
The OCR Risk Analysis Initiative, explained

OCR is now investigating small practices that have never had a breach — because they never did a risk analysis. Here is what changed in late 2024, what the rule actually requires, and what a defensible answer looks like.


Most HIPAA enforcement headlines you read are about somebody else: a hospital with a million stolen records, a health plan with a misconfigured cloud bucket, a tech vendor with an unpatched server. It is easy to read those stories and conclude that none of this applies to a five-person family practice that has never had a breach.

That conclusion is now wrong.

In late 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) launched what it called the Risk Analysis Initiative — a deliberate enforcement focus on covered entities and business associates that have failed the most basic, most repeatedly cited HIPAA requirement: conducting an accurate, thorough, and current risk analysis. The Initiative specifically targets the paperwork failure, not the breach. You can be investigated, fined, and named in an OCR press release without anyone ever having stolen a single record from you.

This article explains what the Initiative is, what the underlying rule actually requires, what the Northeast Radiology settlement (April 2025) tells us about how OCR is enforcing it, and what a defensible answer looks like. Every claim cites the underlying CFR section, Federal Register entry, or OCR publication so you can verify it yourself.

What the Risk Analysis Initiative is

OCR launches enforcement initiatives periodically to focus its limited investigative capacity on patterns it sees in complaints, breach reports, and audits. Previous initiatives targeted right-of-access failures (2019–present) and ransomware response.

The Risk Analysis Initiative is the newest of these, announced in late 2024. It is not a new rule. The risk-analysis requirement it enforces has been on the books since the HIPAA Security Rule took effect in 2005. What is new is OCR's posture: rather than waiting for a breach to surface and then citing the underlying risk-analysis failure as one finding among several, OCR has begun investigating risk-analysis failures as the standalone violation, in covered entities and business associates of every size.

By April 2025, OCR had publicly announced six settlements under the Initiative.1 Settlement amounts have ranged from tens of thousands to several hundred thousand dollars, with corrective action plans running multiple years. None of the entities reached a settlement large enough to make general-press headlines — which is part of the point. The Initiative is not about marquee cases. It is about consistent, predictable pressure on a population of small and mid-sized organizations that historically assumed they were too small to be investigated.

What HIPAA actually requires here

The rule the Initiative enforces is at 45 CFR § 164.308(a)(1)(ii)(A) — sometimes called the "risk analysis specification."2 It requires every covered entity and business associate to:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

Three words in that sentence do most of the work, and they are the words OCR keeps citing in its findings.

Accurate. The analysis must reflect the systems you actually use — your real EHR, your real billing service, the laptop your office manager actually takes home. A template downloaded from the internet and partially filled in does not meet this bar.

Thorough. The analysis must cover every system that creates, receives, maintains, or transmits ePHI ("electronic protected health information" — any digital record tied to a patient). One missed system is one vulnerability you cannot have mitigated, because you did not know it was there.

Current. OCR has long taken the position that risk analysis is an ongoing obligation. In practice this means at minimum an annual refresh, and additional refreshes whenever the practice meaningfully changes — new EHR, new location, new business associate, major workforce change. The proposed 2026 Security Rule update would make the annual cadence explicit.3

OCR's 2010 final guidance on what a compliant risk analysis looks like points squarely at NIST SP 800-30 as the methodology benchmark.4 NIST 800-30's framework is straightforward in shape: identify threats and vulnerabilities, estimate likelihood and impact for each pairing, derive a risk level, and document the analysis with enough detail that someone else could reproduce it. The actual work is unglamorous, but the structure is defensible because OCR itself points to it.

The other half OCR enforces alongside § 164.308(a)(1)(ii)(A)

The risk analysis is half of the obligation. The matching half is right next to it in the rule: 45 CFR § 164.308(a)(1)(ii)(B), the Risk Management standard.5 It requires every covered entity and business associate to:

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…

In OCR's 2010 guidance and in every recent Risk Analysis Initiative settlement, (A) and (B) are cited together. A practice that has a defensible risk analysis but no documented response to each identified risk is still exposed. A practice that has neither is what the $350,000 settlement letters address.

In practical terms this means a defensible answer is two linked artifacts, not one:

  1. A Risk Analysis Report — the assessment under (A).
  2. A Risk Management Plan — the documented response under (B), typically organized as a tiered action plan (what you can do this week, what needs a vendor conversation, what needs budget).

What Northeast Radiology tells us

The most recent settlement under the Initiative as of this writing is Northeast Radiology, P.C., resolved in April 2025 for $350,000 plus a multi-year corrective action plan.6 Northeast Radiology is a small practice by hospital standards — exactly the segment that historically assumed it was below OCR's radar.

The published resolution agreement says, in essence: Northeast Radiology had a breach reportable under the Breach Notification Rule. When OCR investigated, it found the practice had never conducted a compliant risk analysis in the years preceding the breach. The settlement was specifically tied to that failure, not to the technical control that allowed the breach itself.

Three things stand out for any small practice reading this.

First, the dollar figure. $350,000 is not a marquee number by hospital standards. For a small radiology group, it is several months of operating expense. The Initiative's typical settlement size is calibrated to be painful for the segment being targeted, not for the general health-system press.

Second, the cause of OCR's finding. OCR did not fine Northeast Radiology for the underlying breach. OCR fined them for not being able to produce a risk analysis that should have existed all along. This is the Initiative's signature pattern. The paperwork failure stands on its own as the violation.

Third, the breach was the trigger but not the basis. Northeast Radiology came to OCR's attention because of a Breach Notification Rule report. But once OCR had the door open, the investigation expanded to foundational compliance — and the risk-analysis gap was what stuck. Any small practice that files a breach report, responds to a complaint, or receives a routine audit selection is now realistically exposed to the same pattern.

Why this changes the math for small practices

Three implications follow from the Initiative for any practice with fewer than 25 employees.

1. The "we're too small to be investigated" calculation no longer holds. The Initiative was explicitly designed to investigate small entities at a steady cadence. The economics of the Initiative for OCR are the opposite of marquee enforcement: high volume, mid-size penalties, straightforward findings.

2. The cost of a defensible risk analysis is now strictly less than the cost of one settlement. A boutique HIPAA consultant runs $5,000 to $25,000+ for a single risk analysis engagement. Even at the high end of that range, the cost is meaningfully below the smallest Initiative settlement to date. Self-assessment software runs an order of magnitude less. There is no longer a reasonable "we couldn't afford it" defense.

3. "Our EHR handles it" is not an answer. A risk analysis covers your practice's full ePHI environment — your EHR, yes, but also your email, your imaging archive, your backup vendor, the personal phone your billing manager uses, the laptop in the front office. Your EHR vendor cannot do this analysis for you, because they cannot see most of your systems. They can sign a BAA covering their part of the environment, and they should. That is not the same thing.

What a defensible risk analysis looks like

You do not need a $15,000 consultant to produce a defensible risk analysis. You do need an output that meets four criteria.

A documented scope. Every system that creates, receives, maintains, or transmits ePHI, named explicitly: the EHR, the practice management software, the imaging server, the backup target, every workforce member's device that ever touches ePHI, every vendor with access. Missing systems are the single most common OCR finding.

A structured risk register. A list, not a narrative, of identified threats paired to identified vulnerabilities, each with an estimated likelihood and impact and a derived risk level. The NIST SP 800-30 format is what OCR points to in its 2010 final guidance.4

A documented methodology. A reader who is not you should be able to look at the analysis and answer the question "how was each risk level arrived at?" This is the part most templated analyses fail. OCR's investigators read these, and an analysis that cannot defend its own reasoning is treated as if it does not exist.

A date. The analysis must be dated, and it must be recent. OCR's informal but consistent position is that a risk analysis older than twelve months is presumptively stale, and the proposed 2026 Security Rule would make annual cadence the explicit floor.3
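As an added illustration (not code from the page or from HIPAA CoreFolio), the following Python sketches the shape of these four criteria together with the (A)/(B) pairing and the NIST SP 800-30 structure described earlier: a documented scope, a register that derives a risk level from each likelihood/impact pair, a documented response per risk, and a dated analysis checked for staleness. The 3x3 qualitative matrix, the field names and the sample practice data are assumptions constructed for this example; NIST SP 800-30 Rev. 1 tabulates a 5x5 scale, but the combining step is the same.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ("low", "moderate", "high")  # qualitative scale for likelihood, impact and risk

def risk_level(likelihood, impact):
    """Combine a likelihood/impact pair into a risk level (assumed 3x3 matrix)."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)  # 0..4
    return "high" if score >= 3 else "moderate" if score == 2 else "low"

@dataclass
class Risk:
    system: str         # must name a system in the documented scope
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    response: str = ""  # the (B) half: the documented risk-management action

@dataclass
class RiskAnalysis:
    scope: set          # every system that creates, receives, maintains or transmits ePHI
    performed_on: date  # the analysis must carry a date
    risks: list

    def register(self):
        """Risk register rows, highest derived risk first (the (A) artifact)."""
        return sorted(self.risks, key=lambda r: -LEVELS.index(risk_level(r.likelihood, r.impact)))

    def findings(self, today):
        """Gaps a reviewer would flag against the four criteria in the text."""
        gaps = []
        if today - self.performed_on > timedelta(days=365):
            gaps.append("stale: analysis is older than twelve months")
        for s in sorted(self.scope - {r.system for r in self.risks}):
            gaps.append(f"in-scope system with no assessed risks: {s}")
        for r in self.risks:
            if r.system not in self.scope:
                gaps.append(f"risk recorded outside the documented scope: {r.system}")
            if not r.response:
                gaps.append(f"no documented response under (B) for: {r.system} / {r.threat}")
        return gaps

def sample_analysis():
    """Constructed sample for a small practice (not data from any real entity)."""
    return RiskAnalysis({"EHR", "billing SaaS", "imaging archive", "office manager laptop"}, date(2024, 3, 1), [
        Risk("office manager laptop", "device lost or stolen", "no full-disk encryption", "moderate", "high", "enable disk encryption this week"),
        Risk("EHR", "ransomware after credential phishing", "remote access without MFA", "moderate", "high"),  # no (B) response yet
        Risk("billing SaaS", "vendor-side breach", "no signed BAA on file", "low", "high", "obtain a signed BAA")])
```

Run against the constructed sample, `findings()` reports the three gaps an investigator would look for first: the analysis is more than twelve months old, one in-scope system was never assessed, and one identified risk has no documented response.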

Common myths, briefly

"We have an EHR vendor — they handle compliance." Your EHR vendor is responsible for their portion of the ePHI environment, which is governed by a business associate agreement. They cannot conduct a risk analysis of your practice because they cannot see most of it. The risk-analysis obligation runs to the covered entity.

"We did one back in 2019." A risk analysis from 2019 is presumptively stale, and it almost certainly does not reflect any of the systems, vendors, or workforce changes that have happened since. OCR's investigators explicitly look for the date of the most recent analysis.

"We're a behavioral health / dental / PT practice — HIPAA is for hospitals." HIPAA covers every covered entity and business associate regardless of size or specialty. Several of the Initiative's settlements have been with small specialty practices. There is no specialty exemption in 45 CFR Part 164.

"We use the free HHS SRA Tool, so we're covered." The HHS Security Risk Assessment Tool produces a static output that some practices then file and forget. The Tool itself does not produce a compliant risk analysis unless the practice actually completes it accurately and thoroughly, dates it, and acts on what it reveals. OCR investigators treat an unsigned, undated, or incomplete SRA Tool output as non-evidence.

What to do this month

If you have not produced a dated, defensible risk analysis in the last twelve months, three steps are reasonable to take this week without spending money.

  1. Inventory the systems. Write down every place ePHI lives or moves in your practice. Include shadow systems — the personal phone, the shared drive, the legacy billing platform nobody has logged into for a year but still has the data.
  2. Find your most recent risk analysis. If it exists, note the date. If it does not exist, note that too — that is itself a finding.
  3. Make a calendar entry for the analysis itself. Block two uninterrupted hours within the next month. Risk analysis is not a thing you fit in between patients; it is a project.

The actual analysis — running threats against vulnerabilities, estimating likelihood and impact, deriving risk levels, documenting methodology — is the work the Initiative is now enforcing. So is the matching Risk Management Plan under § 164.308(a)(1)(ii)(B). HIPAA CoreFolio is built to produce both linked artifacts from one 60-minute pass, in a format OCR investigators recognize.

Sources

  1. U.S. Department of Health and Human Services, Office for Civil Rights, settlements announced under the Risk Analysis Initiative, October 2024–April 2025. Full list of resolution agreements available at the OCR newsroom: https://www.hhs.gov/about/news/index.html. Northeast Radiology, P.C. (April 2025) is the sixth publicly announced settlement under the Initiative as of this writing.

  2. 45 CFR § 164.308(a)(1)(ii)(A). Current text at the Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308.

  3. Notice of Proposed Rulemaking, HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025). Comment period closed March 7, 2025; the rule is not yet final. The proposed § 164.308(a)(1)(ii)(A) text would make annual risk-analysis cadence explicit and eliminate the "addressable" designation for many controls.

  4. National Institute of Standards and Technology, Guide for Conducting Risk Assessments, NIST Special Publication 800-30 Rev. 1 (September 2012). Available at https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final. OCR's 2010 final guidance on the risk-analysis requirement, Guidance on Risk Analysis Requirements under the HIPAA Security Rule, cites NIST SP 800-30 as the methodology benchmark.

  5. 45 CFR § 164.308(a)(1)(ii)(B). Same eCFR section as the risk analysis specification; the two paragraphs are consecutive and OCR treats them as a paired obligation. The 2010 OCR guidance on risk analysis explicitly frames the risk management plan as the required next step following the analysis.

  6. U.S. Department of Health and Human Services, Office for Civil Rights, Resolution Agreement and Corrective Action Plan with Northeast Radiology, P.C., April 2025. The published resolution agreement is available in the OCR newsroom under the press release for the Initiative's sixth settlement.