What are the HIPAA Penalties for a Data Breach in a Healthcare Practice?
Patient Privacy Is Not Optional
Key Takeaways:
- HIPAA violations are often caused by everyday habits inside the office (not hackers) and even small lapses in how staff access, use, or discuss patient information can count as a breach.
- Fines can add up fast because penalties are issued per violation, not per incident, and even small practices are being hit with costly settlements for basic compliance failures.
- The biggest risk isn’t just the fine—it’s failing to have a current, documented plan with training, risk analysis and vendor agreements that prove your practice is actively protecting patient data.
Most healthcare practice owners believe they have HIPAA covered. The team was trained once. A privacy notice is posted somewhere. Everything feels fine.
But a few questions tend to change that confidence pretty quickly. Is there a written HIPAA action plan? When was it last reviewed? Who is the designated security officer? Are Business Associate Agreements in place for every vendor that touches patient data?
The answers are usually some version of “probably” or “we should look into that.”
Here is the reality. Personal health information is protected by federal law and protecting it falls on every person in the practice. That applies whether you are the owner, a provider, a billing coordinator or the person working the front desk.
What Counts as a Violation
Year after year, impermissible uses and disclosures of PHI top the list of compliance issues most commonly investigated by the HHS Office for Civil Rights (OCR). They ranked above hacking incidents and technical failures from 2019 through 2021 and remain a top concern heading into 2026.
So what does that mean in practical terms?
- A use is any handling of PHI inside the practice; a disclosure is any release of PHI to someone outside it.
- Either is impermissible when the Privacy Rule does not permit it (for example, for treatment, payment or health care operations) and the patient has not signed an authorization for it.
These are not rare cases. They play out in real practices every day. An employee shares login credentials so a coworker can access a system they are not authorized to use. Two staff members discuss a patient’s treatment in the hallway within earshot of other patients. A phone call about insurance verification happens at the front desk while the waiting room is full.
Each of those is an impermissible use or disclosure, and under the Breach Notification Rule it is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. No hacker required. No stolen laptop. It happens inside your own office with your own team.
And here is the part that catches most practice owners off guard: when a breach occurs you are required to notify the affected patients without unreasonable delay and no later than 60 days after discovering it. If 500 or more individuals are affected, HHS (and prominent local media) must be notified within that same 60-day window; breaches affecting fewer than 500 people are reported to HHS within 60 days after the end of the calendar year in which they were discovered.
The Cost of Getting It Wrong
Nothing focuses attention faster than the penalty structure. And 2025 was a record-breaking year for HIPAA enforcement.
OCR carried out 22 major enforcement actions in 2025 — a record high. Total fines for the year exceeded $148 million, driven primarily by the $126 million Change Healthcare/UnitedHealth settlement — the largest in HIPAA history.
But this was not just about large hospital systems. Among those fined in 2025: a medical billing company, an eyewear retailer, an ambulance authority, a radiology practice and solo dental offices hit with penalties ranging from $50,000 to $70,000 for failing to give patients timely access to their own records.
A few of the notable 2025 settlements:
- Solara Medical Supplies — $3,000,000. A phishing attack compromised employee email accounts. OCR’s issue was not the phishing itself — it was the missing risk analysis and delayed patient notification.
- Warby Parker — $1,500,000. A credential stuffing attack exposed roughly 200,000 customer accounts. The penalty arrived six years after the breach. OCR has a long memory.
- BayCare Health System — $800,000. An employee accessed patient records without authorization and shared them with an outside individual.
Risk analysis failures were the top finding across 2025 enforcement actions. Eighteen of the 22 cases involved inadequate risk analysis and nine of those involved ransomware.
2026 Civil Penalty Tiers
HHS updated penalty amounts in January 2026 to account for inflation. The current structure:
| Tier | Description | Min per Violation | Max per Violation | Annual Cap |
|------|-------------|-------------------|-------------------|------------|
| Tier 1 | Did not know | $145 | $73,011 | $2,190,294 |
| Tier 2 | Reasonable cause | $1,461 | $73,011 | $2,190,294 |
| Tier 3 | Willful neglect (corrected) | $14,602 | $73,011 | $2,190,294 |
| Tier 4 | Willful neglect (not corrected) | $73,011 | $2,190,294 | $2,190,294 |
These are per violation, not per incident, and the annual cap applies to each provision violated in a calendar year. A single breach that exposes 500 records could be treated as 500 separate violations, and an ongoing failure such as a missing risk analysis can be counted for every day it goes uncorrected. The caps shown are the statutory maximums; since 2019 HHS has applied lower annual caps to Tiers 1 through 3 under a notice of enforcement discretion, so the practical exposure depends on which tier OCR assigns.
Criminal Penalties
The Department of Justice can impose criminal penalties for intentional or fraudulent actions involving PHI:
- Knowingly accessing PHI without authorization: up to $50,000 and one year in prison
- Obtaining PHI under false pretenses: up to $100,000 and five years
- Using PHI for personal gain or to cause harm: up to $250,000 and ten years
And that does not even account for the reputational damage. A fine can be paid. Rebuilding trust with patients who learned their private health information was compromised? That is a different conversation entirely. IBM's Cost of a Data Breach report put the average cost of a healthcare data breach at $10.93 million in 2023, the highest of any industry for the 13th consecutive year.
Where Healthcare Practices Fall Short
Four areas create the most exposure and all of them are preventable.
- Conversations in Open Spaces
Voices carry. Down the hall. Into exam rooms. Out to the reception area. Most healthcare offices were not designed with HIPAA in mind. The front desk is steps from the waiting room. Staff members confirm patient names and procedures on the phone while other patients are sitting nearby.
If patients in the waiting room can hear details about other patients there is a problem. Physical awareness matters every single day.
- Network Security
Technical safeguards have been a consistent enforcement focus: hacking incidents increased 89% between 2019 and 2023 and ransomware attacks increased 102% over the same period. The office network must be protected from outside threats. In practice that means supported and patched operating systems on every machine, endpoint protection on the server and all workstations, multi-factor authentication on email and remote access, encryption of PHI at rest and in transit, tested backups kept off the production network, and an IT provider that understands the specific demands of healthcare.
Not every IT company is equipped for this work. The compliance requirements and the stakes are different from other industries. This is not the place to cut costs.
- Administrative Safeguards
Administrative safeguards remain among the most commonly investigated compliance issues. These include:
  - Minimizing PHI access based on employee role. Not everyone needs access to everything.
  - Security awareness and training. Every employee, clinical and non-clinical, needs to understand how to handle PHI.
  - Risk assessments. Regular evaluations of office protocols to identify vulnerabilities before they become violations. This was the single most common deficiency cited in 2025 enforcement actions.
- Business Associate Agreements
If a third-party vendor has access to patient data — a billing company, a cloud storage provider, an IT partner or even a document shredding service — a signed Business Associate Agreement is required. This is not a best practice. It is a HIPAA mandate. If that vendor mishandles data the responsibility traces back to the practice.
Are these agreements in place? For every vendor? If the answer is not a confident yes, it is time to fix that.
Build a HIPAA Action Plan
Every healthcare practice needs a plan. An actual written plan that the team follows and that gets reviewed every year. Without one the practice is exposed. A plan from five years ago that no one has looked at since might as well not exist.
And OCR has made clear that having a policy on the shelf is no longer enough. Regulators now expect demonstrable, real-time evidence of compliance — audit trails, training records with completion dates and incident response documentation with timestamps.
Here is where to start:
- Assign a Security Officer. HIPAA requires a designated security official (and a privacy official, who can be the same person in a small practice) to own compliance. This should be a defined responsibility, not a side task squeezed in between patients.
- Train all employees. Everyone in the practice needs training on PHI handling. That includes providers, front desk staff, billing coordinators and anyone else who works in the environment.
- Implement procedures to identify, report and respond to incidents. When something happens the team needs to know exactly what steps to take, who to tell and how quickly, because the breach notification clock starts on the day the incident is discovered or reasonably should have been discovered.
- Implement policies for authorized access. Restrict system access based on each employee’s role. Only grant the minimum level of access required for someone to do their job.
- Obtain Business Associate Agreements. Document and sign agreements with every third-party vendor that touches patient data.
These are the basics, but they are not the full list. The plan should be specific to the practice and should evolve as operations change. Review annually. Update as needed.
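Two of the items above, role-based minimum-necessary access and the audit trail OCR expects to see, can be made concrete in code. The following is an added example written for this article, not code from the original page or from Adams Brown; the role names, permissions, user accounts and the patient record are constructed and hypothetical. It shows every access attempt being checked against the role's permissions and written to an audit log, including the denials, which is what lets a practice prove after the fact that an over-reach was blocked rather than merely discouraged.

```python
"""Added example (not from the article): minimum-necessary, role-based access
to patient records with an audit trail of every access attempt.
Roles, permissions, users and the patient record are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each role gets only the permissions its job requires (least privilege).
ROLE_PERMISSIONS = {
    "provider": {"read_demographics", "read_clinical", "write_clinical"},
    "billing": {"read_demographics", "read_billing", "write_billing"},
    "front_desk": {"read_demographics", "write_scheduling"},
}

# Which fields of a patient record each read permission unlocks.
PERMISSION_FIELDS = {
    "read_demographics": {"name", "dob", "phone"},
    "read_clinical": {"diagnosis", "medications"},
    "read_billing": {"insurance_id", "balance"},
}


@dataclass(frozen=True)
class AuditEvent:
    """One line of the audit trail: who tried what, on which patient, and the outcome."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    requested: tuple
    outcome: str  # "allowed" or "denied"
    reason: str


@dataclass
class PHIStore:
    records: dict            # patient_id -> record fields
    users: dict              # username -> role
    audit_log: list = field(default_factory=list)

    def _log(self, user, role, patient_id, requested, outcome, reason):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, patient_id,
            tuple(sorted(requested)), outcome, reason))

    def readable_fields(self, user):
        """Fields this user may read, derived from the role's permissions."""
        role = self.users.get(user)
        if role is None:
            return set()
        allowed = set()
        for perm in ROLE_PERMISSIONS.get(role, set()):
            allowed |= PERMISSION_FIELDS.get(perm, set())
        return allowed

    def read(self, user, patient_id, fields):
        """Return only the requested fields, and only if every one is permitted.
        A request containing any field outside the role is refused as a whole
        and logged as a denial, so the audit trail shows the over-reach."""
        role = self.users.get(user, "unknown")
        requested = set(fields)
        over_reach = requested - self.readable_fields(user)
        if role == "unknown" or over_reach:
            reason = ("unknown user" if role == "unknown"
                      else "not permitted: " + ", ".join(sorted(over_reach)))
            self._log(user, role, patient_id, requested, "denied", reason)
            raise PermissionError(f"{user} ({role}) denied on {patient_id}: {reason}")
        record = self.records[patient_id]
        self._log(user, role, patient_id, requested, "allowed", "")
        return {f: record[f] for f in requested}

    def denied_events(self):
        """Denials are the entries a security officer reviews first."""
        return [e for e in self.audit_log if e.outcome == "denied"]


def build_demo_store():
    """Constructed sample data (not real PHI) for the demonstration."""
    return PHIStore(
        records={"P-001": {"name": "Jane Doe", "dob": "1980-01-01", "phone": "555-0100",
                           "diagnosis": "hypertension", "medications": "lisinopril",
                           "insurance_id": "INS-42", "balance": 120.0}},
        users={"dr_smith": "provider", "pat_billing": "billing", "kim_desk": "front_desk"},
    )


if __name__ == "__main__":
    store = build_demo_store()
    print(store.read("kim_desk", "P-001", ["name", "phone"]))   # front desk: allowed
    try:
        store.read("kim_desk", "P-001", ["name", "diagnosis"])  # front desk: denied
    except PermissionError as exc:
        print(exc)
    for event in store.audit_log:
        print(event)
```

The design choice worth noting is that a request is refused whole rather than trimmed to the permitted fields: silently returning the subset would hide the attempt, whereas a logged denial with the offending field names is exactly the kind of timestamped evidence that distinguishes a working control from a policy on the shelf.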
Secure the Network
On the technology side, the practice needs an IT provider that takes a security-first approach and understands the regulatory landscape of healthcare. Adams Brown Technology Specialists works with healthcare practices to secure networks and hardware with that exact mindset.
The gap between a generalist IT provider and one built for healthcare shows up during an audit or worse, after a breach. Make sure the practice is working with a team that understands the difference.
Questions?
Patient privacy is not a poster on the breakroom wall. It is a daily responsibility that requires planning, training and follow-through from every person in the practice. The cost of prevention is a fraction of the cost of a violation. And no one, not the owners, not the staff, not the patients, wants the practice to be the one making headlines. Contact Adams Brown healthcare technology advisory today.