Nexurion Field Notes · Vol. V · 4 May 2026
HIPAA · Workforce · OCR enforcement · Jack Giordano · 7 pages · ~11 min read

Your annual HIPAA training certificate isn't evidence.

OCR brought 22 HIPAA enforcement actions in the last year and collected $9.9M in settlements and CMPs. Workforce training appears in every published Corrective Action Plan we have read, even when it was not the cited violation. A field reading on what your training file actually needs to defend.


A certificate is a receipt.
OCR wants the program.

HIPAA · 164.530 · OCR · 2024–2025 · May 2026

OCR enforcement, last year · $9.9M · settlements + civil money penalties
Total actions · 22 · second-highest year in OCR history
CAPs requiring training · 22/22 · every published CAP we have read
Single CMP for training failure · $548K · Children's Hospital Colorado · Dec 2024

Most HIPAA training programs we audit end the day the certificate prints. The LMS records completion, the certificate goes into the personnel file, and the file is closed for another year. That is not a program. That is a receipt for a transaction.

OCR's Risk Analysis Initiative gets the headlines, and risk analysis is the dominant 2024–2025 finding. But read the Corrective Action Plans, not the press releases. Every CAP we have read in the last 18 months obligates the entity to augment its workforce training program. Training isn't the violation OCR walks in the door looking for. It's the violation OCR finds once they're inside.

§ 02 · Three real OCR actions · 2024–2025

When workforce training was a finding, not a footnote.

$548K · Dec 2024 · CMP · Hospital · pediatric
Children's Hospital Colorado

A $548,265 civil money penalty following cyberattacks in 2017 and 2020 that affected 14,000+ individuals. Among OCR's findings: failure to train workforce members on HIPAA Privacy Rule requirements. CHC waived its right to a hearing and did not contest the determination. The cleanest "training was the finding" record in the OCR docket.

Source: OCR Final Determination, Dec 2024
$4.75M · Feb 2024 · Settlement · Health system
Montefiore Medical Center · malicious insider

A workforce member stole and sold patient data. The breach was the headline; the OCR-cited Security Rule failures around access management, audit controls, and risk analysis were the substance. The CAP obligated Montefiore to retrain workforce on HIPAA policies and to report workforce non-compliance to OCR. That is sanctions-program language, not training-program language.

Source: HHS press release, 6 Feb 2024
$175K · Aug 2025 · Settlement · Business associate
BST & Co. CPAs, LLP · NY public-accounting BA

A $175,000 settlement after a ransomware incident at a HIPAA business associate. OCR cited Security Rule risk-analysis failures. The CAP explicitly required BST to "augment its existing HIPAA and security training program" and provide annual training to all workforce members with PHI access. The BA training obligation, in OCR's own language.

Source: HHS press release, Aug 2025

Citations · OCR resolution agreements + press releases at hhs.gov/hipaa/for-professionals/compliance-enforcement · 2024 enforcement summary: 22 actions, $9.9M collected, per WilmerHale (Jan 2025)

§ 03 · The artifact

The sanctions register OCR actually wants to see.

The empty register is the implausible artifact. Most workforce populations of any size produce policy violations every quarter, small ones mostly. The defensible register names them, names the response, and dates the closure.

Ours, in plate-style monospace, is rendered to the right. Six columns, one row per event, every cell traceable to a documented action. Empty rows for a 24-month period are themselves a finding.

§ 04 · The packet

Four documents turn a certificate into a sanctions program.

Not four binders: four documents. Short, current, signed. This is the file an OCR data-request letter actually opens, in the order it opens it.

Doc 01

Role-based training matrix

Every workforce role mapped to the module it receives, the cadence at which it is delivered, and the named author. One page; updated when roles change.

Source · 164.530(b) · 164.308(a)(5)
Doc 02

Reinforcement schedule

A calendar of micro-content: monthly two-minute modules, quarterly tabletop, annual full-length. Cadence is the program; cadence is what OCR asks for.

Cited gap · §02 · 2025 specialty case
Doc 03

Sanctions register

Date · role · event · sanction · documentation reference · closure. Empty registers are findings; populated-and-graduated registers are the defense.

Cited gap · §02 · 2024 hospital case
Doc 04

Remediation triggers

The workflow that names which events automatically produce targeted retraining: small breach, near-miss, complaint. Workflow plus dated retraining records, one folder per trigger.

Cited gap · §02 · 2025 BA case
Sanctions policy without a sanctions program is not a defense. It is the language OCR cites when it writes the resolution agreement.

- Resolution Agreement & Corrective Action Plan, 45 CFR 164.530(e), pattern across 2024–2025 OCR settlements

§ 05 · The rebuild

A 90-day rebuild for BA-led organizations.

Business associates carry the parallel obligation under 164.530's flow-through, and OCR enforcement against BAs accelerated through 2023. The four-document program scales down cleanly to a BA workforce in 90 days; we have run this sequence on six engagements since Q3 2024.

Days 1–14
Matrix.

Inventory roles. Three to five categories is enough for most BAs. Map each role to a module that already exists, or to one we author during this period.

Days 15–45
Reinforcement.

Stand up the monthly cadence. Two minutes is enough; consistency is the artifact OCR is looking for.

Days 46–75
Register.

Backfill the sanctions register from the last 12 months of incident logs, including the small ones. Empty registers are the worst finding.

Days 76–90
Triggers.

Write the four-trigger workflow. Test it once on a real or simulated event. Document the test. Hand it to the compliance officer to sign.

§ 06 · Retractions

Three positions we are willing to retract.

The cases in §02 are real and publicly cited. The thesis is ours. If the next 12 months show otherwise, we will say so in print, in the next volume's masthead.

  • If OCR shifts away from training-program CAP requirements in 2026 (if the BST language stops appearing in resolution agreements), §02's framing weakens.
  • If the four documents in §04 do not match what OCR data-request letters open with in three consecutive cases we see this year, the packet is over-prescribed.
  • If a major LMS vendor introduces a sanctions-register and reinforcement-cadence module that OCR explicitly accepts as a substitute, §05 becomes a configuration exercise rather than a rebuild.

The 2024–2025 pattern (22 actions, $9.9M, training in every CAP) is unambiguous. We will revise here if 2026 inverts it.

OCR data-request letter, or a quiet rebuild?

A 45-minute call. We walk your training file against the four documents above and tell you which two are missing. No deck, no nurture sequence, no follow-up unless you reply.