OCR Enforcement Trends in 2026: What's Getting Investigated
By ComplyCreate Editorial Team · Published Apr 24, 2026 · 10 min read
HHS Office for Civil Rights (OCR) has been active in 2026, continuing enforcement patterns established in recent years while expanding focus to new areas including reproductive health privacy and AI-generated health data. Here's an analysis of what OCR is prioritizing, what violations are driving Resolution Agreements and Civil Money Penalties, and what every covered entity and business associate should check now.
Priority 1: Right of Access Failures
OCR's Right of Access Initiative, launched in 2019, has continued to produce enforcement actions in 2026. Under 45 CFR § 164.524, a covered entity must act on an access request within 30 calendar days (one 30-day extension is permitted if the individual receives written notice of the reason and the expected completion date within the initial 30 days), must provide the records in the form and format requested if readily producible, including an electronic copy of ePHI, and may charge only a reasonable, cost-based fee covering labor for copying, supplies, postage, and preparation of a summary if the individual asked for one.
The most common violations driving right of access enforcement in 2026:
- Failing to respond within 30 days (or within 60 days where the entity gave written notice of a single 30-day extension during the initial 30 days; a second extension is not available)
- Providing incomplete records — particularly omitting imaging, lab results, or records from affiliated providers
- Charging excessive fees that function as deterrents (OCR has consistently found fees above cost-based amounts improper)
- Refusing access based on outstanding balances (the Privacy Rule does not permit conditioning access on payment of outstanding bills)
- Requiring patients to pick up physical records when electronic delivery was requested
Right of access violations often result from paper-based records processes that cannot efficiently fulfill electronic access requests, or from front-desk staff unfamiliar with the 30-day timeline. OCR Resolution Agreements for right of access violations frequently include corrective action plans requiring staff training and updated policies, in addition to settlement amounts that have ranged from a few thousand dollars for small practices to $240,000.
Priority 2: Ransomware and Cybersecurity Incidents
Ransomware attacks on healthcare organizations remain a major driver of OCR investigations in 2026. Under OCR's ransomware guidance and the Breach Notification Rule, encryption of ePHI by ransomware is an unauthorized acquisition of that ePHI and is presumed to be a reportable breach unless the covered entity can show, through the four-factor risk assessment in 45 CFR § 164.402(2) (nature and extent of the PHI, who obtained it, whether it was actually acquired or viewed, and the extent of mitigation), a low probability that the PHI was compromised. Few organizations hit by modern ransomware, which typically exfiltrates data before encrypting it, can make that showing, so notification to HHS is usually mandatory. One exception: ePHI that the entity had already encrypted consistent with HHS guidance, with the key not compromised, is not "unsecured PHI", and its re-encryption by an attacker is not a reportable breach.
OCR's post-breach investigations typically focus on the Security Rule deficiencies that allowed the breach to occur:
- Missing or outdated Security Risk Analysis (§ 164.308(a)(1)(ii)(A)): This remains the most commonly cited deficiency in cybersecurity enforcement. OCR expects an accurate, thorough, enterprise-wide analysis covering every system that creates, receives, maintains, or transmits ePHI; a risk analysis that never identified the exploited vulnerability, or that covered only part of the environment, is treated as evidence of an inadequate process.
- Failure to implement risk management: Even where an SRA was conducted, failure to implement reasonable security measures to address identified risks violates § 164.308(a)(1)(ii)(B).
- Insufficient access controls: Many ransomware breaches begin with compromised credentials. Lack of multi-factor authentication, excessive access privileges, and shared login credentials are commonly cited under the access control standard (§ 164.312(a)(1)) and the risk management standard. The current Security Rule does not name MFA explicitly; the Security Rule update HHS proposed in January 2025 would make it an express requirement.
- No workforce training on phishing: Phishing remains one of the most common initial access vectors for ransomware. The security awareness and training standard (§ 164.308(a)(5)) requires a program for all workforce members, and the absence of documented phishing awareness training is a consistent finding.
- Slow breach notification: Individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery (§ 164.404). For breaches affecting 500 or more individuals, HHS and prominent media outlets in the affected state must be notified within the same 60-day window; breaches affecting fewer than 500 individuals are reported to HHS within 60 days after the end of the calendar year in which they were discovered (§ 164.408). A business associate must notify the covered entity within 60 days of discovery, and where the business associate acts as the covered entity's agent, the business associate's discovery starts the covered entity's clock. Delays beyond these windows are cited as separate violations.
Notable 2026 enforcement actions in the cybersecurity space have involved community hospitals, physician groups, and health IT vendors — OCR continues to pursue enforcement against organizations of all sizes.
Priority 3: Missing and Deficient Business Associate Agreements
BAA compliance continues to generate enforcement actions in 2026, including against both covered entities and business associates directly (under HITECH's direct liability provisions). Common BAA-related violations:
- No BAA in place: Disclosing PHI to a vendor without a signed BAA is an impermissible disclosure under § 164.502(e), and for penalty purposes OCR treats each day the relationship continues as a separate violation (45 CFR § 160.406). OCR has imposed penalties in cases where a covered entity had been using a vendor for months or years without a BAA.
- Expired or lapsed BAAs: BAAs without renewal clauses that have technically expired — or where the vendor's services have expanded beyond what the BAA covers — create compliance gaps.
- BAAs missing required provisions: Under 45 CFR § 164.504(e), a BAA must establish the permitted and required uses and disclosures; prohibit further use or disclosure beyond the agreement or the law; require appropriate safeguards, including Security Rule compliance for ePHI; require reporting of any use or disclosure not provided for by the contract, including breaches of unsecured PHI; flow the same restrictions down to subcontractors; make PHI available for individual access, amendment, and accounting of disclosures; make the business associate's practices and records available to HHS; require return or destruction of PHI at termination where feasible; and authorize the covered entity to terminate if the business associate violates a material term. Generic contract language that omits any of these elements is non-compliant.
- Business associate will not sign the customer's BAA: Some vendors decline customer paper and offer only their own terms. That is acceptable only if the vendor's document contains every element § 164.504(e) requires; the covered entity remains liable for the gap if it does not. Check whichever party's document is used against § 164.504(e) before relying on it, and use a properly structured BAA template for vendors that will sign yours.
Priority 4: Reproductive Health Privacy Violations
Following the 2022 Dobbs decision and subsequent state abortion laws, HHS issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy final rule (published April 26, 2024; effective June 25, 2024; compliance date December 23, 2024 for the substantive provisions and February 16, 2026 for the related Notice of Privacy Practices changes). OCR has begun investigating violations of this rule in 2025–2026.
The rule prohibits covered entities and business associates from using or disclosing PHI to conduct a criminal, civil, or administrative investigation of, or to impose liability on, any person for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the law of the state where it was provided or is protected by federal law. It also requires a signed attestation (§ 164.509) before PHI potentially related to reproductive health care is disclosed for health oversight, judicial or administrative proceedings, law enforcement, or coroner and medical examiner purposes. The care is presumed lawful unless the entity has actual knowledge otherwise or the requester supplies a substantial factual basis that it was not. Key enforcement focus areas:
- Disclosing PHI to law enforcement for the prohibited investigative purpose, or releasing PHI that may relate to reproductive health care for any of the four attestation-covered purposes without first obtaining the required attestation (a subpoena or court order does not by itself remove either requirement)
- Using claims data or pharmacy records for reproductive health investigations
- Failing to update the Notice of Privacy Practices to reflect the new protections (compliance date February 16, 2026)
This is a politically sensitive enforcement area, and its legal footing has shifted: in Purl v. HHS (N.D. Tex., June 2025) a federal district court vacated the reproductive health provisions of the 2024 rule nationwide, leaving the Part 2-related notice changes in place. Confirm the rule's current status, including any appeal or replacement rulemaking, before relying on this section. OCR has issued guidance and is monitoring compliance closely. Covered entities should still review their NPPs against the February 16, 2026 deadline and make sure their law enforcement disclosure procedures document how requests touching reproductive health care are handled under whatever version of the rule is in force.
Priority 5: Impermissible PHI Disclosures Online
OCR has increasingly focused on online tracking technologies that transmit PHI to third parties without authorization. OCR's December 2022 bulletin on tracking technologies, updated in March 2024, treats a website's or app's disclosure of identifiable information about an authenticated user (a patient-portal visitor, a logged-in app user) to a pixel, cookie, or analytics vendor as a disclosure of PHI. (The bulletin's broader theory that an IP address plus a visit to an unauthenticated page about a health condition is itself PHI was vacated in AHA v. Becerra, N.D. Tex., June 2024.) Unless the vendor signs a BAA, which the major advertising and analytics platforms generally will not do for their pixel and analytics products, the tracking must be removed from authenticated pages or a valid HIPAA authorization obtained from each individual before the data is sent.
In 2025, OCR settled cases involving hospital websites that used Meta Pixel and Google Analytics in ways that transmitted PHI. In 2026, OCR has signaled continued attention to:
- Patient portal authentication pages that include tracking code
- Telehealth platforms with embedded analytics that capture session data
- Health apps and digital therapeutics that share usage data with advertising partners
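An added example (not code from the article, from OCR, or from any vendor) of how that audit can be done offline: a Node.js script that takes outbound requests captured from a patient-portal page, for instance exported from browser DevTools as a HAR file, and flags third-party requests that hit a known tracker collection endpoint or that receive an authenticated page URL through the Referer header or through the tracker's own document-location ("dl") parameter. The hostnames, paths, tracker IDs, sample requests, the short tracker endpoint list, and the portal path markers are all constructed assumptions to be replaced with your own inventory.

```javascript
// Added example (not from the original article or from OCR): audit a list of
// outbound requests captured from a patient-portal page and flag third-party
// tracking calls that receive the authenticated page's URL.
// Request records mimic the fields of a browser HAR export (url, referer,
// postData); all hostnames, paths, IDs and sample requests are constructed.

// Well-known collection endpoints of common trackers (assumption: extend for
// your own stack). The "/tr(\/|$)" form avoids matching paths like "/tracking".
const KNOWN_TRACKERS = [
  { name: 'Meta Pixel',         host: /(^|\.)facebook\.com$/,         path: /^\/tr(\/|$)/ },
  { name: 'Google Analytics 4', host: /(^|\.)google-analytics\.com$/, path: /^\/g\/collect/ },
  { name: 'Google Tag Manager', host: /(^|\.)googletagmanager\.com$/, path: /^\/gtm\.js/ },
];

// Path fragments that only appear after login on the hypothetical portal.
// Assumption: adjust to the real portal's route layout.
const AUTHENTICATED_PATH_MARKERS = ['/portal/', '/mychart/', '/appointments', '/results', '/messages'];

function hostname(url) {
  return new URL(url).hostname.toLowerCase();
}

// First party means the registrable domain itself or any subdomain of it;
// a lookalike such as example-health.org.evil.net is correctly third party.
function isThirdParty(url, firstPartyDomain) {
  const h = hostname(url);
  return h !== firstPartyDomain && !h.endsWith('.' + firstPartyDomain);
}

// Returns the tracker name if the request hits a known collection endpoint.
function identifyTracker(url) {
  const u = new URL(url);
  const hit = KNOWN_TRACKERS.find(t => t.host.test(u.hostname) && t.path.test(u.pathname));
  return hit ? hit.name : null;
}

// Every channel through which the recipient learns the originating page:
// the Referer header and a "dl" parameter in the query string or POST body.
function pageContextFrom(req) {
  const sources = [];
  if (req.referer) sources.push(req.referer);
  const dl = new URL(req.url).searchParams.get('dl');
  if (dl) sources.push(dl);
  if (req.postData) {
    const bodyDl = new URLSearchParams(req.postData).get('dl');
    if (bodyDl) sources.push(bodyDl);
  }
  return sources;
}

function isAuthenticatedPage(pageUrl) {
  try {
    const p = new URL(pageUrl).pathname.toLowerCase();
    return AUTHENTICATED_PATH_MARKERS.some(m => p.includes(m));
  } catch {
    return false; // not a parseable URL, so no page context to leak
  }
}

// One finding per third-party request that is either a known tracker or
// receives an authenticated page URL through any channel.
function auditRequests(requests, firstPartyDomain) {
  const findings = [];
  for (const req of requests) {
    if (!isThirdParty(req.url, firstPartyDomain)) continue;
    const tracker = identifyTracker(req.url);
    const leaked = pageContextFrom(req).filter(isAuthenticatedPage);
    if (tracker === null && leaked.length === 0) continue;
    findings.push({
      host: hostname(req.url),
      tracker: tracker ?? 'unidentified third party',
      leaksAuthenticatedPage: leaked.length > 0,
      leakedPages: leaked,
    });
  }
  return findings;
}

// Constructed sample: three requests captured while a logged-in patient views
// portal pages, plus one tracker call from a public marketing page.
const SAMPLE_REQUESTS = [
  { url: 'https://portal.example-health.org/api/appointments/4411',
    referer: 'https://portal.example-health.org/portal/appointments?visit=oncology' },
  { url: 'https://www.facebook.com/tr?id=1234567890&ev=PageView&dl=' +
         encodeURIComponent('https://portal.example-health.org/portal/appointments?visit=oncology'),
    referer: 'https://portal.example-health.org/portal/appointments?visit=oncology' },
  { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-ABC123&dl=' +
         encodeURIComponent('https://www.example-health.org/services/cardiology'),
    referer: 'https://www.example-health.org/services/cardiology',
    postData: 'en=page_view&_et=100' },
  { url: 'https://cdn.example-static.net/widgets/chat.js',
    referer: 'https://portal.example-health.org/portal/results?order=4411' },
];

function runSampleAudit() {
  return auditRequests(SAMPLE_REQUESTS, 'example-health.org');
}

for (const f of runSampleAudit()) {
  console.log(`${f.host}: ${f.tracker}${f.leaksAuthenticatedPage ? ' receives an authenticated page URL' : ''}`);
}
```

Run it with `node audit.js`. Two of the three findings matter most: the pixel that receives the full portal URL, query string included, through its own `dl` parameter, and the unidentified CDN that learns the portal page from the Referer header alone. A `Referrer-Policy: strict-origin-when-cross-origin` response header closes the second channel but not the first, because the tracker script sends the document location itself; that call has to be removed from authenticated pages or the vendor brought under a BAA.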
What to Do Now
Based on 2026 enforcement trends, the highest-priority compliance actions are:
- Audit your patient access request process — confirm 30-day response time, proper fee structure, and digital delivery options
- Conduct or update your Security Risk Analysis — ensure it addresses current threats including ransomware and phishing
- Inventory all vendor relationships and confirm BAAs exist and contain required provisions
- Confirm your NPP was updated by the February 16, 2026 compliance date for the Part 2 and reproductive health notice changes, and verify the current status of the reproductive health rule following its June 2025 vacatur in Purl v. HHS
- Audit website tracking technologies — remove or BAA-cover any tools that transmit PHI to third parties
What to do next
- → Generate BAAs for all your vendors at baagenerator.com ($49)
- → Update your NPP for 2026 requirements at nppgenerator.com ($49)
- → Walk through your Security Risk Analysis
- → Understand HIPAA penalty tiers
- → See the full 2026 regulatory changes roundup