OCR Enforcement
Cadia Healthcare posted patient names, photos, and treatment details as 'success stories' on their public website without HIPAA authorization. OCR's investigation found 150 patients affected and fined the facility group $182,000. Here is what every healthcare marketing team needs to know.
Updated Jun 1, 2026 · 7 min read
OCR Enforcement
BST and Co. CPAs, a New York public accounting firm, settled with OCR for a ransomware breach affecting patient financial data. The case is a warning for every professional services firm that handles healthcare client data.
Updated May 31, 2026 · 6 min read
OCR Enforcement
OCR fined MMG Fusion just $10,000 for exposing 15 million patients' data — the company has since dissolved. The real story is what this means for every dental practice that trusted them with patient data.
Updated May 31, 2026 · 6 min read
Rule Update
OCR announced new offices focused on religious discrimination and anti-Christian bias on May 19, 2026 — raising serious questions about whether HIPAA breach enforcement will receive less attention as resources shift to administration priorities.
Updated May 22, 2026 · 6 min read
Rule Update
OCR Acting Director Paula Stannard used her HIMSS 2026 address to defend the proposed HIPAA Security Rule update, warning that weak cybersecurity controls have enabled a wave of ransomware attacks that harm patients and that inaction is not a cost-free option.
Updated May 20, 2026 · 4 min read
Rule Update
A HITECH Act provision requires HHS to share HIPAA civil money penalties with individuals harmed by violations. OCR is now seeking comment on how to implement it. Here is what the proposed program would mean for patients, covered entities, and compliance programs.
Updated May 19, 2026 · 7 min read
Rule Update
HHS restructured its Office for Civil Rights, creating three new divisions to handle a 69% increase in complaints. Here is how the new structure works and what it means for HIPAA investigations.
Updated May 15, 2026 · 4 min read
OCR Enforcement
Top of the World Ranch Treatment Center paid $103,000 to settle HIPAA violations after a 2023 phishing attack exposed patient records. OCR found the center had never completed a HIPAA Security Rule risk analysis.
Updated May 15, 2026 · 4 min read
OCR Enforcement
OCR's 54th Right of Access enforcement action settled with Concentra Inc. for $112,500 after a patient had to make six separate records requests over more than a year before receiving access to his health information.
Updated May 14, 2026 · 6 min read
Rule Update
OCR's regulatory agenda listed May 2026 as the target for the HIPAA Security Rule final rule. The month is here and no announcement has been made. Here is where things stand and what covered entities should do right now.
Updated May 14, 2026 · 5 min read
Rule Update
A federal court vacated most of OCR's 2024 reproductive health privacy rule in June 2025, but key Notice of Privacy Practices changes survived and were required by February 16, 2026. Here is exactly what covered entities must do.
Updated May 12, 2026 · 6 min read
OCR Enforcement
OCR imposed a $1.5 million civil money penalty on Warby Parker in February 2025 for HIPAA Security Rule violations following credential stuffing attacks. The case is a landmark warning for any non-healthcare company that operates an employer health plan or handles employee health data.
Updated May 12, 2026 · 6 min read
Data Breach
A complete guide to HIPAA breach response — from the moment of discovery through notification to HHS, individuals, and media. Includes the four-factor risk assessment, deadlines, and role-specific responsibilities.
Updated May 11, 2026 · 12 min read
Data Breach
A complete guide to the HIPAA Breach Notification Rule — what constitutes a breach, the four-factor risk assessment, who must be notified, and exactly when notifications are due.
Updated May 11, 2026 · 10 min read
Data Breach
Overview of the HIPAA Breach Notification Rule — what triggers notification, who must be notified, and when. See our complete guide for full coverage.
Updated May 11, 2026 · 1 min read
Analysis
A comprehensive HIPAA compliance checklist for covered entities covering all Privacy Rule, Security Rule, and Breach Notification Rule requirements — with CFR citations and priority rankings.
Updated May 11, 2026 · 9 min read
OCR Enforcement
OCR has now resolved more than 50 HIPAA enforcement actions in 2026 under its Risk Analysis and Right of Access initiatives. A new enforcement focus on parental access to minor records adds a third priority area every practice must understand.
Updated May 11, 2026 · 6 min read
OCR Enforcement
A complete guide to preparing for an OCR HIPAA audit or investigation — what OCR requests, how to organize your evidence, and the specific documentation that determines audit outcomes.
Updated May 11, 2026 · 9 min read
Rule Update
A complete guide to all eight patient rights under the HIPAA Privacy Rule — what each right requires, how to respond correctly, and the timelines your practice must meet.
Updated May 11, 2026 · 8 min read
Rule Update
OCR's proposed HIPAA Security Rule overhaul faces fierce industry opposition — including a coalition of over 100 hospital systems calling for its withdrawal. Here is the full picture of what is proposed, who is fighting it, and what covered entities should actually do while the outcome remains uncertain.
Updated May 11, 2026 · 7 min read
Analysis
A complete guide to HIPAA workforce training requirements under the Privacy Rule and Security Rule — who must be trained, what training must cover, how often it must occur, and how to document it for OCR.
Updated May 11, 2026 · 7 min read
Rule Update
The most significant update to the HIPAA Security Rule since 2013 is on the verge of finalization. Here is what the proposed changes require and what every covered entity and business associate must do to prepare.
Updated May 8, 2026 · 7 min read
OCR Enforcement
HHS published updated HIPAA civil money penalty amounts effective January 2026. Here are the current figures for all four violation tiers and what they mean for your compliance program.
Updated May 8, 2026 · 6 min read
OCR Enforcement
OCR's May 2026 enforcement action against a self-funded employer group health plan marks a significant expansion of HIPAA enforcement beyond traditional healthcare entities. Here is what every employer with a self-funded health plan must know.
Updated May 5, 2026 · 6 min read
OCR Enforcement
OCR's settlement with Assured Imaging highlights two compounding violations: no risk analysis ever conducted and delayed breach notification. Here is what every covered entity must learn from this case.
Updated May 3, 2026 · 5 min read
Rule Update
As of February 16, 2026, OCR began civil enforcement of the updated Part 2 regulations protecting substance use disorder patient records. Behavioral health providers face a new compliance obligation that runs alongside and partially overlaps with HIPAA.
Updated May 3, 2026 · 6 min read
Rule Update
OCR has formally expanded its enforcement initiative beyond risk analysis to include risk management. Here is exactly what changed, what OCR is now looking for, and the specific steps every covered entity and business associate must take.
Updated Apr 30, 2026 · 6 min read
OCR Enforcement
OCR announced four simultaneous HIPAA settlements on April 23, 2026 totaling $1.165 million following ransomware investigations. All four failed the same requirement.
Updated Apr 30, 2026 · 5 min read
Security Rule
Everything covered entities and business associates need to know about the HIPAA Security Rule: administrative, physical, and technical safeguards explained.
Updated Apr 21, 2026 · 6 min read
SaaS & Technology
When HIPAA applies to software companies, how BAAs fit product roadmaps, and which Security Rule themes customers audit most often.
Updated Apr 13, 2026 · 4 min read
Security Rule
A structured overview of the HIPAA Security Rule, administrative, physical, and technical safeguards, with CFR anchors and practical implementation notes.
Updated Apr 12, 2026 · 5 min read
Privacy Rule
Understand Protected Health Information (PHI), the 18 identifiers, limited data sets, and the Safe Harbor method for de-identification, with regulatory citations.
Updated Apr 10, 2026 · 5 min read
BAA
A complete guide to HIPAA Business Associate Agreements, who needs one, what it must include, and how to get one signed.
Updated Apr 11, 2026 · 6 min read