2026 HIPAA Compliance Alert: $103,000 Settlement for Risk Analysis Failure

February 23, 2026

 

The Office for Civil Rights (OCR) is back with a massive settlement to start 2026. 

A rehab center in Illinois, Top of the World Ranch Treatment Center (TWRTC), recently agreed to a $103,000 and 2-year Corrective Action Plan (CAP) settlement following a security breach that exposed major security vulnerabilities. This settlement is also the 11th enforcement of the Risk Analysis Initiative

The Top of the World Ranch Treatment Center HIPAA settlement was announced just days after the OCR officially enacted the Part 2 changes to the Notice of Privacy Practices. As of Feb 16, all Covered Entities, regardless of scope of practice, must update their Notices of Privacy Practices (NPP) to include special provisions regarding the handling of Substance Use Disorder (SUD) Protected Health Information (PHI). 

 

What Happened? 

In March 2023, an employee’s email account was compromised in a phishing attack, exposing fewer than 2,000 records. In the world of healthcare data breaches, where numbers often reach the millions, this was a relatively small but still severe incident.

However, the OCR’s enforcement was not based on the size of the breach, but on missing paperwork. This breach report initiated an investigation that led the OCR to find the SUD facility had failed to complete a compliant Security Risk Analysis (SRA). The SRA is the foundation of a HIPAA-compliant practice and an extensive assessment of the potential vulnerabilities your practice might face. The SRA reviews the administrative, physical, and technical safeguards your practice must have in place. 

Since TWRTC hadn’t completed this proactive assessment, they missed the specific vulnerabilities in their technical defenses that eventually allowed a phishing email to succeed.

 

The Bottom Line

The Top of the World Ranch Treatment Center HIPAA settlement proves that the OCR doesn’t punish based on how ‘big’ a mistake is, but for a lack of preparation. Breaches happen, but your team’s readiness and response are what determine whether you face an enforcement action.

You might think your practice is too small to be a target, but this settlement shows that if you have a breach, no matter the size, the first thing the OCR will ask for is your SRA. If you don’t have it, the legal repercussions could be far more painful than the breach itself.

Is your SRA current for 2026? If not, meet with our team of experts today to get compliant.

RECENT POSTS

Related posts

IT HIPAA compliance
Best Practices, HIPAA

“We Have IT”: Why That Doesn’t Mean You’re HIPAA Compliant

January 29, 2026 No comments yet

January 29, 2026 As a healthcare practice, your primary focus is patient care. You’ve likely hired an IT security team to keep your systems running smoothly. It feels like the final piece of the HIPAA compliance puzzle, right? Having an IT team doesn’t automatically make you HIPAA compliant. HIPAA requires documented administrative, physical, and technical safeguards, like a Security Risk Analysis (SRA), written policies and procedures, and ongoing HIPAA training for your workforce. While having an IT team is strongly recommended to keep your patients’ Protected Health Information (PHI) safe, it’s only the tip of the iceberg. HIPAA Requires Documentation (Not Just Fixes) While your IT team can assist with ensuring the technical side of HIPAA is in shape, like installing firewalls, antivirus software, encryption tools, and more, they might not know all of the legalese that comes along with HIPAA. In the world of HIPAA compliance requirements, if it isn’t documented, it didn’t happen. Your excellent IT team can get your network back online in record time, but the Office for Civil Rights (OCR) doesn’t just want to know that you’re back up and running; it wants a documented process for how your practice handles similar situations. That’s why extensive documentation is at the foundation of a compliant practice. The SRA reviews potential technical, administrative, and physical vulnerabilities your practice may face. HIPAA policies and procedures dictate how your office handles everything from a patient requesting their records to terminating an employee’s access on their last day. If your practice is investigated, the OCR won’t just look at your firewall; they’ll also ask to see your SRA, policies, and procedures. If your practice has nothing documented, “we have an IT guy” won’t save you from a fine. HIPAA Physical Safeguards Go Beyond the Firewall IT teams can get serious about their hardware, but the physical safeguards your practice must implement to be HIPAA compliant don’t stop at your tech stack. HIPAA physical safeguards include anything that serves as a barrier to the secure handling of PHI. At the end of the day, make arming the door alarm part of your closing routine to help protect PHI after hours. IT teams focus on digital support, but they can’t remotely verify that your staff has engaged your physical safeguards. No code can fix it when someone leaves a paper chart on the counter. HIPAA Training Requirements and the Human Element Your IT team can build the tallest digital fortress in the world, but they can’t stop an employee from leaving the front door unlocked. HIPAA compliance isn’t a software package; it’s a culture. While your IT team manages the technical safeguards, your staff is responsible for their behavior. Think of it this way: IT can block social media on your office network, but they can’t reach into a staff member’s pocket and stop them from posting about a patient on their personal phone. Technical safeguards are useless if your team doesn’t understand its individual responsibility to keep PHI secure. That’s why thorough HIPAA training and cultivating a culture of compliance are the real keys to success for your practice – and they happen to be things your IT team can’t patch or automate. IT Security and HIPAA Compliance: Working in Parallel Strongly consider an IT team to help your practice meet technical HIPAA requirements. However, your IT team can’t fulfill all the HIPAA requirements for your practice. That’s why the best solution is to use innovative compliance software alongside an IT company. Intelligent compliance platforms can generate dynamic documentation, pinpoint vulnerabilities with an intuitive SRA, and send out engaging training to staff. With these two working in tandem, you empower your staff, and you can feel confident that your practice complies with HIPAA. Want help turning HIPAA requirements into clear documentation, an SRA, and trackable training? Talk with our team to see how Abyde supports your practice.

