
Enforcement of the Health Insurance Portability and Accountability Act (HIPAA) is a bipartisan mandate. Protecting the privacy of protected health information (PHI) has remained a priority for HIPAA enforcement under Trump.
Cyber threats to healthcare have increased over the past decade, and accountability remains a top priority for regulators. Enforcement trends from the first Trump administration (2017–2020) through Biden’s term (2021–2024) and to the present show that, as cyber threats to healthcare continue to grow dramatically, protecting patient data is more urgent and vital than ever.
Major breaches, such as the 2024 Change Healthcare incident, demonstrate that lax cybersecurity poses a significant threat to national security and healthcare. The Change Healthcare data breach affected over 192 million people, more than half of the U.S. population, and cost the healthcare sector billions of dollars.
The U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are the primary enforcers of HIPAA at the federal level; however, states and civil lawsuits also play a role in upholding privacy rights. Class action lawsuits play an increasingly large role in holding non-compliant organizations accountable when individuals experience a data breach.
The Bipartisan Consensus: Security and Cyberattacks
Across all administrations, there is no significant difference between the two major political parties regarding the HIPAA Security Rule. Both the first Trump administration and the Biden administration prioritized enforcement related to fundamental security failures. This consensus is driven by the reality that cybersecurity is a critical bipartisan priority because healthcare is part of the United States’ critical infrastructure.
The Catastrophic Rise of Hacking and HIPAA Violations
The data is overwhelming and illustrates a sector under attack:
- From 2020 through 2024, major health data breaches reported to the HHS Office for Civil Rights (OCR) saw hacking incidents increase by 30% and ransomware attacks rise by 45%.
- In 2024, 81% of major breaches affecting 500 or more individuals reported to the OCR involved hacking.
These cybersecurity incidents have resulted in substantial financial losses for the industry and have affected millions of individuals whose personal information was compromised. This level of damage has required cooperation among federal agencies, including the FBI, HHS, and CISA, to help the healthcare sector defend against cyber threats that jeopardize the delivery of healthcare services.
Enforcement Priority: New OCR Leadership and Risk Analysis
Enforcement today focuses on holding organizations accountable for neglecting the most fundamental safeguard: the HIPAA Risk Analysis.
OCR also continues to pursue investigations under its Right of Access Initiative, which has been active since 2019.
OCR’s Risk Analysis Initiative
HIPAA has long mandated that covered entities and business associates conduct a Risk Analysis and implement a Risk Management plan.
In 2024, the OCR launched a Risk Analysis Initiative to emphasize the importance of this essential requirement. The initiative has already led to numerous enforcement actions, demonstrating that compliance with the Security Rule’s risk analysis provision remains a top priority.
- The Problem: The most significant failure among regulated entities, identified during the last audit phase (2016-2017) and confirmed by enforcement over the past decade, is the inability to conduct accurate and thorough HIPAA risk analyses.
- The Impact: As then-OCR Director Melanie Fontes Rainer noted, “Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware.” Settlements, such as those involving the Guam Memorial Hospital Authority ($25,000) and BST & Co. CPAs, LLP ($175,000), demonstrate that even after an attack, the primary reason OCR imposes a penalty is often a lack of proper risk analysis. Corrective Action Plans always require the entity to conduct a detailed risk analysis and develop a risk management plan.
OCR’s Right of Access Initiative
In 2019, during Trump’s first term, OCR launched the Right of Access Initiative to emphasize this fundamental right of patients to access their own medical records. According to HIPAA’s right of access rules, healthcare providers must promptly provide patients with access to their medical records and cannot charge unreasonable fees for doing so.
New Leadership, Continued Priorities
In June 2025, the Trump administration appointed Paula M. Stannard as the new Director of the OCR. Ms. Stannard, with her extensive background in HHS policy from her service under the first Trump and George W. Bush administrations, brings thorough familiarity with the Privacy Rule and administrative law.
Despite any administrative restructuring or budget cuts, Ms. Stannard remains committed to advancing the “significant and highly visible priorities of OCR.” Regulatory experts agree that her leadership is unlikely to slow the enforcement trend established by the Risk Analysis Initiative, as these actions address a core, bipartisan cybersecurity challenge.
Enforcement Targets All Entities, Large and Small
HIPAA enforcement is not limited to the biggest names. OCR consistently shows that its mandate applies to organizations of all sizes and types. Below are six examples of enforcement actions and the settlement amounts paid to resolve them, all announced this year.
- Large Hospital Network (PIH Health Inc.) paid $600,000 for a failed risk analysis and a breach notification failure following a phishing attack
- Small Provider (Comprehensive Neurology, PC) paid $25,000 for a failed risk analysis following a ransomware attack
- Small Imaging Center (Vision Upright MRI) paid $5,000 for a failed risk analysis and a breach notification failure involving an unsecured server
- Business Associate (BST & Co. CPAs, LLP) paid $175,000 for a failed risk analysis following a ransomware attack
- Public Hospital (Guam Memorial Hospital) paid $25,000 for a failed risk analysis following a ransomware attack
- Public Health Center and University (Oregon Health & Science University) paid $200,000 for failing to provide patients their right of access
These enforcement actions from 2025 reveal two ongoing priorities that go beyond any administration:
- Risk Analysis Initiative: Risk Analysis failure is the single most significant cause of financial penalties.
- Right of Access Initiative: Begun in 2019 under the first Trump administration, this enforcement initiative remains a priority, with OCR continuing to settle investigations into patients being denied timely access to their records (e.g., the 53rd action against Oregon Health & Science University).
The Multi-Layered Enforcement Landscape
Regulated entities must contend with enforcement from federal regulators, state officials, and private litigants.
HIPAA is Not Political, But Reproductive Rights Are
While the Security Rule is universally enforced, parts of the Privacy Rule have been influenced by political priorities. Last year’s changes to the Privacy Rule, aimed at protecting reproductive health privacy, were halted when a federal district court in Texas ruled that the changes were invalid nationwide.
The Privacy Rule remains in full force and effect and continues to be enforced.
Furthermore, State Attorneys General have independent authority under the HITECH Act to enforce HIPAA and related state privacy laws. Some states have passed health privacy laws protecting the reproductive healthcare rights of their citizens.
Class Action Lawsuits Drive Compliance
HIPAA does not give individuals a direct right to sue, but class action lawsuits filed by private plaintiffs have become one of the most aggressive ways to enforce patient privacy. Plaintiffs' lawyers bring claims under state tort and privacy laws, often citing HIPAA violations as evidence that a provider failed to meet the applicable standard of care; the resulting financial pressure drives settlements.
Conclusion: Follow the Fundamentals of HIPAA
Despite political shifts, budget cuts, and new leadership, the core message for HIPAA-regulated entities stays the same: Strong compliance is the best protection against regulatory investigations, state actions, and private lawsuits.
The main step to strengthen your defense and fight the rising threat of cyberattacks is the HIPAA Risk Analysis. By emphasizing this key requirement and providing workforce training, organizations not only avoid penalties but also help protect patient privacy, which is the basis of quality healthcare.
The proposed updates to the Security Rule, including requirements for annual risk analyses and detailed documentation, highlight that proactive security measures are now a mandatory best practice, regardless of the pace of federal rulemaking.

