As a cybersecurity professional, I’ve seen firsthand how vital risk analysis is for safeguarding sensitive data. For healthcare organizations, it’s not just best practice, it is a key component of HIPAA compliance. The HHS Office for Civil Rights (OCR) has made it clear: failing to conduct thorough risk assessments can lead to significant penalties.
Why Risk Analysis Matters
HIPAA’s Security Rule requires covered entities to assess risks to electronic protected health information (ePHI) to ensure confidentiality, integrity, and availability (See 45 C.F.R. § 164.308(a)(1)(ii)(A)). A robust risk analysis identifies vulnerabilities—like outdated systems or weak access controls—before they become breaches.

Without it, organizations are flying blind, risking patient trust and regulatory action. A risk analysis helps an organization prioritize the most critical cybersecurity risks it faces and avoid costly data breaches.
Breaches and Fines Tell the Story
OCR has ramped up enforcement for risk analysis failures in 2025 with the following settlements recently announced on their Resolution Agreements page.
- April 4, 2025: OCR settles with Northeast Radiology, P.C. (NERAD) for $350K, citing a potential violation of “the requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity.”
- March 21, 2025: OCR settles with Health Fitness Corporation for $227K, finding that “Health Fitness failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI that it holds until January 19, 2024.”
- February 20, 2025: OCR settles with Warby Parker for $1.5M, finding “evidence of three violations of the HIPAA Security Rule, including a failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems, a failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a failure to implement procedures to regularly review records of information system activity.”
- January 14, 2025: OCR settles with Solara Medical Supplies, LLC for $3M, finding potential violations including “the requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Solara.”
These fines highlight the trend in OCR’s Risk Analysis Initiative, launched to curb rising cyberattacks.
What’s Coming: Annual Risk Assessments
On December 27, 2024, HHS proposed updates to the HIPAA Security Rule, mandating annual risk assessments with written documentation. The comment period for this proposed Security Rule closed on March 7, 2025 with over 4,600 comments. If finalized as is, it will make annual, detailed risk analysis non-negotiable.
Takeaway for Healthcare Leaders
Risk analysis isn’t just compliance—it’s your first line of defense. With OCR’s focus on enforcement and new rules looming, now’s the time to prioritize:
- Conduct thorough, documented risk assessments.
- Update policies to reflect evolving threats.
- Train staff to spot and mitigate risks.
What steps is your organization taking to stay HIPAA-compliant? Reach out to GrowthPoint at [email protected] for more information on HIPAA-compliant risk analyses.
Want to Learn More?
Download our HIPAA Compliance PDF