Why Independent Medical Practices Pay the Most in HIPAA Fines — And What to Do About It
Small medical practices account for 55% of OCR financial penalties. Five violations drive most of the exposure — with enforcement cases, dollar amounts, and exactly what to do if your practice has any of them right now.

In 2022, small medical and dental practices accounted for 55% of OCR financial penalties. Not hospitals. Not health systems. Not large group practices with dozens of providers. Independent practices — the solo physicians, the small specialty clinics, the family medicine offices — bear the majority of HIPAA enforcement cost.
This is not because independent practices are more negligent than larger organizations. It is because OCR enforcement has shifted focus toward smaller covered entities, because the compliance infrastructure gap at independent practices makes violations more likely, and because certain violations are structurally more common in small practice environments.
Understanding which violations drive the most enforcement — and why they disproportionately affect independent practices — is the first step to not being part of that 55%.
Why Small Practices Account for the Majority of Penalties
The enforcement pattern reflects three structural realities of independent practice:
No dedicated compliance function. Large health systems have compliance officers, legal teams, and IT security departments. Independent practices have the physician, the office manager, and whoever answers the phone. The compliance work competes with clinical work and administrative work for the same limited time and attention.
Prior OCR contact elevates violations. OCR's complaint-resolution process generates technical assistance letters to covered entities — essentially notices that a compliance issue was identified. A practice that receives a technical assistance letter and does not address the identified gap has now demonstrated knowledge of the violation. In subsequent enforcement actions, this moves the violation from Tier 1 (unknowing) to Tier 2 (reasonable cause) or higher, substantially increasing the penalty range.
EHR ownership creates false confidence. Many independent practices believe that having an EHR subscription satisfies their HIPAA obligations. When a breach or complaint triggers an investigation, the gap between "we have an EHR" and "we have a compliant ePHI management program" becomes the basis for enforcement action.
Violation 1: Inadequate Security Risk Analysis
Citation: §164.308(a)(1)(ii)(A)
This is the most frequently cited deficiency in OCR enforcement actions. Across the Risk Analysis Initiative cases — OCR's dedicated enforcement program for SRA failures — independent medical practices are disproportionately represented.
The independent practice pattern:
Scenario A: The practice has never conducted a formal SRA. The physician is aware HIPAA requires something around "risk assessment" but has deferred it because it seems complex and time-consuming. When OCR investigates, there is no documentation to produce.
Scenario B: The practice completed the HHS free SRA tool several years ago, generated a report, and filed it. The practice has since changed EHR vendors, added telehealth capability, and started using an AI documentation tool. The SRA reflects none of these changes. OCR treats the filed tool output as evidence that the practice knew about the requirement — elevating the violation toward reasonable cause.
Scenario C: The practice hired a consultant to conduct an SRA, received a report with identified risks, and filed the report. The risk management plan the consultant recommended was never implemented. OCR finds the report — which documents known vulnerabilities — and asks for evidence of remediation. There is none.
Real enforcement context:
OCR's Risk Analysis Initiative has pursued settlements ranging from $10,000 to $240,000 against small practices for SRA failures. In one case, a solo physician practice paid $100,000 to resolve OCR findings related to failure to conduct an adequate risk analysis despite prior OCR technical assistance. The prior contact — a letter from OCR noting the deficiency — was the factor that elevated the penalty from what might have been a $10,000 case to a $100,000 settlement.
What to do:
Conduct a current, documented SRA that covers your actual systems — EHR, labs, imaging, email, backup, mobile devices, any AI tools. Produce a Risk Management Plan with specific actions. Implement the actions. Update the SRA when your environment changes.
Violation 2: EHR Configuration Gaps Creating Technical Safeguard Failures
Citation: §164.312 (Technical Safeguards)
This is the violation that independent practices are most likely to have and least likely to know about. EHR systems require active configuration to meet HIPAA's technical safeguard requirements — they do not arrive configured for compliance by default.
The most common EHR configuration gaps:
Audit logging not fully enabled. HIPAA requires that systems record access to ePHI — who accessed which records, when, and what actions were taken. Most EHR systems have audit logging capability, but the logging may not be fully enabled in the practice's deployment. If audit logs are not being generated, there is no audit evidence for OCR to review — and no way to detect unauthorized access before a breach report forces the question.
Role-based access set too broadly. Many EHR deployments default to granting broad access to all users rather than configuring access by role. A front desk coordinator who needs access to scheduling and demographics does not need access to clinical notes and lab results. When access is broader than minimum necessary and a breach occurs, OCR's investigation includes whether access controls were appropriately configured.
Session timeout too long or not configured. HIPAA requires automatic logoff after a period of inactivity. EHR systems often default to session timeouts of 30 minutes or longer, or leave the timeout to be configured by the practice, where it is never set. A workstation in a clinical area with a 60-minute session timeout is effectively leaving ePHI accessible on unattended screens.
MFA not enabled for remote access. Physicians and staff accessing the EHR remotely — from home, from a hospital, from a mobile device — without MFA are accessing ePHI with a single authentication factor. This falls below the standard expected under the 2025 Security Rule amendments and is an increasingly common finding in OCR investigations.
What to do:
Work with your EHR vendor or IT provider to audit your current configuration against the Security Rule requirements. Specifically: verify audit logging is enabled and being retained, confirm role-based access is configured to minimum necessary, set session timeout to a clinically appropriate interval (10–15 minutes for shared workstations), and enable MFA for all remote access.
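The audit logging and role-based access points above only pay off if someone actually reviews the logs against the practice's minimum-necessary policy. The following is an added example, not code from the original article or from any EHR vendor: it parses constructed audit records in a hypothetical pipe-delimited format (a real EHR exports its own format), checks each access against an illustrative role-to-category permission map, and flags accesses that exceed the role or come from a role the policy does not recognize. The role names, categories and sample log lines are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical minimum-necessary policy: record categories each role may access.
# Constructed for this example; a real practice derives this from its SRA and
# staff job descriptions, and keeps it in sync with the EHR's role configuration.
ROLE_PERMISSIONS = {
    "front_desk": {"scheduling", "demographics"},
    "billing": {"demographics", "insurance", "billing"},
    "nurse": {"scheduling", "demographics", "clinical_notes", "lab_results"},
    "physician": {"scheduling", "demographics", "insurance",
                  "clinical_notes", "lab_results", "imaging"},
}

# Constructed sample export: timestamp | user | role | action | category | patient
SAMPLE_AUDIT_LOG = """\
2026-03-02T08:05:10 | jdoe   | front_desk | view | scheduling     | P-1001
2026-03-02T08:06:42 | jdoe   | front_desk | view | demographics   | P-1001
2026-03-02T08:09:03 | jdoe   | front_desk | view | clinical_notes | P-1001
2026-03-02T09:15:00 | msmith | physician  | view | lab_results    | P-2002
2026-03-02T09:20:31 | rlee   | billing    | view | lab_results    | P-2002
2026-03-02T10:01:12 | temp1  | contractor | view | demographics   | P-3003
"""


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    user: str
    role: str
    action: str
    category: str
    patient_id: str


def parse_audit_line(line: str) -> AuditEvent:
    """Parse one record of the constructed audit format (not a real EHR's)."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    ts, user, role, action, category, patient_id = fields
    return AuditEvent(datetime.fromisoformat(ts), user, role, action, category, patient_id)


def find_excess_access(lines, permissions=ROLE_PERMISSIONS):
    """Return (event, reason) pairs for accesses outside the role's permitted categories.

    An unknown role is flagged too: a role the policy never defined is exactly
    the 'broad default access' gap the article describes.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_audit_line(line)
        allowed = permissions.get(ev.role)
        if allowed is None:
            findings.append((ev, "unknown role"))
        elif ev.category not in allowed:
            findings.append((ev, f"role '{ev.role}' not permitted to access '{ev.category}'"))
    return findings


def findings_by_user(findings):
    """Count flagged accesses per user so the reviewer sees who to follow up with."""
    counts = {}
    for ev, _ in findings:
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_excess_access(SAMPLE_AUDIT_LOG.splitlines())
    for ev, reason in flagged:
        print(f"{ev.timestamp.isoformat()} {ev.user:<7} {ev.patient_id} {ev.category:<15} {reason}")
    print("per-user totals:", findings_by_user(flagged))
```

Run against the sample export, the check flags the front-desk user opening clinical notes, the billing user opening lab results, and the contractor account whose role the policy never defined. Running this on a weekly export is the kind of review evidence OCR asks for when it investigates whether access controls were appropriately configured; if the export comes back empty for a busy week, that is itself the signal that logging is not fully enabled.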
Violation 3: Missing BAAs in the Lab and Imaging Ecosystem
Citation: §164.308(b)(1)
Independent medical practices interact with labs, imaging centers, and diagnostic service providers daily. Each entity that receives patient identifiers in connection with a diagnostic order or result transmission is a Business Associate. Each requires a signed BAA.
This is where independent medical practices diverge from dental and chiropractic practices in their BAA exposure: the volume and variety of diagnostic relationships create a complex BAA matrix that most practices have never fully mapped.
The reference lab relationship:
A family medicine practice sends blood draws to Quest or LabCorp daily. The lab receives patient name, date of birth, insurance information, and the ordering provider's information. The lab transmits results back to the EHR. This is an ePHI flow in both directions. Both Quest and LabCorp offer BAAs — but the practice must execute the agreement, not simply use the services.
The sub-processor dimension is significant here: major reference labs use sub-processors for specimen transport, result transmission, and data management. The Change Healthcare breach demonstrated how a sub-processor compromise can expose the ePHI of practices that had BAAs with the primary vendor.
The imaging center relationship:
When a physician orders an MRI, CT, or other imaging study, the referral typically includes patient demographics and clinical information. The imaging center is a Business Associate for this referral. If images and reports are transmitted back electronically, the radiology group is also a Business Associate for that return flow. Many practices have never documented BAAs with imaging partners they have used for years.
What to do:
List every lab and imaging center your practice uses. Contact each to obtain and execute a BAA. Review the BAA for sub-processor language. Add new diagnostic partners to your BAA tracking process before referring the first patient.
Violation 4: Delayed or Inadequate Patient Access to Records
Citation: §164.524
This is the violation that produced OCR's 2020–2023 enforcement push — a wave of enforcement actions against medical practices that failed to provide patients timely access to their medical records or charged excessive fees.
The requirements are specific:
- Practices must provide access to records within 30 days of a request
- One 30-day extension is permitted, with written notice
- Fees must be limited to the reasonable cost of copying and transmitting
- Electronic records must be provided in the format requested, if readily producible
OCR's guidance on reasonable fees established $6.50 as a safe harbor for most records requests. Practices that charged per-page fees of $0.75 or more — common in practices that outsourced records fulfillment to copy services — were exposing themselves to enforcement action.
The independent practice pattern:
A patient or their attorney requests a complete medical record. The practice routes the request to a medical records copy service. The copy service charges $50 or more for the production. The practice either passes this cost to the patient or fails to monitor the fee being charged in their name. OCR investigates the complaint.
The second common pattern: a physician practice simply does not have a documented process for handling records requests. Requests are managed ad hoc, the 30-day deadline is not tracked, and by the time OCR is involved, the practice cannot demonstrate it responded within the required timeframe.
What to do:
Establish a documented records request process. Assign responsibility to a named staff member. Track every request with the date received and date fulfilled. Verify fees charged by copy services on your behalf. Set a calendar-based tracking system for the 30-day deadline.
Violation 5: Breach Notification Failures
Citation: §164.404 and §164.408
Independent medical practices that experience breaches face a second enforcement risk beyond the breach itself: failing to notify affected individuals and HHS within the required timeframes.
The requirements:
- Individual notification: within 60 days of discovering the breach
- HHS notification: within 60 days for breaches affecting fewer than 500 individuals (reported annually); immediately for breaches affecting 500+ in a state
- Media notification: for breaches affecting 500+ individuals in a state
The 60-day clock starts at discovery — not at the completion of the investigation, not when the practice is certain a breach occurred, and not when legal counsel has finished reviewing. OCR has been explicit: practices cannot indefinitely delay notification under the guise of ongoing investigation.
The investigation delay trap:
A practice discovers on Day 1 that a laptop containing unencrypted ePHI was stolen. The practice retains a cybersecurity firm to investigate. The investigation takes 45 days. The practice sends breach notifications on Day 55. This is compliant — but only barely, and only if the investigation was conducted promptly. If the same investigation takes 90 days, the practice is in violation of the notification timeline regardless of when the investigation concluded.
The "we're not sure it's a breach" trap:
Practices sometimes delay notification on the theory that they are still assessing whether a breach occurred. HIPAA's framework does not support indefinite assessment periods. A breach is presumed to have occurred unless the practice can demonstrate a low probability that PHI was compromised — a specific four-factor analysis that must be documented contemporaneously. Failure to conduct this analysis in real time, or to document it, removes the ability to avoid notification on this basis.
What to do:
Establish a breach response procedure now — before a breach occurs. Assign responsibility. Document the four-factor analysis framework. Build in calendar tracking for the 60-day notification deadline. Practice the process with a tabletop exercise at least annually.
The Common Thread
Every violation in this post reflects the same root cause: a compliance program that was treated as a project rather than an operating function. The SRA was filed, not maintained. The EHR was deployed, not configured for compliance. The BAAs were executed with the main vendors, not the full ecosystem. The records request process was handled informally, not documented. The breach response plan was deferred until after a breach made it urgent.
Independent medical practices are not in this position because they do not care. They are in this position because compliance infrastructure has historically required resources that independent practices do not have.
That constraint has a solution in 2026 that it did not have five years ago.
Based on OCR enforcement data and HHS guidance documents as of April 2026. Provided for informational purposes only. Does not constitute legal advice.