medical record retention requirements
Best Practices, HIPAA

Patient Records: What to Keep, How Long to Keep It, and When to Destroy It

January 23, 2026 No comments yet

January 23, 2026   Looking to bring that “New Year, New Me” energy into your practice by clearing out records in the practice? Not so fast. It’s not as simple to declutter Protected Health Information (PHI) as it is your closet of old clothes.  Each state upholds strict retention requirements, ensuring that PHI is secure and accessible for several years before proper disposal.  That’s why we’re breaking down the retention rules today, so that whatever you shred today doesn’t become a legal headache tomorrow.    So, how long?  Like most legal requirements, it depends on the situation and what state you’re in. Each state medical board’s goal is to give patients plenty of time to request their records and ensure their data is protected by the high standards they deserve. Although these are mandates, your practice must also comply with any stricter state-specific guidelines. Some states require records to be kept for a minimum of 10 years, and the duration may depend on whether the documents pertain to a minor or an adult. For example, in North Dakota, minor records must be held, at a minimum, until the patient turns 21.  It also depends on whether your organization is considered a hospital or a smaller practice. Hospitals usually have stricter requirements. In Colorado, hospitals must preserve records for at least 10 years. If the patient is a minor, these 10 years start after the patient turns 18.  The Office for Civil Rights (OCR) also requires that all compliance documentation, such as policies, procedures, and Security Risk Analyses (SRAs), be retained for at least 6 years after creation, including the date it was in effect.  Overall, when in doubt, hold onto records and consult with legal counsel before disposing of any documentation.    How do I properly dispose of documentation?  Throwing documentation into the recycling bin isn’t going to cut it. When disposing of sensitive PHI, you must ensure that records are destroyed so that they cannot be linked to a patient. This includes shredding, burning, or pulverizing the records. In terms of ePHI (electronic Protected Health Information), clearing the records with compliant software or physically destroying the device is key to ensuring PHI is correctly disposed of.  Business Associates can assist with these processes, specializing in the disposal of sensitive data.    How do I streamline compliance?  Handling documentation is just the tip of the iceberg when it comes to compliance.  Thankfully, intelligent software can simplify compliance for your practice by providing training, policies, and procedures to guide staff in remaining compliant. Questions like handling the disposal of documentation can be answered quickly on the platform by on-call compliance experts.  Meet with our team today to learn more about HIPAA compliance for your practice. 

Basic HIPAA Requirements
Abyde News, Best Practices, HIPAA

HIPAA Basics You Can’t Skip (Even If You’ve ‘Always Done It This Way’)

January 15, 2026 No comments yet

January 15, 2026 As your practice shakes off the post-holiday haze, it’s time to go back to basics. Before picking up the pace, it’s worth slowing down to look at the foundations. While your practice might have routine procedures, it’s time to double-check if they’re even compliant.   The Training Refresh Staff must complete HIPAA training when joining your practice, but that’s not all. HIPAA requires annual training and updates after policy changes or breaches, and whenever staff review is needed. Long story short, your practice needs a lot of training. When in doubt, provide staff training to ensure they are comfortable and confident in handling Protected Health Information (PHI).   Titles Matter Even in a small practice, it’s required to assign a HIPAA Compliance Officer (HCO). We know that ‘wearing many hats’ is the reality of a small team, but designating a clear leader for compliance provides a vital anchor. It ensures your staff knows exactly who to turn to for guidance. If the OCR ever comes knocking, they require a single point of contact to streamline the investigation. Social Media Savviness We hate to break it to you, but your Gen Z receptionist could make your practice viral for all the wrong reasons. Social media can be beneficial for sharing your practice to a larger audience, but your staff needs to handle it very carefully. While it might be fun to partake in the latest TikTok trend, make sure that any PHI cannot be seen in the clips, and do not include a patient in any content unless there is explicit consent to do so. Having a media consent form is key in these situations. Keep it General Alongside social media, Google reviews can be a great way to show you’re listening, but HIPAA changes what you can say. Even if the review is favorable, you cannot identify whether the patient has been in your practice or not. Even if the review details a specific experience at your practice, it’s their choice to disclose this information, and your job, under HIPAA, is not to confirm it. For instance, a good public review would be: Thanks for the kind words! If you have additional feedback, please call us at xxx-xxx-xxxx. If you get a negative review, keep your response brief and offline. First, check for spam or rule violations and report if necessary. Otherwise, don’t clarify details or if they’re a patient. A good response: Thank you for your feedback. We’d like to learn more. Please contact us at xxx-xxx-xxxx. Practices can, and have been, fined for improper Google review responses, so your team must remain calm and neutral online. Lock it Down While it might feel easier for your practice to use a single, shared email to log in and access everything, it’s much safer (and wiser) for every team member to have their own login with role-based permissions. Individual accounts create accountability, keep information organized, and enable the implementation of role-based access. Not everyone in your practice needs access to the same information, and they shouldn’t have it. For example, your receptionist likely doesn’t need access to X-rays or clinical notes, but they do need access to scheduling software. When permissions align with the job, you reduce the risk of accidental exposure and keep sensitive data limited to those who genuinely need it. Individual logins make off-boarding easy. When someone leaves, remove their access immediately without disrupting the team or requiring a shared password change. This small shift greatly boosts compliance and protects patient information. Change Habits Today It’s easy to let compliance fall to the bottom of the to-do list when you’ve “always done it this way”. Thankfully, intelligent software can streamline these requirements for you. With the right platform, you can ensure training is handled correctly, that dynamic policies and procedures are properly formatted for your team, and that you have access to a team of compliance experts when navigating difficult compliance questions. Take the next step: schedule a compliance consultation with our team. We’ll show you exactly how to meet HIPAA requirements, simplify your processes, and protect your practice with confidence. Contact us today to get started.

Is your dental practice OSHA-ready? Cut through the complexities with our latest eBook.

DOWNLOAD NOW
X