A one-location MRI clinic. A county ambulance service. A surgical group in Michigan. All of them settled HIPAA investigations with federal regulators in the last 20 months. If you run a small practice and assume enforcement is a hospital problem, the settlement list says otherwise.

Yes, a small practice can be fined for HIPAA violations. The HHS Office for Civil Rights (OCR) enforces HIPAA against covered entities of every size, and its recent enforcement run includes settlements with a single-facility MRI clinic ($25,000), a small surgical group ($10,000), a county EMS provider ($90,000), and a small billing vendor ($80,000). The most common finding across these cases is the same: the organization never conducted the security risk analysis required by 45 CFR § 164.308(a)(1)(ii)(A).

Key Takeaways
  • OCR settles with small entities, not just health systems: recent cases include a $10,000 settlement with a surgical group and a $25,000 settlement with a one-location MRI clinic.
  • The missing risk analysis is the pattern. OCR's own leadership has said the requirement is flagged in four out of five enforcement actions.
  • HIPAA civil penalties were inflation-adjusted effective January 28, 2026. The annual cap for the top tier now reaches $2,190,294 per violation category.
  • The proposed HIPAA Security Rule update is NOT final law. Enforcement of the current rule is what is reaching small practices right now.
  • A documented, current risk analysis is both the first thing OCR asks for and the strongest factor in keeping a violation in the lower penalty tiers.

The settlements nobody at a small practice reads

OCR publishes every resolution agreement on HHS.gov. The press releases about eight-figure hospital settlements get the headlines. The ones that should worry a 15-person practice are the small ones, and there is now a steady run of them.

In October 2024, OCR announced a $90,000 settlement with Bryan County Ambulance Authority, a county EMS provider in Oklahoma, after a ransomware attack encrypted the electronic protected health information (ePHI) of 14,273 patients. OCR’s investigation found the organization had never conducted a compliant risk analysis. That case was also the launch of something bigger: OCR named it the first enforcement action under its Risk Analysis Initiative, a program built specifically to investigate whether regulated entities have done the risk analysis the Security Rule has required since 2003.

The cases that followed stayed small:

Recent OCR settlements with small entities, October 2024 through May 2025

And for the practices that assume the worst case is a five-figure settlement, there is Gulf Coast Pain Consultants: in December 2024, OCR imposed a $1.19 million civil monetary penalty against the Florida pain management practice for Security Rule violations. Penalties, unlike settlements, are imposed, not negotiated.

Why the small dollar amounts are the point

A $10,000 settlement looks almost gentle next to a $1.19 million penalty. It is not gentleness. OCR calibrates resolution amounts to the size and financial position of the entity, which means the agency is deliberately structuring outcomes that small organizations can actually pay. A settlement a small practice can afford is a settlement OCR can pursue.

Every one of these agreements also comes with a corrective action plan, typically two to three years of OCR-monitored remediation: a risk analysis reviewed and approved by regulators, a risk management plan, rewritten policies, staff training with signed certifications, and quarterly reporting of internal violations. For a practice with no compliance staff, the monitoring is often more expensive than the check.

The message to small entities is direct. Enforcement is not reserved for organizations with a legal department.

The one control OCR checks first

Read the resolution agreements back to back and the repetition is striking. In case after case, the covered conduct includes a failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI, the requirement at 45 CFR § 164.308(a)(1)(ii)(A).

This is not a coincidence of ransomware cases. OCR’s then-director said publicly in late 2024 that the risk analysis requirement is flagged in four out of five enforcement actions, and the agency built the Risk Analysis Initiative to increase the number of completed investigations focused on exactly this provision.

The logic from the regulator’s side is simple. When OCR investigates a breach report, the risk analysis is the first document requested, because it answers the threshold question: did this organization ever sit down and figure out where its ePHI lives and what threatens it? A practice that cannot produce one has effectively answered the question for them.

