OCR announces 11th and 12th Risk Analysis Initiative enforcement actions
Recently, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced two HIPAA settlements, one with a substance use disorder (SUD) provider and one with a software company.
These settlements were OCR’s 11th and 12th enforcement actions in its Risk Analysis Initiative and follow a six-month gap in announced settlements. From January to August 2025, OCR had announced 16 resolution agreements with covered entities or business associates that featured a failure to conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI). This assessment is commonly referred to as “risk analysis.”
Settlement with SUD provider Top of the World Ranch Treatment Center
On February 19, 2026, OCR announced its settlement with Illinois SUD provider Top of the World Ranch Treatment Center (TWRTC), which resolved OCR’s investigation of TWRTC’s 2023 breach report of unauthorized access to ePHI through a workforce member’s email account following a successful phishing attack. OCR found evidence that TWRTC had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
In the email announcing the settlement, OCR Director Paula M. Stannard stated: “In a time where health care providers and other HIPAA regulated entities are facing unprecedented cybersecurity threats, compliance with the HIPAA Risk Analysis provision is more essential than ever” and “Covered entities and business associates cannot protect electronic protected health information if they haven’t identified potential risks and vulnerabilities to that health information.”
This settlement was announced just three days after the February 16, 2026 enforcement date for the 42 C.F.R. Part 2 final rule and the launch of a new civil enforcement program for the confidentiality of SUD patient records under 42 C.F.R. Part 2. The Resolution Agreement and Corrective Action Plan, however, were dated June 2025 and were entered under HIPAA.
Settlement with software company MMG Fusion
In the past week, OCR announced its settlement with software company MMG Fusion, LLC (MMG), which helps oral healthcare professionals market, manage and grow their practices and provides software that communicates with patients.
The settlement resolved an investigation that began in 2023 relating to an unreported security incident and the posting of PHI on the dark web. OCR determined that MMG violated the HIPAA Rules by impermissibly disclosing PHI, failing to conduct an accurate and thorough risk analysis, and failing to notify the affected covered entities of the breach.
The Resolution Agreement and Corrective Action Plan were dated June 30, 2025, although the settlement was announced yesterday.
In the email announcing the settlement, OCR Director Paula M. Stannard emphasized the importance of timely breach notification as well as risk analysis: “When a breach occurs, business associates must notify affected covered entities without unreasonable delay and within 60 calendar days of discovery” and “This timeliness is crucial for a covered entity to meet its own breach notification obligations, such as timely notification to HHS and to individuals. As hacking becomes more ubiquitous, HIPAA Security Rule requirements, such as the need to have an accurate and thorough HIPAA risk analysis, are imperative for strengthening cybersecurity before a breach occurs.”
Cybersecurity safeguards
OCR has provided the following recommendations to mitigate or prevent cyber threats:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
- Integrate risk analysis and risk management into the organization’s business processes.
- Periodically conduct and update the risk analysis.
- Develop and implement a risk management plan to address the identified risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.
- Ensure that audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Implement procedures to authenticate users so that only authorized users access ePHI.
- Encrypt ePHI (both in transit and at rest) to guard against unauthorized access.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training that is specific to the organization and to each workforce member’s job duties.
It is also important to be prepared to investigate, mitigate and report breaches of ePHI and then to respond to any resulting investigations or litigation. OCR’s repeated emphasis on risk analysis highlights its importance (along with management of the risks it identifies) in safeguarding the confidentiality and security of ePHI and, in the event of a breach or a related investigation or litigation, in minimizing harm and potential exposure.
For more information on this or related topics, don't hesitate to get in touch with attorney Rick Hindmand or your McDonald Hopkins healthcare attorney.