competitive disadvantage
> Operational disruption: Diversion of resources from core business operations
According to recent analysis, organizations that reach amicable settlements with OCR pay approximately 18% less on average than those who proceed to administrative adjudication resulting in civil monetary penalties. However, the average wait between OCR receiving a complaint and announcing a settlement is 57 months—nearly five years of uncertainty and ongoing investigation costs.
Several trends are shaping HIPAA enforcement:
Continued Focus on Cybersecurity: Ransomware attacks, phishing incidents, and credential stuffing continue to dominate breach reports. OCR is prioritizing enforcement actions that address preventable cybersecurity failures, particularly inadequate risk analyses and insufficient access controls.
Small and Medium Organizations in Focus: While large health systems attract headlines, many enforcement actions target small and medium-sized providers and business associates. OCR recognizes these organizations often face greater cybersecurity challenges due to limited IT resources and is holding them to the same compliance standards while also providing targeted educational resources.
Conclusion: Risk & Compliance as Strategic Imperative
The message from OCR's 19 enforcement actions in 2025 is unambiguous: comprehensive security risk analysis is the foundation of HIPAA compliance and cybersecurity preparedness. It's not just about avoiding penalties—it's about protecting patients, preserving trust, and ensuring organizational resilience in an increasingly hostile threat landscape.
Organizations that view HIPAA compliance as a checkbox exercise do so at their peril. Those that embrace risk analysis as an ongoing strategic process position themselves to prevent incidents, respond effectively when breaches occur, and demonstrate good faith efforts that can mitigate enforcement consequences.
Get HIPAA Compliance for Dental Practices
The question is no longer whether OCR will enforce HIPAA requirements aggressively—2025 has definitively answered that question. The relevant question is whether your organization is prepared to demonstrate compliance when OCR comes calling. Given average investigation timelines exceeding four years, that preparation must begin now.
**About HIPAA Security Rule Compliance**
The HIPAA Security Rule establishes national standards requiring administrative, physical, and technical safeguards to protect electronic protected health information. The risk analysis requirement at 45 C.F.R. § 164.308(a)(1)(ii)(A) is considered the foundation upon which all other security measures are built.
Get HIPAA Compliance for Dental Laboratories
For additional resources on conducting HIPAA-compliant risk analyses, visit the HHS Office for Civil Rights website at https://www.hhs.gov/hipaa or consult with qualified HIPAA compliance professionals and legal counsel.
Discover more about dental compliance.