If you want the deeper mechanics of what that document has to contain, and how it differs from the risk management plan OCR asks for next, we broke that down in HIPAA risk analysis vs. risk management.

What a HIPAA fine actually costs in 2026

HIPAA civil monetary penalties are adjusted for inflation every year, and HHS published the current amounts effective January 28, 2026. The structure has four culpability tiers:

HIPAA civil penalty tiers for 2026, with the top-tier annual cap of $2,190,294

Tier Culpability What it means
1 Lack of knowledge You did not know and could not reasonably have known
2 Reasonable cause You knew or should have known, but not willful neglect
3 Willful neglect, corrected Conscious disregard, fixed within 30 days
4 Willful neglect, not corrected Conscious disregard, left unfixed

For the top tier, the annual cap now reaches $2,190,294 per violation category, per calendar year. Two details matter for a small practice:

Culpability is an evidence question, and your risk analysis is the evidence. The difference between Tier 1 and Tier 4 is whether you can demonstrate you made a good-faith effort to identify and manage risk. A current, documented risk analysis is the single strongest artifact for keeping a violation in the lower tiers. Its absence is what “willful neglect” findings are built from.

Violations stack. Penalties are assessed per violation, and a breach that exposes thousands of records across multiple failed safeguards can involve multiple violation categories. The annual cap applies per category, not per incident.

You will find conflicting per-violation dollar figures across compliance blogs, partly because different sites quote different years’ inflation adjustments. When in doubt, the annual HHS penalty adjustment notice in the Federal Register is the source that counts.

About the “new HIPAA Security Rule” you keep hearing about

One more thing worth getting exactly right, because a surprising amount of published content gets it wrong: the sweeping HIPAA Security Rule update that would mandate encryption, multi-factor authentication, and annual penetration testing is a proposed rule, not law.

The Notice of Proposed Rulemaking was published in the Federal Register on January 6, 2025. The comment period closed March 7, 2025, drawing roughly 4,745 comments and organized industry pushback over cost. As of July 2026, no final rule has been issued, and the federal regulatory agenda now projects final action no earlier than July 2027.

So no, you are not currently required to comply with the proposed rule. But notice what actually reached the small practices above: enforcement of the existing Security Rule, the one that has required a risk analysis for over two decades. Waiting to see what the final rule says is a reasonable posture on encryption tooling. It is not a reasonable posture on the risk analysis, because that obligation is already live and already being enforced.

What a small practice should actually do this quarter

Skip the 40-page compliance program for a moment. Based on what OCR keeps finding, the priority order for a small practice looks like this:

  1. Inventory every system that touches ePHI. EHR, imaging systems, billing platform, email, laptops, phones, cloud storage, and every vendor with access. The Vision Upright MRI case started with one server nobody was tracking.
  2. Conduct and document a risk analysis against that inventory. Threats, vulnerabilities, likelihood, impact, in writing, dated. This is the document OCR asks for first.
  3. Turn the findings into a risk management plan. Ranked risks, named owners, target dates. OCR’s initiative has expanded from checking whether the analysis exists to checking whether you acted on it.
  4. Check your business associates. Two of the settlements above were vendors. Their breach becomes your notification obligation, and BAAs are the paper trail OCR reviews.
  5. Repeat annually and after any material change. A risk analysis from 2021 describing systems you no longer run is, for enforcement purposes, close to no risk analysis at all.

If you want a structured way through steps 1 to 3 without hiring a consultant, the HIPAA Security Risk Assessment Tool: Excel + Guide ($57) walks a small practice through the asset inventory, the threat and vulnerability scoring, and the documented output that maps to what 45 CFR § 164.308(a)(1)(ii)(A) requires.

The bottom line

The question “can a small practice get fined for HIPAA violations” has a documented answer: it already happens, at dollar amounts calibrated so that it can happen to almost anyone. The pattern across those cases is not exotic hacking or bad luck. It is the absence of the one foundational document the Security Rule has required all along. That part, at least, is fixable this quarter.

Sources