HIPAA Settlements Continue Emphasis on Risk Analysis

Blog Post

The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) continues to focus on risk analysis in its investigation and enforcement activities.  

In the first seven months of 2025 OCR has announced 15 resolution agreements with covered entities or business associates featuring failure to conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (“ePHI”). This assessment is commonly referred to as “risk analysis.”

Yesterday, OCR announced its OCR’s 15th ransomware enforcement action and 10th enforcement action in OCR’s Risk Analysis Initiative. In the August 18 press release regarding the settlement with a HIPAA business associate, OCR Director Paula M. Stannard emphasized the importance of risk analysis, stating that: "A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it” and “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

Risk analysis is a common element of recent Corrective Action Plans (“CAPs”) that are incorporated into resolution agreements between HHS and a covered entity or business associate. Recent CAPs require that the risk analysis incorporate all of the organization’s locations and facilities that contain, store, transmit or receive ePHI, and that the risk analysis evaluate the risks to the security of ePHI in electronic equipment, data systems, programs and applications.

OCR has provided the following recommendations to mitigate or prevent cyber-threats:

  • Identify where PHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems
  • Integrate risk analysis and risk management into the organization’s business processes
  • Periodically conduct and update risk analysis
  • Develop and implement a risk management plan to address the identified risks and vulnerabilities to the confidentiality, integrity and availability of ePHI
  • Ensure that audit controls are in place to record and examine information system activity
  • Implement regular review of information system activity
  • Implement procedures to authenticate users so that only authorized users are accessing ePHI
  • Encrypt ePHI (both in transit and at rest) to guard against unauthorized access to ePHI
  • Incorporate into the organization’s overall security management process lessons learned from incidents
  • Provide workforce members with regular HIPAA training that is specific to the organization and to each workforce member’s job duties.

It is also important to be prepared to investigate, mitigate and report breaches of ePHI and then respond to any investigations or litigation. OCR’s repeated emphasis on risk analysis highlights the importance of risk analysis (as well as managing related security risks) in safeguarding the confidentiality and security of ePHI and, in the event of a breach or related investigation or litigation, minimizing harm and potential exposure.

For more information on this or related topics, please contact McDonald Hopkins Healthcare attorneys, Rick Hindmand and Emily Johnson.

Related Services

Jump to Page

McDonald Hopkins uses cookies on our website to enhance user experience and analyze website traffic. Third parties may also use cookies in connection with our website for social media, advertising and analytics and other purposes. By continuing to browse our website, you agree to our use of cookies as detailed in our updated Privacy Policy and our Terms of Use.