OCR closed 21 enforcement actions in 2025 — most began with a breach report or a complaint, not an audit. Get ahead of the letter

Frameworks · HIPAA Security Rule

OCR doesn't grade
good intentions.

Healthcare has been the most expensive breach industry for 14 straight years, and the failure OCR cites most isn't exotic — it's the missing or inadequate security risk analysis. Lionfish runs HIPAA in the Cyber Tackle Box™: a defensible risk analysis, the policies, the workforce training the rule requires, and the evidence trail that turns an OCR letter from a crisis into a reply.

Covered EntitiesBusiness AssociatesMSPs serving healthcareSecurity Rule + NPRM-ready

The numbers behind every OCR settlement

$00K×10
average cost of a healthcare data breach — $7.42M, the highest of any industry (IBM 2025)
$0M÷100
maximum annual HIPAA penalty per violation category — $2,190,294 (2026-adjusted)
0
OCR enforcement actions closed in 2025 — the second-highest year on record
0 days
average time to identify and contain a healthcare breach

Sources: IBM Cost of a Data Breach 2025; HHS/OCR enforcement releases; HIPAA Journal penalty tables. The proposed Security Rule update (mandatory MFA and encryption) is delayed to 2027 — enforcement of the current rule is not.

Who this is for

Covered entities — and the business associates OCR is now naming

HIPAA isn't just for hospitals. OCR settles with billing companies, IT vendors, and software firms — anyone who touches ePHI under a BAA.

  • Independent practices and clinics — medical, dental, behavioral health, imaging — where the "compliance officer" is the practice manager with a day job.
  • Health tech and digital health companies whose covered-entity customers demand a signed BAA plus proof of a real security risk analysis before contracting.
  • MSPs and IT vendors serving healthcare — you're a business associate whether you signed up for it or not, and your clients' OCR risk is your OCR risk.

Sound familiar?

The pain we hear on every first call

  • !The risk analysis you don't have. Inadequate risk analysis is the failure OCR cites in the overwhelming majority of Security Rule enforcement — and a template PDF doesn't survive an investigator.
  • !Training that exists on paper. The Security Rule requires workforce training. "We showed a video once" is how five-figure settlements start.
  • !No certification, no finish line. There is no HIPAA certificate — just your documentation on the day the letter arrives. Ambiguity paralyzes small teams.

The platform

How the Cyber Tackle Box™ runs your HIPAA program

One platform holds the risk analysis, policies, training records, and evidence — the exact artifact set OCR asks for in its first data request.

Policy Templates

Contingency plans, sanction policy, access management, breach response — the full Security Rule document set, pre-built and tailored to your practice or product.

Risk Analysis, For Real

A control-by-control security risk analysis with findings, likelihood, and impact — the OCR-defensible artifact, refreshed annually instead of rebuilt in a panic.

Remediation & POA&Ms

Findings become assigned, dated remediation items driven to closure — evidence of a working program, not a binder.

Evidence & BAA Tracking

Business associate agreements, training records, and control evidence in one timestamped system of record.

Playbooks

Step-by-step breach response and incident playbooks — because the 60-day breach-notification clock starts whether you're ready or not.

Workforce Training Included

The training the rule requires, delivered so people actually finish it — 52 modules including our music-based series, tracked to the individual employee.

Why Lionfish

A platform with humans attached

Practitioners, not just software

Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.

One system of record

Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.

Veteran-owned & battle-tested

SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.

Straight answers

HIPAA questions we answer every week

What are the actual HIPAA penalties in 2026?

Civil penalties are tiered by culpability, running from about $145 per violation to over $72,000 per violation, with an annual cap of $2,190,294 per violation category at the highest tier. Most OCR settlements land in the five-to-mid-six figures — an existential number for a small practice or MSP.

Is there a HIPAA certification?

No. HIPAA has no official certification — compliance is demonstrated through your documentation: a current security risk analysis, written policies, workforce training records, BAAs, and evidence your safeguards operate. That's exactly the artifact set the Cyber Tackle Box maintains, so an OCR inquiry is a document export rather than a scramble.

What's happening with the new HIPAA Security Rule?

HHS proposed a major Security Rule update in January 2025 — mandatory MFA, encryption of ePHI at rest and in transit, written asset inventories, and annual audits — but final action has slipped to 2027 and the proposal may be narrowed. Our advice: don't buy panic, but don't wait either. Everything in the proposal is already best practice, and enforcement of the current rule is accelerating right now.

We're an MSP with healthcare clients — where do we start?

You're a business associate, which means direct OCR liability plus contractual exposure to every client. The Cyber Tackle Box is multi-tenant: run your own HIPAA program and your clients' programs from one console, and turn compliance from a liability into a billable service line. We'll show you the MSP model on a demo.

Get in touch

Get HIPAA off your worry list

Tell us whether you're a provider, a business associate, or an MSP with healthcare clients. You'll get a straight assessment of your exposure and a scoped plan within one business day.

  • 1We reply within one business day — usually faster.
  • 2A 30-minute call with someone who can actually answer your questions.
  • 3A straight recommendation — even if it's that you don't need us yet.

Prefer to skip the form? Book a time directly or call 1-877-732-6772.

Book a Free Call