
HIPAA compliance in the era of OCR's risk analysis initiative
OCR issued its 10th enforcement action under the risk analysis initiative, signaling to covered entities that compliance with HIPAA's risk analysis provisions should be a focus area.
In August 2025, the HHS Office for Civil Rights, or OCR, announced a $175,000 settlement with BST & Co. CPAs, LLP, stemming from a 2019 ransomware attack and data breach. OCR alleged that BST, a New York-based public accounting, business advisory and management consulting firm, failed to conduct an accurate and thorough risk analysis to determine risks to protected health information. These alleged risk analysis failures put BST in OCR's crosshairs, and the resulting enforcement action became the 10th settlement in OCR's risk analysis initiative.
The BST settlement and the nine that preceded it as part of this initiative signify to HIPAA-covered entities that OCR is paying special attention to HIPAA's risk analysis provisions.
As such, healthcare compliance and security officers should prioritize this key area to protect patient data, prevent data breaches and prepare for regulatory scrutiny.
History of OCR's risk analysis initiative
Though OCR's risk analysis initiative has not yet reached the one-year mark, it has already resulted in numerous enforcement actions.
"But the recent surge of actions underscores that encouraging compliance with the requirements of the Security Rule relating to risk analyses remains a top priority for OCR," said Angela Matney, attorney at Reed Smith.
The first enforcement action under the initiative was settled in October 2024, under the Biden administration. The action involved an Oklahoma ambulance company that had to pay $90,000 and implement a corrective action plan to make up for its risk analysis gaps.
"Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA," Melanie Fontes Rainer, who was the OCR director at the time of the enforcement action, said in the October 2024 settlement announcement.
"OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement."
At an October 2024 conference co-hosted by OCR and the National Institute of Standards and Technology, OCR leaders, including Fontes Rainer, stressed that while risk analysis is a new focus area for OCR, it is not a new problem for covered entities.
"If you look at our press releases of our enforcement over the last year, really over the last decade, continually, there is a trend of covered entities -- whether health plan providers, clearinghouses, whether they're small, medium, large -- not having a risk analysis or having an insufficient risk analysis or having a risk analysis and not using it," Fontes Rainer told TechTarget Editorial at the October event. "And the idea is that we're drawing more attention to it."
The change of administration came with a change of leadership at OCR, with Paula M. Stannard taking over as OCR director in June 2025.
Even with the leadership changes, OCR has continued to prioritize its risk analysis initiative, as exemplified by the numerous enforcement actions announced by OCR this year, including the settlement with BST.
Enforcement actions can guide risk analysis compliance
OCR's continued prioritization of HIPAA risk analyses is telling, experts say.
"The risk analysis initiative should be a reminder to regulated entities that this is an important exercise," said Shannon Hartsfield, partner at law firm Holland & Knight. "The latest enforcement action continues to bring that point home."
The corrective action plan (CAP) that BST is required to implement addresses the types of risk analysis deficiencies that OCR typically sees and offers best practices for eliminating them.
"The HIPAA rules themselves don't contain the level of detail regarding the risk analysis that we see in this CAP," Hartsfield noted. "The CAP provides insight into what the government might view as adequate security measures."
For example, the CAP requires BST to analyze potential risks to the confidentiality, integrity and availability of its protected health information, develop written policies and procedures to comply with HIPAA and implement a risk management plan to address the vulnerabilities identified in its risk analysis. The company is also required to review the risk analysis annually, document its security actions and complete an inventory of all systems that store electronic protected health information.
"The exercise of conducting a risk analysis is challenging because it almost requires a crystal ball to predict everything that might go wrong with electronic protected health information. It has to be 'an accurate and thorough assessment of the potential risks and vulnerabilities' to the data," Hartsfield said.
"While there's virtually no way that a regulated healthcare entity could protect against everything that could go wrong, when something does happen, it's easy for regulators to conclude that the risk analysis must have been lacking."
Hartsfield noted that HHS maintains useful guidance for entities looking to improve their risk analysis efforts. For example, small and medium entities can use the security risk assessment tool, co-created by OCR and the Office of the National Coordinator for Health Information Technology, to guide them through a security risk assessment.
Matney recommended that regulated entities look toward HHS' proposed updates to the HIPAA Security Rule to further inform risk analysis activities.
"The proposed rule would require covered entities and business associates to conduct an annual risk analysis incorporating, among other things, a review of technology asset inventories and network maps," Matney said. "While these requirements have not yet been and ultimately may not be incorporated into the Security Rule, they reflect cybersecurity best practices."
In addition to monitoring OCR's enforcement actions and proposed rules, Matney recommended that covered entities integrate risk analysis into business processes, ensure asset controls are in place and regularly provide training specific to job responsibilities.
Covered entities are always required to comply with all provisions of HIPAA, regardless of whether OCR is prioritizing certain areas. However, the focus areas that OCR chooses can give covered entities a view into top security and privacy pain points and a roadmap for improving their HIPAA compliance efforts.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.