In the fall of 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the first enforcement action in its "Risk Analysis Initiative." Since then, a total of seven enforcement actions have been announced. For many years, the failure to perform an adequate security risk analysis has been a top finding in OCR enforcement actions and a focus of the corrective action plans OCR has entered into with covered entities and business associates. The Risk Analysis Initiative comes as OCR reported a 264% increase in reported large breaches involving ransomware attacks since 2018.1 OCR has stated that failing to conduct a comprehensive risk assessment significantly increases the risk of ransomware attacks.
Risk Analysis under the Security Rule
The Risk Analysis Initiative is an enforcement effort by OCR aimed at ensuring covered entities and their business associates ("regulated entities") comply with the risk analysis and risk management requirements under the HIPAA Security Rule's administrative safeguards found at 45 CFR § 164.308. Under the Security Rule, regulated entities must:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the regulated entity.
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
As described in its press releases, OCR created the Risk Analysis Initiative to focus select investigations on compliance with the HIPAA Security Rule risk analysis provision, a key Security Rule requirement, and the foundation for effective cybersecurity and the protection of ePHI. OCR designed the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with the Security Rule requirements.
Enforcement Action Summaries
Below is a brief review of the Risk Analysis Initiative enforcement actions to date, highlighting key findings, trends, and recommendations for organizations to bolster their cybersecurity.
- Enforcement Action 1: An Oklahoma provider of emergency medical services (EMS) was targeted by a ransomware attack which encrypted the ePHI of 14,273 patients. Settlement amount: $90,000; issued on October 31, 2024.
- Enforcement Action 2: A Massachusetts business associate that provided cloud-based electronic health record (EHR) and billing support services was targeted by a ransomware attack which exposed the ePHI of approximately 31,248 patients. Settlement amount: $80,000; issued on January 7, 2025.
- Enforcement Action 3: A Virginia business associate, a data hosting and cloud services company, experienced a ransomware attack targeting portions of its server infrastructure. The breach encrypted the ePHI of twelve covered entities. Settlement amount: $90,000; issued on January 7, 2025.
- Enforcement Action 4: A Michigan surgical group experienced a ransomware attack that encrypted and exfiltrated the ePHI of 15,298 patients from its network. Settlement amount: $10,000; issued on January 15, 2025.
- Enforcement Action 5: An Illinois-based business associate exposed ePHI online for several years due to a server misconfiguration, affecting up to 4,304 patients. Settlement amount: $227,816; issued on March 21, 2025.
- Enforcement Action 6: A provider of clinical imaging services based in both New York and Connecticut reported a breach of unsecured ePHI, affecting 298,532 patients whose information was potentially accessible on the server. Settlement amount: $350,000; issued on April 10, 2025.
- Enforcement Action 7: A public hospital in Guam experienced a ransomware attack affecting the ePHI of approximately 5,000 patients. In a separate incident, two former employees of the same hospital accessed the network systems after their employment had ended. Settlement amount: $25,000; issued on April 17, 2025.
In every case, OCR indicated that its investigation found the regulated entity had failed "to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its electronic PHI (ePHI). See 45 C.F.R. § 164.308(a)(1)(ii)(A)." While each settlement mentioned above included an individual resolution agreement and corrective action plan, OCR's general recommendations to regulated entities to mitigate the risk of a cyberattack include:
- Conduct regular assessments: Perform thorough and periodic security risk analyses (SRAs) to identify and address potential vulnerabilities. Ensure SRAs include both internal systems and third-party vendors.
- Align policies and training with the SRA: Ensure that all security and privacy policies, as well as workforce training programs, are informed by the findings of your SRA.
- Develop a documented implementation plan: Maintain a clear plan that outlines the mitigation activities selected in response to the SRA findings.
- Track progress and timelines: Record when each mitigation activity was initiated and completed to ensure accountability and progress tracking.
- Assess effectiveness: Audit, monitor and evaluate the implemented activities to determine whether they successfully reduced or addressed the identified risks.
Risk Analysis in the Security Rule NPRM
In the HIPAA Security Rule notice of proposed rulemaking (NPRM) published on January 6, 2025, OCR proposed to clarify and expand the scope of the security risk analysis requirement—placing greater emphasis on documenting methodologies, incorporating emerging threats, and ensuring the analysis directly informs risk management activities:
| Current Rule – 45 CFR 164.308(a)(1)(ii) | Proposed Rule – 45 CFR 164.308(a)(2) |
|---|---|
| Implementation specifications: A. Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the regulated entity. | Implementation specifications: Maintenance. Review, verify, and update the written assessment on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity's environment or operations that may affect ePHI. |
Don't Wait: Make Risk Analysis Central to Your HIPAA Compliance Program
While it may be several months (or more) before a revised HIPAA Security Rule is issued, the enforcement actions under the Risk Analysis Initiative underscore OCR's position that a comprehensive and accurate security risk analysis is essential to protecting ePHI and forms the foundation of a robust HIPAA compliance program. By identifying and understanding their specific risks, regulated entities can more effectively protect patient information and continue to provide the care their communities need.