Quick answer
OCR’s 2026 enforcement pattern against small healthcare practices is not random. The same five root causes appear in nearly every settlement: no written Risk Analysis, Right of Access failures, ransomware preceded by inadequate safeguards, missing or stale Business Associate Agreements, and impermissible disclosures through online tracking technologies. Bryan County EMS paid $90,000, Concentra paid $112,500, Northeast Radiology paid $350,000, Deer Oaks paid $225,000, Syracuse ASC paid $250,000, BST & Co. CPAs paid $175,000, and the Risk Analysis Initiative reached 13 settlements by April 2026. The 2026 inflation-adjusted penalty tiers run up to $2,190,294 per violation. Most small practices that get fined are not running rogue. They are running uncoordinated. The fix in each case is the same paper trail OCR keeps asking for and never finding.
OCR’s enforcement playbook against small healthcare practices in 2026 is more predictable than most practice owners realize. Two enforcement initiatives drive the bulk of small-practice activity (Risk Analysis and Right of Access), and a third (ransomware) has rapidly scaled since 2024. The pattern is consistent enough that any practice owner can read the most recent settlements and predict, with high accuracy, what OCR will ask for first if a complaint or breach report lands.
This post walks through the five root causes that have driven nearly every small-practice settlement OCR closed in 2025 and the first half of 2026, with specific dollar amounts and case names, and then explains how to address each one without an enterprise budget.
Why is OCR focused on small practices in 2026?
Two reasons. First, OCR formally launched the Risk Analysis Initiative in late 2024 as a templated, repeatable enforcement model. The investigation runs the same questions every time, so OCR can process more cases with the same staff. Second, the Right of Access Initiative has been running since 2019 and crossed 54 enforcement actions in December 2025. Both initiatives reward small-case throughput over large headline numbers, which means more small practices end up on the Resolution Agreements page.
The 2026 inflation-adjusted civil monetary penalty tiers, published in Federal Register 2026-01688 and effective January 28, 2026, set the minimum per-violation fine at $145 and the maximum at $2,190,294, with a $2,190,294 annual cap per identical provision. OCR has applied lower annual caps since 2019 as a matter of enforcement discretion, but those caps are not statutory and can change.
Reason 1: No written Risk Analysis
45 CFR 164.308(a)(1)(ii)(A) requires every covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information it creates, receives, maintains, or transmits.
This is the document OCR asks for first. It is also the document most small practices either do not have or have not refreshed in years. The Risk Analysis Initiative, launched fall 2024, has produced the following completed settlements:
- Bryan County Ambulance Authority (Oklahoma EMS) paid $90,000 on October 31, 2024, after a ransomware attack encrypted the ePHI of 14,273 patients. OCR found the practice had never conducted a Risk Analysis. See the Resolution Agreement.
- Northeast Radiology, P.C. paid $350,000 in a settlement announced April 10, 2025, OCR’s sixth Risk Analysis Initiative action.
- Behavioral Health Solution of Deer Oaks paid $225,000 in a settlement announced July 7, 2025, with 171,871 patients affected.
- Syracuse ASC paid $250,000 in a settlement announced July 24, 2025, with 24,891 individuals affected.
By April 2026 the Initiative had reached 13 settlements. The total dollar amount across all completed actions exceeded $1 million. None of these are large hospital systems.
The fix is the document itself. A written Risk Analysis under HHS Final Guidance includes an inventory of every system that touches ePHI, identification of threats and vulnerabilities, a likelihood and impact rating for each risk, an evaluation of existing safeguards, and a Risk Management Plan under 45 CFR 164.308(a)(1)(ii)(B) with named owners and target completion dates.
Reason 2: Right of Access failures
OCR’s Right of Access Initiative has run since April 2019. The settlement announced December 16, 2025 with Concentra for $112,500 was the 54th enforcement action under the Initiative. The complaint dated back to February 2018, and the patient did not receive his records until March 2019, more than a year after his first request. Gums Dental Care in Maryland paid $70,000 under a Notice of Final Determination on October 17, 2024, in a related access-and-disclosure case where 35 patients’ discharge summaries had been exposed online from at least December 2021 until May 2023. A solo dental practice was fined $30,000 for failing to provide a patient access to records within the statutory 30-day window.
The rule under 45 CFR 164.524 is procedural and clear: a request, an identifiable patient, a 30-day clock (with one 30-day extension on written notice). Most failures are not malicious. They are practices that lost track of the request because the patient asked the front desk verbally and nobody wrote it down.
The fix is a written intake-and-tracking process for access requests, a designated staff member with the workflow in their job description, and a 30-day calendar reminder triggered when the request is logged.
Reason 3: Ransomware fallout
Ransomware is technically a security incident, not a standalone enforcement category. But OCR’s enforcement pattern in 2025 and 2026 has converted ransomware incidents into HIPAA settlements with remarkable consistency. By April 2026, OCR had completed 19 ransomware investigations. On April 23, 2026 alone, OCR announced four settlements at once, totaling more than $1 million across 427,000 patients.
The legal claim is usually a Security Rule violation: inadequate access controls, no encryption, missing audit logs, missing or stale Risk Analysis. The trigger is the ransomware event. The investigation is templated. BST & Co. CPAs, LLP, a Business Associate, paid $175,000 on August 18, 2025, after a ransomware investigation.
The fix is not to prevent every ransomware event. The fix is to make sure that when one happens, the practice can produce a Risk Analysis, evidence of training, executed BAAs with every vendor, and a documented Incident Response Plan. Insurers and OCR look at the same paper trail.
Reason 4: Business Associate Agreement gaps
45 CFR 164.502(e) requires a covered entity to obtain satisfactory assurances, in the form of a written contract, that a Business Associate will appropriately safeguard PHI. MMG Fusion settled with OCR on March 5, 2026 over a breach affecting 15 million individuals. The settlement payment was $10,000 plus a three-year corrective action plan, illustrating how small the financial penalty can be relative to the scale of the breach when OCR exercises enforcement discretion. The corrective action plan is what costs the practice money over time.
The standard estimate is that a mid-market provider has 100 to 300 Business Associate Agreements on file. Most practices do not have a maintained inventory. The same BAA signed five years ago with a vendor who has since been acquired, rebranded, or moved to a sub-processor model is now substantively a different contract. The vendor cannot answer for what they did with PHI, and the practice cannot prove it had satisfactory assurances at the time of the incident.
The fix is a BAA inventory, refreshed annually, with vendor type, BAA execution date, contract expiration, and the specific PHI category each vendor touches. The inventory is a one-page spreadsheet, but it has to be current.
Reason 5: Tracking pixels and impermissible online disclosures
This category did not exist in OCR’s enforcement playbook five years ago. It exists now because patient portals, online appointment booking, and patient-facing forms have moved aggressive marketing analytics inside the HIPAA boundary. OCR’s December 2022 tracking technology bulletin (revised March 2024) set the position that tracking pixels can create PHI when they capture identifiers tied to a healthcare-related page.
The June 2024 federal court ruling in American Hospital Association v. Becerra (N.D. Tex., Fort Worth Division) vacated the portion of that bulletin that applied to unauthenticated public pages. HHS withdrew the appeal in August 2024, so the ruling is final. Authenticated patient portals are still squarely inside HIPAA’s reach. Sam wrote about this in detail in his tracking pixel risk for dermatology practices post.
Class action exposure is the bigger surprise. Donnelly et al. v. Aspen Dental Management, Inc. settled in October 2025 for $18.7 million over Meta Pixel use on Aspen’s appointment booking flow. The plaintiffs sued under California’s wiretapping and consumer protection statutes plus the federal Electronic Communications Privacy Act, none of which depend on the OCR bulletin. The same plaintiffs’ bar is now targeting smaller dental and medical groups.
The fix is a written inventory of every tracking script on the practice website, online booking flow, patient portal, and intake forms, plus a documented decision about each one. Any pixel running on an authenticated portal or a page that captures appointment data has to come off or move to server-side conversion tracking.
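One way to start that inventory, as an added example that is not code from the original post or from NPA: the script below parses a saved copy of a page, lists every external script, image and iframe host, flags a short, assumed list of well-known tracking hosts, and records whether the page also captures data through a form, which is the combination that requires a documented decision. The sample page and the practice hostname are constructed for the example.

```python
# Added example, not code from the original post: parse a saved HTML page from the
# practice site, list every external script/img/iframe host, flag well-known tracking
# hosts, and note whether the page also captures data through a form.
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_TRACKER_HOSTS = {          # assumed, deliberately short list; extend per vendor
    "connect.facebook.net",      # Meta Pixel loader (fbevents.js)
    "www.facebook.com",          # Meta Pixel image beacon (/tr)
    "www.googletagmanager.com",  # Google Tag Manager / gtag.js
    "www.google-analytics.com",  # Google Analytics collection endpoint
}

class TrackerInventory(HTMLParser):
    """Collects external resource hosts and whether the page carries a form."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.origins = {}      # host -> set of tag names loading from it
        self.has_form = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.has_form = True
        src = a.get("src") if tag in ("script", "img", "iframe") else None
        host = urlparse(src).netloc.lower() if src else ""
        if host and host != self.site_host:   # relative and first-party loads are skipped
            self.origins.setdefault(host, set()).add(tag)

def inventory_page(site_host, html):
    """Report external hosts, flagged trackers, and whether a decision is required."""
    p = TrackerInventory(site_host)
    p.feed(html)
    flagged = sorted(h for h in p.origins if h in KNOWN_TRACKER_HOSTS)
    return {
        "external_hosts": {h: sorted(t) for h, t in sorted(p.origins.items())},
        "flagged_trackers": flagged,
        "captures_data": p.has_form,
        # A tracker on a page that captures appointment or intake data needs a
        # documented decision: remove it or move to server-side conversion tracking.
        "needs_decision": bool(flagged) and p.has_form,
    }
# Constructed sample: a booking page loading GTM, the Meta Pixel script and its beacon.
SAMPLE_BOOKING_PAGE = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=GTM-EXAMPLE"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/static/app.js"></script>
</head><body><form action="/book" method="post"><input name="reason"></form>
<img src="https://www.facebook.com/tr?id=0&amp;ev=PageView" width="1" height="1">
</body></html>"""
```

Run `inventory_page` over each saved page (portal, booking flow, intake forms) and keep the output with the dated decision for every flagged host; that record is the inventory OCR and plaintiffs' counsel will ask for.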
What should small practices do next?
If your practice has not produced a written Risk Analysis in the last 12 months, that is the most useful compliance work you can complete this quarter. Pair it with a BAA inventory and a Right of Access intake process and you have addressed the three top OCR enforcement categories with a single coordinated effort.
NPA delivers a written HIPAA Risk Analysis in three weeks for a flat fee of $3,500 to $4,500, structured to match HHS Final Guidance methodology. The deliverable includes the Risk Management Plan under 45 CFR 164.308(a)(1)(ii)(B), a BAA inventory review, and a documentation index mapped to OCR investigation requests. See the HIPAA Risk Analysis service page for the scope, deliverables, and what the engagement looks like week by week.
If your practice is renewing cyber insurance in the next 90 days, read the cyber insurance HIPAA attestation post first. The same Risk Analysis document supports the truthful answer to most attestation questions and protects against the most common claim denial.
Last Updated: June 5, 2026