
HIPAA Radar tracks publicly disclosed enforcement actions, settlements, corrective action plans, and penalty decisions under the Health Insurance Portability and Accountability Act (HIPAA). Its purpose is to provide a clear, practical view of how U.S. regulators enforce healthcare privacy and security obligations in real cases.


The radar brings together key information on enforcement trends, including the regulator, the covered entity or business associate involved, the financial penalty or settlement amount, the legal basis of the violation, and the core compliance failures identified in each matter. By presenting these cases in one place, HIPAA Radar helps privacy, legal, compliance, and security teams better understand which weaknesses most often lead to regulatory scrutiny and enforcement.


More than a list of enforcement outcomes, HIPAA Radar is designed as a working compliance resource. It shows how regulators approach issues such as risk analysis, access controls, business associate agreements, impermissible disclosures, breach notification, workforce training, and safeguards for protected health information. This makes it easier to translate enforcement activity into practical lessons for internal compliance programs, privacy governance, and healthcare risk management.

BayCare Health System

Penalty: $800,000
Date: May 28, 2025
Core issue: Insider access and monitoring failures

Main public findings:
OCR publicly cited weak workforce access controls, insufficient monitoring, and failures to detect or prevent improper PHI access.

Cause of the violation:
No adequate enterprise-wide risk analysis and incomplete risk management; poor workforce access governance and log review.

Description of events:
Improper employee access to electronic PHI; insufficient minimum-necessary access controls, risk management, and activity review. The matter involved an individual patient request or disclosure and ended with a settlement and corrective action plan.

Recommendations:
Perform and document regular risk analyses, enforce MFA, patch and harden systems, monitor logs, and test backups and incident response; apply least-privilege access, timely deprovisioning, periodic access reviews, and continuous audit-log monitoring.

Source:
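The findings above turn on two failures that an access review of EHR audit logs can catch: accounts still active after a workforce member leaves (a deprovisioning gap) and record views with no documented care relationship (a minimum-necessary gap). The script below is an added illustration of such a review and is not code from HIPAA Radar, OCR, or BayCare; the CSV audit format, the HR roster, the care-relationship table and every user and patient identifier in it are constructed for the example and must be mapped to your own EHR audit export and identity source.

```python
"""Review constructed EHR access-audit records for improper workforce access.

Added example, not from the original page. The log layout, roster and
care-relationship table are assumptions invented for the illustration.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: user -> termination date (None = still employed).
# In production this comes from the HR system or IdP, never from a literal.
ROSTER: dict[str, date | None] = {
    "jdoe": None,
    "asmith": None,
    "rlee": date(2025, 1, 15),  # left the organization; account should be disabled
}

# Constructed care-relationship table: (user, patient_id) pairs with a documented
# treatment, payment or operations reason to open the record.
CARE_RELATIONSHIPS: set[tuple[str, str]] = {
    ("jdoe", "P1001"), ("jdoe", "P1002"),
    ("asmith", "P1003"),
}

# Constructed EHR access-audit export. Column names are assumptions.
AUDIT_LOG = """\
timestamp,user,patient_id,action
2025-02-03T08:12:00,jdoe,P1001,view_chart
2025-02-03T08:20:00,jdoe,P1002,view_chart
2025-02-03T09:02:00,asmith,P1003,view_chart
2025-02-03T09:05:00,asmith,P1001,view_chart
2025-02-03T13:40:00,rlee,P1004,view_chart
2025-02-03T13:41:00,rlee,P1005,view_chart
2025-02-03T14:00:00,svc_legacy,P1001,view_chart
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    patient_id: str
    timestamp: str


def parse_audit_log(text: str) -> list[dict[str, str]]:
    """Parse the CSV export into one dict per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(rows, roster, relationships) -> list[Finding]:
    """Apply the deprovisioning and minimum-necessary checks to each event."""
    findings: list[Finding] = []
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        user, patient = row["user"], row["patient_id"]
        # Rule 1a: the account is not tied to any known workforce member.
        if user not in roster:
            findings.append(Finding("unknown_account", user, patient, row["timestamp"]))
            continue
        # Rule 1b: the account was used after the HR termination date.
        term = roster[user]
        if term is not None and ts.date() > term:
            findings.append(Finding("terminated_account_use", user, patient, row["timestamp"]))
            continue
        # Rule 2: no documented care relationship justifies viewing this record.
        if (user, patient) not in relationships:
            findings.append(Finding("no_care_relationship", user, patient, row["timestamp"]))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings per rule for the review report."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = review_access(parse_audit_log(AUDIT_LOG), ROSTER, CARE_RELATIONSHIPS)
    for f in results:
        print(f"{f.timestamp} {f.rule:24} user={f.user} patient={f.patient_id}")
    print(summarize(results))
```

Rule 1 only works if the roster is fed from the authoritative HR or identity source and the review runs on a schedule, which is why "timely deprovisioning" and "continuous audit-log monitoring" belong together; Rule 2 needs a care-relationship feed (scheduling, care-team assignment, billing) and will produce legitimate exceptions such as emergency access, so findings should go to a human review queue rather than be treated as violations on their own.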
