News & Analysis as of August 11, 2025

Department of Health and Human Services (HHS)

+ Follow

Business Associates can refer broadly to individuals engaged in business relationships with one another. However, in the HIPAA context, the term has a specific statutory meaning and those characterized as business associates have expanded data protection obligations and duties. Essentially, a business associate under HIPAA is a person or entity that performs certain functions or services which necessitates exposure to protected health information on behalf of a covered entity. Typical business associate functions include: claims processing or administration, data analysis, billing, etc. less -

2025 Enforcement Trends: Risk Analysis Failures at the Center of HHS’s Multimillion-Dollar HIPAA Penalties

Ogletree, Deakins, Nash, Smoak & Stewart,... on 5/21/2025

In the first five months of 2025, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced it had entered into ten Health Insurance Portability and Accountability Act (HIPAA) resolution...more

Former OCR Director Fontes Rainer Reflects On ‘Imperfect’ RSP Law, Urges Final Security Reg

Health Care Compliance Association (HCCA) on 5/12/2025

In October, the HHS Office for Civil Rights (OCR) fined Providence Medical Institute (PMI) $240,000, an amount that reflected a 20% discount for having “recognized security practices” (RSPs) in place. But many more covered...more

Health Fitness, OCR’s Risk Analysis Initiative, and the ERISA Fiduciary Duty to Select Plan Service Providers

Jackson Lewis P.C. on 3/24/2025

On Friday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced the fifth enforcement action under its Risk Analysis Initiative. In this case, OCR reached a settlement with Health...more

HIPAA Tidings: A Look at OCR's Recent Enforcement Actions

Holland & Knight LLP on 12/4/2024

In addition to holiday celebrations, the month of December typically ushers in a final round of enforcement actions by the U.S. Department of Health and Human Services' (HHS) Office of Civil Rights (OCR), and 2024 is no...more

DSIR Deeper Dive: Tracking the Crackdown on Tracking/Pixel Technologies: Web Litigation and Regulatory Landscape - Part 2

BakerHostetler on 11/19/2024

In the first part of this blog post, we looked into the OCR and FTC’s focus on third-party tracking technologies. We also reviewed the AHA Lawsuit and its impact for the use of tracking technologies. In this blog post, we...more

Recognized Security Practices ‘Saved’ Covered Entity $60K of $300K Fine, But Which Ones Remain a Mystery

Health Care Compliance Association (HCCA) on 11/14/2024

Covered entities (CEs) and business associates (BAs) may receive a “discount” for having recognized security practices (RSPs) in place when the HHS Office for Civil Rights (OCR) calculates financial penalties for Security...more

HHS OCR Provides Annual Report to Congress Detailing 2022 Enforcement Activities

BakerHostetler on 3/19/2024

On Feb. 16, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published its 2022 Annual Report to Congress. ...more

HHS OCR Announces Largest Civil Monetary Penalty Imposed Since 2021 for Snooping Incident

BakerHostetler on 2/13/2024

Nearly two months after settlement was reached, the Department of Health and Human Services Office for Civil Rights (HHS OCR) announced on Feb. 6 that it obtained a resolution agreement with Montefiore Medical Center over...more

HHS Issue Six Figure Penalty for Ransomware Attack

Bricker Graydon LLP on 1/5/2024

Late last year, the Department of Health and Human Services (HHS) issued its first HIPAA settlement agreement involving a ransomware attack. In the press release announcing the settlement, HHS stated that they began...more

Business Associate Victim of Ransomware Attack Pays $100,000 to HHS OCR

Brooks Pierce on 12/6/2023

Is your organization a business associate? You could be subject to enforcement action if you fail to protect health information within your control from ransomware attacks. In October, for the first time, the U.S....more

[Event] 2023 Healthcare Enforcement Compliance Conference - November 5th - 7th, Washington, DC

Health Care Compliance Association (HCCA) on 8/8/2023

Hear directly from the enforcement community - Want to gain insight into properly monitoring, detecting, investigating, and managing violations? Join us at HCCA’s Annual Healthcare Enforcement Compliance Conference to...more

HHS OCR Settles HIPAA Investigation with Business Associate for $350,000

Dorsey & Whitney LLP on 5/22/2023

Over the past decade, the number of health care data breaches reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) has increased dramatically. From 2009 to 2022, over 5,000 data...more

[Event] Regional Healthcare Compliance Conference - January 27th, Lake Buena Vista, FL

Health Care Compliance Association (HCCA) on 1/18/2023

Looking for compliance education and networking in your area? HCCA’s Regional Healthcare Compliance Conferences offer practitioners convenient, local compliance education, including updates on the latest news in regulatory...more

OCR: Current Fines Too Low to Spur Compliance; Agency Also Seeks Funding Boost, Injunctive Relief

