What OCR Investigations Actually Reveal About PHI Protection
Every time the HHS Office for Civil Rights closes an investigation, it publishes a resolution agreement that reads like a compliance cautionary tale. The penalties change. The organization names change. But the underlying failures are remarkably consistent. After years of working with healthcare organizations and their business associates, I can tell you that the same gaps surface in enforcement action after enforcement action — gaps that are entirely preventable with the right program in place.
This post is not a theoretical overview of HIPAA. It is a direct look at what OCR investigators actually find when they walk in the door, and what compliance managers and executives need to do about it before that door opens at their organization.
If your organization handles protected health information — whether you are a hospital, a physician practice, a health plan, or a healthcare technology vendor — these failure patterns apply to you.
Failure 1: No Completed or Current Security Risk Analysis
This is the single most cited violation in OCR enforcement actions, and it has been for years. The HIPAA Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. That requirement is not optional, and it is not satisfied by a checklist someone filled out three years ago.
OCR investigators look for documented evidence that your organization has identified where ePHI lives across your environment, assessed the threats to it, evaluated existing controls, and prioritized remediation. Many organizations either have never completed a formal security risk analysis or completed one during an implementation project and never repeated it.
A proper analysis needs to be repeated whenever there are significant operational changes — new systems, mergers, expanded remote access, new vendors — not just on an annual calendar cycle. Our risk assessment services are designed to produce exactly the kind of documented, auditable output OCR expects to see.
Failure 2: Missing or Inadequate Risk Management Plan
Finding the risks is only half the obligation. The Security Rule also requires that organizations implement security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level. OCR routinely finds that organizations have completed some form of risk analysis but have no documented plan to address what they found.
A risk management plan needs to be actionable, time-bound, and tracked. It is not enough to have a spreadsheet of findings that has not been updated since the last assessment. If your plan of action is not being reviewed regularly by someone with the authority and resources to drive remediation, it is a compliance liability, not a compliance asset.
Failure 3: Insufficient Access Controls
PHI protection requires that access to electronic protected health information be limited to authorized users with a legitimate need. In practice, OCR investigations frequently uncover environments where access controls are not implemented at all, are implemented inconsistently, or have never been reviewed after initial deployment.
Common access control failures include:
- Shared user accounts or generic login credentials used across departments
- Former employees retaining system access after termination
- No audit logging or log review process to detect unauthorized access
- Excessive privileges granted to users whose roles do not require broad access
- No automatic logoff controls on workstations in clinical areas
Access control is both a technical and an administrative obligation. It requires written policies, technical implementation, and ongoing monitoring. Organizations that treat it as a one-time IT configuration task consistently fail OCR scrutiny.
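Most of the failures in the list above are visible in the EHR audit trail if someone actually reads it. The following script is an added example, not code from the original post or from any EHR vendor; it runs three reviews over a constructed audit log and HR roster (the CSV layout, the field names, and the "chart roles" policy are assumptions): access by accounts HR has already terminated, one account used from two workstations within minutes (the usual signature of a shared or generic login), and chart views by accounts whose department has no clinical need.

```python
"""ePHI access-log review: three checks that map to common OCR access-control findings.
Added example. Sample data is constructed; the log format and roster fields are assumptions,
not any real EHR vendor's schema."""
from datetime import datetime, timedelta

# Constructed HR roster (assumed fields: department, active flag, termination date).
ROSTER = {
    "jdoe":   {"dept": "Nursing",  "active": True,  "terminated": None},
    "rlee":   {"dept": "Billing",  "active": False, "terminated": "2024-03-01"},
    "nurse1": {"dept": "Nursing",  "active": True,  "terminated": None},  # generic account
    "mpatel": {"dept": "Pharmacy", "active": True,  "terminated": None},
}

# Departments whose role legitimately includes opening clinical charts (assumed policy).
CHART_ROLES = {"Nursing", "Pharmacy", "Physicians"}

# Constructed audit-log lines: timestamp,user,workstation,patient_id,action
SAMPLE_LOG = """\
2024-03-04T08:02:11,jdoe,WS-ICU-01,P1001,view_chart
2024-03-04T08:03:40,nurse1,WS-ED-02,P2002,view_chart
2024-03-04T08:04:05,nurse1,WS-ED-07,P2003,view_chart
2024-03-04T08:10:22,rlee,WS-BILL-03,P1001,view_chart
2024-03-04T08:12:00,mpatel,WS-PHARM-01,P3003,view_chart
2024-03-04T09:30:00,nurse1,WS-ED-02,P2004,view_chart
"""

# Two workstations for one account inside this window is treated as shared-credential use.
SHARED_WINDOW = timedelta(minutes=5)


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, ws, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "patient": patient, "action": action})
    return events


def terminated_user_access(events, roster):
    """Events by accounts HR marks terminated on or before the event date,
    plus accounts that do not exist in the roster at all."""
    hits = []
    for e in events:
        rec = roster.get(e["user"])
        if rec is None:
            hits.append((e["user"], e["ts"].isoformat(), "not in HR roster"))
            continue
        term = rec["terminated"]
        if term and e["ts"].date() >= datetime.fromisoformat(term).date():
            hits.append((e["user"], e["ts"].isoformat(), "terminated " + term))
    return hits


def shared_credential_use(events, window=SHARED_WINDOW):
    """Same account used from two different workstations within `window`."""
    hits = set()
    by_user = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["ws"] != b["ws"] and b["ts"] - a["ts"] <= window:
                hits.add((user, a["ws"], b["ws"]))
    return sorted(hits)


def off_role_chart_access(events, roster, chart_roles=CHART_ROLES):
    """Chart views by accounts whose department has no clinical need."""
    return sorted({(e["user"], roster[e["user"]]["dept"])
                   for e in events
                   if e["action"] == "view_chart" and e["user"] in roster
                   and roster[e["user"]]["dept"] not in chart_roles})


def review(text=SAMPLE_LOG, roster=ROSTER):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "terminated": terminated_user_access(events, roster),
        "shared": shared_credential_use(events),
        "off_role": off_role_chart_access(events, roster),
    }


if __name__ == "__main__":
    for check, findings in review().items():
        print(check, findings)
```

On the sample data the review flags rlee twice (a terminated billing account still opening charts) and nurse1 once (two emergency-department workstations 25 seconds apart). The point is the process, not the script: the same three questions, asked of real exports on a schedule and with the findings documented, are what an investigator means by an information system activity review.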
Failure 4: Failure to Execute and Manage Business Associate Agreements
One of the most consistent findings in multi-year OCR audits is that covered entities have vendors handling PHI without a valid, current Business Associate Agreement in place. This is not a paperwork technicality. A BAA is a legally binding contract that defines how your vendor is permitted to use protected health information, what safeguards they are required to maintain, and what they must do in the event of a breach.
OCR has aggressively pursued enforcement actions against both covered entities that failed to execute BAAs and business associates that violated the terms of those agreements. The HIPAA Compliance Documentation Toolkit we offer includes the policy and agreement templates organizations need to formalize these relationships properly.
Beyond executing the agreement, organizations are expected to conduct due diligence on their vendors' actual security practices. Signing a BAA with a vendor who cannot substantiate their PHI protection controls does not insulate you from liability.
Failure 5: Inadequate Workforce Training
The Security Rule requires that all members of the workforce receive appropriate security awareness and training. OCR investigators look at training records, assess the content of training programs, and evaluate whether training has actually been documented and repeated.
The failures here are predictable. Organizations rely on a single annual online module that employees click through without retention. Training content does not reflect the organization's actual environment or the realistic threats employees face. New hires are not trained before they begin handling PHI. No one tracks whether training has been completed and documented.
Workforce training is not a checkbox activity. It is a foundational safeguard that reduces the probability of human error — consistently one of the leading causes of PHI breaches. If your workforce cannot recognize a phishing email, does not know how to handle a misdirected fax containing patient records, or is unaware of your organization's breach reporting obligations, your training program is not working.
Failure 6: Breach Notification Delays and Errors
When a PHI breach occurs, the HIPAA Breach Notification Rule imposes specific timelines and obligations. Covered entities must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. A breach involving more than 500 residents of a state or jurisdiction also requires notice to prominent media outlets serving that area, on the same timeline. All breaches must be reported to HHS: those affecting 500 or more individuals within the same 60-day window as individual notice, and smaller breaches in an annual log submitted no later than 60 days after the end of the calendar year in which they were discovered. Business associates must notify the covered entity of a breach on the same 60-day clock.
OCR investigations frequently find that organizations discovered a breach months before they reported it, misclassified a reportable breach as a non-reportable incident, or failed to conduct the required breach risk assessment to determine whether notification was necessary. These procedural failures compound the original incident and dramatically increase the severity of OCR's response.
A mature PHI protection program includes a tested incident response plan with clear escalation triggers, defined roles, and documented procedures for conducting breach risk assessments. The rule presumes that an impermissible use or disclosure of unsecured PHI is a reportable breach unless a documented four-factor assessment shows a low probability that the PHI was compromised: the nature and extent of the PHI involved, the unauthorized person who used it or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Without a plan and a template for that assessment, the chaos that follows a breach discovery makes everything worse.
Failure 7: Weak Encryption and Transmission Security
The Security Rule identifies encryption as an addressable implementation specification, which some organizations misread as optional. Addressable does not mean optional. It means the organization must assess whether the specification is reasonable and appropriate for its environment, implement it if so, and otherwise document why not and implement an equivalent alternative measure where one is reasonable and appropriate. In practice, very few alternative measures satisfy that standard for ePHI on portable devices or in transit, and investigators know it.
Common encryption failures include:
- Unencrypted laptops containing patient records that are subsequently lost or stolen
- PHI transmitted via standard email without encryption
- Portable storage devices used without encryption controls
- Mobile devices enrolled in BYOD programs without mobile device management or encryption enforcement
Lost or stolen unencrypted devices have for years been one of the most common causes of large breach reports submitted to OCR, and they are the most preventable. Encryption that meets HHS guidance (full-disk encryption consistent with NIST SP 800-111 for data at rest, TLS configured per NIST SP 800-52 for data in transit) also renders PHI "secured," so the loss of a properly encrypted device is not a reportable breach at all, provided the decryption key was not compromised along with it. This is a solved problem. The technology exists. The failure is organizational: not investing in it and not enforcing it through policy and technical controls.
Failure 8: No Formal HIPAA Compliance Program Structure
Underlying most of the failures described above is a common root cause: the absence of a structured, documented compliance program with clear ownership, governance, and accountability. Organizations that treat HIPAA as a set of tasks to be completed once do not sustain compliance over time. Policies go unreviewed. Risk analyses are not repeated. Training lapses. BAAs expire without renewal.
A formal compliance program creates the infrastructure that keeps these obligations current — assigned roles, documented procedures, scheduled reviews, and executive visibility into the program's status. Our HIPAA Privacy and Security Compliance course for healthcare administrators provides the foundational knowledge compliance managers need to build and sustain that program effectively.
Organizations that operate without this structure depend on institutional memory and individual heroics to stay compliant. That is not a sustainable model, and OCR investigations expose it quickly.
What Compliance Managers Should Do Right Now
If reading this list made you uncomfortable, that discomfort is useful. Take it seriously. The organizations that appear in OCR resolution agreements are not uniquely negligent. They are organizations that delayed action, underestimated their exposure, or assumed that their existing measures were sufficient.
Start with a current, documented security risk analysis. If you do not have one, or if your most recent one predates significant changes to your environment, it needs to happen before anything else. Pair that analysis with a risk management plan that has ownership and timelines attached to every finding.
If you are not sure where your program stands relative to what OCR expects to see, a structured gap assessment against the Security Rule's requirements will surface the answer quickly. From there, remediation is a matter of sequencing and resource allocation — both of which we help organizations work through as part of our regulatory vCISO engagements.
The Stakes Are Real
OCR civil monetary penalties now reach into the millions of dollars. The agency has demonstrated a consistent willingness to pursue enforcement against organizations of all sizes, including small practices, regional health systems, and business associates. The reputational damage that follows a public resolution agreement is a separate cost that does not appear on the penalty notice.
PHI protection is not a compliance formality. It is a patient safety obligation, a legal requirement, and an operational imperative. The organizations that treat it that way — by building real programs with documented controls, trained workforces, and executive accountability — are the ones that do not end up in OCR's case resolution database.
If you want to understand exactly where your organization stands and what it would take to close the gaps, request a quote from our team. We work with healthcare organizations and their vendors to build HIPAA compliance programs that hold up under the scrutiny OCR brings to every investigation it opens.
