A breach
A breach brings OCR to your door.
Small practices are frequent targets for ransomware and phishing, and a reported breach triggers a mandatory OCR investigation. The first thing they request is your risk analysis. In April 2025, a small New York radiology practice paid $350,000 after a breach exposed nearly 300,000 patients’ images — OCR found no current risk analysis on file, the cited violation under 45 CFR § 164.308(a)(1)(ii)(A), in one of several settlements under its Risk Analysis Initiative.1
What the Risk Analysis Initiative means for you