Health Care Compliance Association (HCCA) on 5/6/2022

Report on Patient Privacy 22, no. 5 (May, 2022) - Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and...more

Has the Bear Awakened From Its Hibernation? OCR Announces Four HIPAA Enforcement Actions

Williams Mullen on 4/20/2022

On March 28, 2022, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) reported four new Health Insurance Portability and Accountability Act (HIPAA) enforcement actions. After a multi-month hiatus...more

OCR Investigator: Goal Is to Uncover ‘Root Cause,’ Remedy Harm From Violations

Health Care Compliance Association (HCCA) on 5/7/2021

Report on Patient Privacy 21, no. 5 (May 2021) - Given the hundreds of thousands of HIPAA covered entities (CEs) and business associates (BAs) and the two dozen or so enforcement actions the HHS Office for Civil Rights...more

K&L Gates Triage: HIPAA: Do Hospitals Need a Business Associate Agreement with their Health System Parent Corporation?

K&L Gates LLP on 8/20/2020

In this week’s episode, Rebecca Schaefer and Hannah Maroney discuss a string of recent HIPAA enforcement actions which demonstrate that the HHS Office of Civil Rights (OCR), the agency tasked with enforcing HIPAA, is...more

HHS OCR to Exercise Enforcement Discretion to Allow Business Associates to Share PHI for Public Health and Health Oversight...

Akin Gump Strauss Hauer & Feld LLP on 4/13/2020

On April 2, 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that the agency will exercise enforcement discretion with respect to certain uses and disclosures of protected...more

HIPAA Update - OCR Enforcement Discretion to Allow Business Associates to Disclose PHI for Public Health Activities and Health...

Seyfarth Shaw LLP on 4/3/2020

On Thursday, April 2, 2020, the Office for Civil Rights (“OCR”) issued a Notification of Enforcement Discretion under the Health Insurance Portability and Accountability Act (“HIPAA”)....more

43 Results

View per page

Page: of 2

Business Associates › Enforcement Actions › Department of Health and Human Services (HHS)

2025 Enforcement Trends: Risk Analysis Failures at the Center of HHS’s Multimillion-Dollar HIPAA Penalties

Former OCR Director Fontes Rainer Reflects On ‘Imperfect’ RSP Law, Urges Final Security Reg

Health Fitness, OCR’s Risk Analysis Initiative, and the ERISA Fiduciary Duty to Select Plan Service Providers

HIPAA Tidings: A Look at OCR's Recent Enforcement Actions

DSIR Deeper Dive: Tracking the Crackdown on Tracking/Pixel Technologies: Web Litigation and Regulatory Landscape - Part 2

Recognized Security Practices ‘Saved’ Covered Entity $60K of $300K Fine, But Which Ones Remain a Mystery

HHS OCR Provides Annual Report to Congress Detailing 2022 Enforcement Activities

HHS OCR Announces Largest Civil Monetary Penalty Imposed Since 2021 for Snooping Incident

HHS Issue Six Figure Penalty for Ransomware Attack

Business Associate Victim of Ransomware Attack Pays $100,000 to HHS OCR

[Event] 2023 Healthcare Enforcement Compliance Conference - November 5th - 7th, Washington, DC

HHS OCR Settles HIPAA Investigation with Business Associate for $350,000

[Event] Regional Healthcare Compliance Conference - January 27th, Lake Buena Vista, FL

OCR: Current Fines Too Low to Spur Compliance; Agency Also Seeks Funding Boost, Injunctive Relief

Has the Bear Awakened From Its Hibernation? OCR Announces Four HIPAA Enforcement Actions

OCR Investigator: Goal Is to Uncover ‘Root Cause,’ Remedy Harm From Violations

K&L Gates Triage: HIPAA: Do Hospitals Need a Business Associate Agreement with their Health System Parent Corporation?

HHS OCR to Exercise Enforcement Discretion to Allow Business Associates to Share PHI for Public Health and Health Oversight...

HIPAA Update - OCR Enforcement Discretion to Allow Business Associates to Disclose PHI for Public Health Activities and Health...

Payment Dispute Triggered First 2020 OCR Settlement

A Reminder That Covered Entities Of All Sizes Need To Comply With HIPAA Security Rule

Under New Settlement, Ambulance Co. Pays OCR $65K, Must Quickly Encrypt Computers

'Misinterpretation' of Breach Rule, Lack of Internal BAA Cost Hospital Group $2.1M

Encrypt Your Devices or Face HIPAA Penalties

A HIPAA Compliance Program “In Disarray” Leads to OCR Imposing a $2.15 Million Civil Monetary Penalty

Business Associates › Enforcement Actions › Department of Health and Human Services (HHS)

"My best business intelligence, in one easy email…"