HIPAA Enforcement 2026: Sharper and Wider

CEO & Founder at LlamaLab
HIPAA Enforcement in 2026: OCR Expands Its Reach
The HHS Office for Civil Rights (OCR) imposed $4.18 million in HIPAA penalties across 13 enforcement actions in the most recent enforcement year—nearly double the prior year's total. More than 50 Right of Access enforcement actions have now been completed since the initiative launched. In one case, an academic medical center paid a $200,000 settlement for taking more than two years to fulfill a single records request. OCR is not slowing down. It is expanding.
That enforcement push is happening against a backdrop of record-breaking data exposure. More than 375 million individuals were impacted by healthcare breaches in 2025. The Change Healthcare breach alone compromised 192.7 million records. Business associates accounted for 77% of all breached records. The scope of the problem has forced OCR to widen its enforcement posture beyond traditional targets.
$4.18 million in HIPAA penalties across 13 enforcement actions (nearly 2x prior year)
50+ Right of Access enforcement actions completed by OCR
$200,000 penalty against one academic medical center for a 2+ year records delay
Right of Access Gets Teeth
The Right of Access Initiative has become OCR's most active enforcement program. HIPAA requires covered entities to provide individuals access to their protected health information within 30 days of a request—extendable once to 60 days with written notice. OCR has now used that requirement to pursue more than 50 actions against providers who failed to respond within the required window.
The penalties are not limited to outright refusal. Delays, bureaucratic runarounds, and imposing unreasonable fees have all triggered enforcement. The $200,000 settlement with an academic medical center in March 2025 involved a request that went unanswered for more than two years—not because the records did not exist, but because the institution failed to process the request through its system.
A newer dimension of the initiative is parental access. OCR has flagged health systems that apply age-based restrictions—designed to protect adolescent privacy in limited clinical contexts—too broadly, inadvertently blocking parents from accessing their minor children's records. Systems with automated access rules based on patient age are under particular scrutiny.
New Enforcement Frontiers
OCR's 2026 posture extends well beyond Right of Access. The agency has signaled expanded priorities across several enforcement areas that were previously lower-profile.
HIPAA Enforcement: Traditional vs. 2026 Expanded Scope

Traditional Focus
- Access Request Delays: Enforcing the 30-day response window for individual records requests
- Breach Notification: Investigating large-scale breaches and delayed breach reporting
- PHI Safeguards: Ensuring basic administrative, physical, and technical safeguards are in place
- Risk Analysis: Verifying that covered entities have conducted a security risk analysis

2026 Expanded Scope
- Parental Access Rights: Targeting health systems whose age-based restrictions block parents from minor children's records
- Tracking Technology: Requiring entities to demonstrate knowledge and control of pixel, SDK, and analytics data flows
- 42 CFR Part 2 Enforcement: Civil money penalties for mishandling substance use disorder records, effective Feb 16, 2026
- Deeper Corrective Action: More prescriptive corrective action plans requiring demonstrated, ongoing remediation, not paper compliance
Tracking Technology
OCR's scrutiny of tracking technologies—website pixels, software development kits, and analytics tools—has intensified. Any covered entity or business associate that uses tracking code on pages where users interact with PHI must now demonstrate that it understands where data flows and who receives it. The use of Meta Pixel, Google Analytics, or third-party advertising SDKs on patient portals or appointment-scheduling pages has been specifically flagged as a compliance risk.
42 CFR Part 2 Enforcement
OCR launched civil enforcement of 42 CFR Part 2 on February 16, 2026. For the first time, mishandling substance use disorder treatment records carries civil money penalties aligned with HIPAA's tiered structure. Providers and their business associates must now treat SUD records with the same operational rigor as any other PHI category—and in many cases, more. Authorization forms, breach reporting protocols, and privacy notices must all be updated to reflect Part 2 requirements.
Corrective Action Plans
The substance of OCR's corrective action plans is also shifting. Earlier enforcement actions often resulted in corrective action requirements that were broad and process-oriented. Current plans are more prescriptive, requiring entities to demonstrate ongoing security risk management—not just producing a risk analysis document, but showing evidence of review, implementation, and remediation at regular intervals.
What This Means for Law Firms
The enforcement trends cut two ways for plaintiff firms that rely on medical records.
Faster records requests. Increased Right of Access enforcement puts real financial pressure on providers to respond to records requests within the 30-day window. Firms that have historically waited 60–90 days or more for records from unresponsive providers may see faster turnaround as compliance officers prioritize timely responses to avoid OCR scrutiny.
But compliance obligations apply to firms too. Any law firm that handles electronic protected health information is a business associate under HIPAA. That means the same enforcement posture that pressures providers also applies downstream. Three areas deserve attention.
Tracking technology on firm websites. Law firms that use advertising pixels, chat widgets, or analytics SDKs on pages where clients submit health information—intake forms, case evaluation questionnaires, client portals—face the same tracking technology scrutiny as covered entities. If a pixel fires on a page where a claimant describes their injuries or uploads medical records, the firm must demonstrate it understands and controls that data flow.
Business Associate Agreements. With OCR requiring deeper corrective action plans and holding business associates to higher standards, firms should review BAAs with every vendor that touches PHI—record retrieval services, cloud storage providers, case management platforms, and IT contractors. Agreements written before 2025 may not address current breach notification timelines, Part 2 obligations, or corrective action expectations.
SUD record handling. Firms handling cases involving addiction history—DUI-related personal injury, opioid litigation, workers' compensation—must now ensure their authorization forms, storage protocols, and redisclosure practices comply with 42 CFR Part 2 in addition to HIPAA.
The Enforcement Outlook
The Bottom Line
OCR's 2026 enforcement posture is not a single initiative. It is an expansion across multiple fronts: Right of Access, tracking technology, Part 2, parental access, and deeper corrective action requirements. The $4.18 million in penalties and 50-plus completed enforcement actions represent the baseline, not the ceiling.
For law firms that request and handle medical records, the practical takeaway is dual-edged. Provider compliance pressure means faster records. But the same enforcement apparatus that benefits firms on the retrieval side applies to them on the handling side. Tracking technology, BAAs, SUD record protocols, and security risk management all fall within OCR's expanded scope—and all carry real financial exposure.
Stay Ahead of HIPAA Enforcement
LlamaLab retrieves medical records through an encrypted, HIPAA-compliant platform with provider intelligence that tracks response windows and flags compliance requirements—so firms get records faster without adding compliance risk.
Sources: Healthcare Law Insights — Enforcement Ramps Up on Patient Right of Access, Elliott Davis — OCR Signals Expanded HIPAA Enforcement Priorities for 2026, Mondaq/Foley Hoag — HIPAA Enforcement: A Look Ahead at 2026, HHS.gov — HIPAA Enforcement Data.
This article is for informational purposes only and does not constitute legal or medical advice. Consult with qualified professionals for advice specific to your situation.