Top 8 OCR Settlement Patterns from Recent Years — What Independent Practices Should Learn
Eight recurring patterns across HHS OCR enforcement settlements that independent practices should treat as roadmap, not surprise. What each settlement tells the next practice in line.

Every HHS OCR settlement is published as a public resolution agreement. Read enough of them and the same patterns repeat — making the enforcement record one of the most useful free training resources available to independent practices.
Below are the eight patterns that recur most often, with the lesson each carries for the next practice in line.
1. Risk-analysis failures cited in nearly every case
This is OCR's most-cited single finding. Multiple settlements explicitly call out the absence or inadequacy of a documented risk analysis as the foundational gap that made every other failure investigable. Examples span specialties, organization sizes, and time periods.
Lesson: A documented, dated, scoped, annually-reviewed risk analysis is the single most important compliance artifact a practice maintains. Without it, OCR has no foundation to evaluate any other safeguard.
2. Missing or inadequate Business Associate Agreements
Raleigh Orthopaedic Clinic settled at $750,000 with no breach required — the missing BAA was itself the violation. Center for Children's Digestive Health, North Memorial Health Care, and several others have reached similar outcomes.
Lesson: Every vendor that touches PHI on the practice's behalf needs a signed, current BAA before access. Track them centrally with execution dates and renewal triggers.
3. Lost unencrypted laptops driving multi-million-dollar settlements
Children's Medical Center of Dallas at $3.2M. Lifespan Health at $1.04M. Concentra Health at $1.7M. New York Presbyterian Hospital at $4.8M for related issues. The pattern is identical: the practice's own risk analysis flagged encryption as recommended, but the device wasn't actually encrypted.
Lesson: The Breach Notification Rule safe harbor for encrypted PHI is the strongest argument for universal endpoint encryption. A breached encrypted laptop typically doesn't require notification. A breached unencrypted one almost always does.
4. Social-media and verbal disclosures of patient information
Elite Dental Associates (Dallas) settled at $10,000 for responding to a patient's negative online review by disclosing the patient's treatment information. Other settlements have involved staff posting about patients to personal social media, or visible discussion in public-facing areas.
Lesson: Workforce training on appropriate use of patient information — including non-clinical contexts like online reviews and social media — is required under §164.530(b). The training applies to every workforce member, not just clinical staff.
5. Right of Access initiative — 45+ settlements since 2019
OCR's Right of Access Initiative has produced the most consistent enforcement stream of any single HIPAA provision. The pattern is uniform: a patient requests records, the practice misses the 30-day window or charges fees beyond cost-based recovery, and the patient complains. Penalties typically run $20,000–$200,000.
Lesson: A documented patient-access workflow with timestamps, a defined fee structure, and named accountability for the 30-day clock under §164.524 is the defense. Build it before a complaint arrives.
6. Breach-notification timing failures
The Premera Blue Cross case ($6.85M) and several others include findings about delayed breach notification. The 60-day individual notification clock starts at discovery, not at confirmation. Practices that waste 30 days investigating before notifying counsel often find themselves out of compliance with the notification rule itself.
Lesson: A written incident response plan, named accountability for the notification clock, and annual tabletop exercises. The plan turns each step from improvisation into checklist execution.
7. Tracking pixels on patient-facing pages
A newer-but-fast-growing enforcement category. OCR's December 2022 bulletin explicitly addressed tracking technologies on covered-entity websites. Meta Pixel, Google Analytics, and similar tools on authenticated patient portal pages — or even on appointment-booking pages — frequently transmit PHI to third parties without BAAs. Multiple class actions are pending against major health systems.
Lesson: Audit every analytics and marketing tag on every page that handles PHI. A tracking pixel on a PHI-adjacent page requires either a BAA with the analytics vendor or removal entirely. See our "Is Google Analytics HIPAA compliant" guide for the full breakdown.
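One way to start the tag audit described above: an added example (not Patient Protect's code or part of the original article) that parses each page's HTML, flags loader scripts from known tracker hosts and inline bootstrap calls, and reports findings only for the paths a practice has classified as PHI-handling. The tracker list, the sample pages, and the PHI path set are all constructed assumptions for illustration.

```python
from html.parser import HTMLParser
import re
# Illustrative tracker hosts and inline-script markers; extend to the tags a
# practice actually uses (this list is an assumption, not an OCR-published one).
TRACKER_HOSTS = {"connect.facebook.net": "Meta Pixel",
                 "www.googletagmanager.com": "Google Tag Manager",
                 "www.google-analytics.com": "Google Analytics"}
INLINE_MARKERS = {re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"): "Meta Pixel",
                  re.compile(r"\bgtag\s*\(\s*['\"]config['\"]"): "Google Analytics"}
class _TagCollector(HTMLParser):
    """Collects script/img/iframe sources and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.sources.append(src)
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_tracking_tags(html: str) -> list[str]:
    """Return the distinct tracker names detected in one page's HTML."""
    p = _TagCollector()
    p.feed(html)
    found = set()
    for src in p.sources:  # third-party loader identified by host
        host = re.sub(r"^(https?:)?//", "", src).split("/")[0].lower()
        if host in TRACKER_HOSTS:
            found.add(TRACKER_HOSTS[host])
    for body in p.inline:  # inline bootstrap calls such as fbq('init')
        found.update(n for pat, n in INLINE_MARKERS.items() if pat.search(body))
    return sorted(found)

def audit_pages(pages: dict[str, str], phi_paths: set[str]) -> dict[str, list[str]]:
    """Map each PHI-handling path to trackers found on it; empty list means clean."""
    return {p: find_tracking_tags(h) for p, h in pages.items() if p in phi_paths}
# Constructed sample pages (not from any real practice); /about is not PHI-handling.
SAMPLE_PAGES = {
    "/portal/appointments": ('<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX">'
                             '</script><script>gtag("config","G-XXXX");</script></head><body>Book</body></html>'),
    "/about": '<html><body><script>fbq("init","123");</script></body></html>',
    "/portal/messages": "<html><body>Secure messages</body></html>",
}
PHI_PATHS = {"/portal/appointments", "/portal/messages"}
```

Any non-empty list in the result is a page that needs either a BAA with that vendor or the tag removed; run it against saved copies of rendered pages, since tags injected by a tag manager only appear in the served HTML.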
8. Improper disposal of paper or electronic records
Hard drives donated without secure wipe. Paper records left in unlocked dumpsters. Old servers sold on eBay with patient data still on them. Cases recur because disposal is treated operationally as an afterthought rather than a documented procedure.
Lesson: §164.310(d)(2)(i) requires media-disposal policies. NIST SP 800-88 provides the technical standard. Disposal vendors need BAAs. Disposal records need retention.
What every pattern has in common
None of these settlements involve sophisticated attacks. Almost all involve documented operational gaps that surfaced during investigation — not exotic vulnerabilities exploited by advanced actors. The audit doesn't create the violation. It finds what was already there.
The practical implication for independent practices: invest compliance time in the operational discipline that closes these eight patterns, in the order they appear in OCR's enforcement record. The return per hour is higher than almost any other compliance work.
Where Patient Protect fits
Patient Protect is built around continuously closing the operational gaps that drive OCR enforcement — risk analyses, BAAs, audit logs, training, encryption, incident response, vendor monitoring. Documentation-focused compliance platforms typically generate the policy library covering each requirement. Patient Protect adds the active layer — verification that the policies are actually being executed across the practice's day-to-day operations. The two complement each other. Most practices need both.
Patient Protect tracks the operational program continuously — and surfaces gaps before they become enforcement findings. Plans start at $39/month with a 14-day free trial.
