HIPAA Radar
HIPAA Radar tracks publicly disclosed enforcement actions, settlements, corrective action plans, and penalty decisions under the Health Insurance Portability and Accountability Act (HIPAA). Its purpose is to provide a clear, practical view of how U.S. regulators enforce healthcare privacy and security obligations in real cases.
The radar brings together key information on enforcement trends, including the regulator, the covered entity or business associate involved, the financial penalty or settlement amount, the legal basis of the violation, and the core compliance failures identified in each matter. By presenting these cases in one place, HIPAA Radar helps privacy, legal, compliance, and security teams better understand which weaknesses most often lead to regulatory scrutiny and enforcement.
More than a list of enforcement outcomes, HIPAA Radar is designed as a working compliance resource. It shows how regulators approach issues such as risk analysis, access controls, business associate agreements, impermissible disclosures, breach notification, workforce training, and safeguards for protected health information. This makes it easier to translate enforcement activity into practical lessons for internal compliance programs, privacy governance, and healthcare risk management.
Top of the World Ranch Treatment Center
Public penalty
$103 000
Date
February 19, 2026
Core issue
Phishing / email compromise
Main public findings
OCR publicly described phishing incident involving unauthorized access to an email account containing patient PHI and identified compliance failures under Security Rule (risk analysis).
Providence Medical Institute
Public penalty
$240 000
Date
October 3, 2024
Core issue
Ransomware / cybersecurity safeguards
Main public findings
OCR publicly described ransomware cybersecurity investigation found inadequate restriction of PHI access and business associate agreement failures and identified compliance failures under Security Rule; Business Associate Agreement requirements.
PIH Health, Inc.
Public penalty
$600 000
Date
April 23, 2025
Core issue
Phishing / email compromise
Main public findings
OCR publicly described phishing attack compromised 145 employee email accounts; delayed notices to OCR, individuals, and media and identified compliance failures under Security Rule (risk analysis); Privacy Rule (impermissible disclosure); Breach Notification Rule.
USR Holdings, LLC
Public penalty
$337 750
Date
January 8, 2025
Core issue
Loss / deletion of ePHI
Main public findings
OCR publicly described deletion of ePHI and related safeguards failures, including lack of retrievable exact copies and audit activity records and identified compliance failures under Security Rule (risk analysis; activity records; contingency/copies); Privacy Rule.
Syracuse ASC (Specialty Surgery Center of Central New York)
Public penalty
$250 000
Date
July 23, 2025
Core issue
Ransomware / cybersecurity safeguards
Main public findings
OCR publicly described ransomware attack; delayed notices to affected individuals and HHS Secretary and identified compliance failures under Security Rule (risk analysis); Breach Notification Rule.