HIPAA BAA Enforcement Actions: What OCR Has Penalized

By BAA Generator Editorial  ·  Published Apr 19, 2026  ·  Last reviewed Apr 19, 2026  ·  6 min read

Key Takeaways

Direct answer: OCR has penalized organizations for: no BAA with a vendor handling PHI, inadequate BAA provisions, failure to include subcontractor BAA requirements, and sharing PHI with vendors before executing a BAA.

Understanding actual OCR enforcement provides a realistic picture of what the consequences of BAA failures look like. The pattern across enforcement cases is consistent: BAA gaps rarely cause enforcement alone — they combine with other compliance failures to constitute a systemic problem OCR takes seriously. Knowing what a BAA is required to contain helps prevent the most common compliance failures.

Real OCR Enforcement Actions Involving BAAs

Lifespan Health System (2021) — $1.04 million

Lifespan settled with OCR for $1.04 million and a corrective action plan. The investigation was triggered by a breach involving an unencrypted laptop. Among the findings: Lifespan had not entered into a BAA with a business associate that had access to PHI on the device. The case illustrates how a device security incident exposes underlying documentation failures during investigation.

University of Rochester Medical Center (2019) — $3 million

URMC settled for $3 million. The investigation, initiated after two breach reports involving lost/stolen unencrypted devices, revealed systemic compliance failures including issues with business associate oversight. The settlement required a comprehensive corrective action plan covering BAA management alongside encryption and device controls.

Cottage Health (2018) — $3 million

Cottage Health settled a combined action with OCR and the California Attorney General for $3 million. The breach involved a business associate's misconfigured server exposing PHI. OCR found that Cottage had a BAA in place but had failed to adequately monitor and oversee the BA's compliance — demonstrating that having a BAA is necessary but not sufficient; the CE must also monitor BA compliance.

CardioNet (2017) — $2.5 million

CardioNet, a business associate, settled for $2.5 million after a breach involving an unencrypted laptop. The investigation revealed, among other issues, that CardioNet had not entered into BAAs with its own subcontractors — demonstrating that sub-BAA requirements (45 CFR § 164.308(b)(2)) are actively enforced against business associates, not just covered entities.

QCA Health Plan (2014) — $250,000

QCA Health Plan settled for $250,000 after a breach investigation revealed that the plan had disclosed PHI to a business associate without a proper BAA. This is a direct "no BAA" enforcement case: the smaller settlement amount reflects the organization's size, but the case illustrates OCR's willingness to pursue BAA-specific violations.

Penalty Tiers for BAA Violations

Civil monetary penalties under HIPAA are structured in four tiers based on the organization's culpability level. These amounts are inflation-adjusted annually by HHS (current figures as of 2024):

Tier   | Culpability level                                                              | Per-violation range  | Annual cap per violation category
-------|--------------------------------------------------------------------------------|----------------------|----------------------------------
Tier 1 | Unknowing — did not know and with reasonable diligence could not have known    | $141–$71,162         | $71,162
Tier 2 | Reasonable cause — knew or should have known, but not willful neglect          | $1,424–$71,162       | $71,162
Tier 3 | Willful neglect, corrected within the required timeframe                       | $14,232–$71,162      | $71,162
Tier 4 | Willful neglect, not corrected                                                 | $71,162–$1,919,173   | $1,919,173

A "violation" can be counted per-occurrence (each instance of sharing PHI without a BAA), per-day (each day the violation continued), or per-affected-individual, depending on OCR's determination. A single missing BAA for a billing service that processed claims for a full year could theoretically represent 365 separate daily violations before annual caps apply — though in practice, OCR applies a more holistic analysis in negotiated settlements.

What Makes OCR More Likely to Investigate

OCR investigation triggers, in rough order of frequency:

State Attorney General Actions for BAA Violations

In addition to OCR, state attorneys general have authority under HITECH to bring HIPAA enforcement actions on behalf of state residents. Several states — including New York, Connecticut, Massachusetts, and California — have active HIPAA enforcement programs. State AG penalties are separate from OCR penalties and can be imposed concurrently.

Notably, California's CMIA (Confidentiality of Medical Information Act) and New York's SHIELD Act impose additional requirements and penalties beyond federal HIPAA. An organization with a BAA violation that also affects residents of these states may face layered regulatory exposure.

For a practical guide to staying compliant, see the HIPAA BAA audit readiness checklist.

Frequently Asked Questions

What are the penalties for a missing HIPAA BAA?

Civil monetary penalties for a missing BAA range from $141 per violation (Tier 1, unknowing) to $1,919,173 per year per violation category (Tier 4, willful neglect not corrected). The 2024 per-violation figures are: Tier 1: $141–$71,162; Tier 2: $1,424–$71,162; Tier 3: $14,232–$71,162; Tier 4: $71,162–$1,919,173.

Has OCR ever fined a practice for a missing BAA?

Yes. The QCA Health Plan settlement ($250,000, 2014) directly involved disclosing PHI to a business associate without a BAA. Larger settlements like Lifespan ($1.04M, 2021) and URMC ($3M, 2019) involved BAA failures alongside other compliance issues. BAA failures rarely result in enforcement in isolation — they typically surface during breach investigations that reveal broader compliance gaps.

How does OCR find out about BAA violations?

Primarily through breach reports (breaches affecting 500+ individuals are submitted to OCR's public breach portal), patient and workforce complaints, OCR's proactive audit program, and media reports. Organizations that self-disclose BAA gaps alongside breach reports are consistently treated more favorably than those whose gaps surface through external investigation.
