A review of OCR Enforcement Findings from 2025 (March-July)
OCR’s latest enforcement push is driving healthcare organizations to conduct a thorough review of their HIPAA risk analysis to find any weaknesses or gaps — before the agency does. This OCR Risk Analysis update for covered entities reviews the current enforcement environment and the findings behind recent actions.
Whether you’re a covered entity or a business associate, the penalties — and the reputational damage — could be severe if your risk analysis can’t withstand scrutiny now. Here’s what you need to know, and what you should be doing now.
One Key Issue Behind 90% of Fines
Among all the HIPAA Security Rule requirements, one issue is consistently highlighted in the vast majority of enforcement actions: Non-compliant risk analysis.
The OCR Risk Analysis Initiative reflects this focus. It’s a targeted enforcement effort to identify where organizations fall short in assessing and managing risk to electronic protected health information (ePHI). OCR is doubling down on holding organizations accountable for incomplete or outdated assessments that leave ePHI exposed.
What is the OCR Risk Analysis Initiative, and When Did It Start?
The HIPAA Security Rule has long required covered entities and business associates to conduct an accurate and thorough risk analysis of threats to electronic protected health information (ePHI). That requirement isn’t new.
What’s changed is the level of enforcement — and the urgency behind it. The ultimate goal? Ensuring the entire healthcare industry understands the importance of this requirement.
The Risk Analysis Initiative began under the Biden administration as a targeted effort to reduce breaches tied to weak or non-existent risk analyses. But under the Trump administration, the initiative has continued, with enforcement actions and expectations becoming more explicit.
Now under the leadership of OCR Director Paula M. Stannard, it is clear that a comprehensive risk analysis is vital in today’s environment, as ransomware and supply chain threats continue to escalate.
“Conducting a thorough HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is even more necessary as sophisticated cyberattacks increase.”
— Paula M. Stannard, OCR Director
Her first HIPAA enforcement announcements reinforce that the Risk Analysis Initiative is not only continuing, but could be expanding. Expect OCR to demand greater depth, more precise documentation, and real accountability from covered entities and business associates.
What Do Enforcement Numbers Tell Us?
Even before the enforcement initiative began, risk analysis had been a significant factor in how OCR handles HIPAA enforcement.
In fact, inadequate risk analysis has been involved in 90% of OCR’s HIPAA Security Rule enforcement actions so far. That’s not happening by accident. This shows you exactly where OCR is putting its attention and resources.
OCR has already announced two significant HIPAA enforcement actions under the new Director Paula M. Stannard, both reinforcing the same point: failure to conduct an adequate risk analysis is a persistent and costly mistake.
Behavioral Health Solution of Deer Oaks
Announced July 7, 2025
OCR reached a $225,000 settlement with Deer Oaks following violations of the HIPAA Security and Privacy Rules. The organization failed to conduct a sufficient risk analysis and lacked appropriate safeguards to protect ePHI. A two-year corrective action plan was imposed.
Syracuse ASC
Announced July 24, 2025
OCR reached a $250,000 settlement and imposed a two-year corrective action plan requiring a full risk analysis, policy updates, and workforce training. The settlement resolves an OCR investigation concerning a ransomware breach of ePHI that affected 24,891 individuals.
Key findings for Syracuse ASC that stand out:
- No HIPAA-compliant risk analysis had been conducted
- Breach notification was delayed
“Cybersecurity threats in healthcare are real and put patients at risk,” said OCR Director Paula M. Stannard. “HIPAA covered entities and their business associates must conduct risk analyses, identify threats and vulnerabilities to electronic protected health information, and have appropriate safeguards in place.”
A Growing List of Enforcement Actions
The Deer Oaks and Syracuse ASC cases are not outliers. Here’s a look at recent enforcement actions tied to risk analysis failures since March 2025:
- Comstar, LLC (May 30, 2025): Settled for $75,000 following a ransomware breach affecting 586,000 individuals. OCR found Comstar did not “conduct an accurate and thorough assessment of the potential risks and vulnerabilities” to ePHI.
- BayCare Health System (May 28, 2025): Fined $800,000 for HIPAA Security Rule failures tied to insider threats. A missing or weak risk analysis was the common thread.
- Vision Upright MRI (May 15, 2025): Fined $25,000 after failing to perform any risk analysis and delaying breach notification following a server attack.
- Comprehensive Neurology, PC (April 25, 2025): A $25,000 settlement followed a ransomware event that encrypted the practice’s network. OCR again found no meaningful risk analysis.
- PIH Health, Inc. (April 23, 2025): $600,000 in penalties and a two-year corrective plan after a phishing attack compromised nearly 190,000 records. OCR noted inadequate risk analysis and failure to notify within required timeframes.
- Guam Memorial Hospital Authority (April 17, 2025): Settled for $25,000 after ransomware affected 5,000 individuals. Another case highlighting the failure of risk analysis.
- Northeast Radiology, P.C. (April 10, 2025): Paid $350,000 after unauthorized access to its picture archiving and communication system (PACS) server exposed patient images. Again, OCR found issues with its risk analysis.
- Health Fitness Corporation (HFC) (March 21, 2025): Paid $227,816 after OCR determined a server misconfiguration exposed ePHI online from August 2015 until HFC discovered the breach in June 2018.
In nearly every case, OCR’s investigation revealed systemic failures to identify vulnerabilities and implement risk-based controls.
Core Enforcement Still a Focus
Despite a broad reorganization at HHS, OCR’s mission continues under the newly defined Assistant Secretary for Enforcement (ASE) — its core structure remains intact and capable of pursuing compliance action in the HIPAA space.
Key context:
- The OCR case backlog has doubled from 6,532 in FY 2024 to 13,274 in May 2025.
- For FY 2026, HHS’ budget request is for nearly $237.7 million for ASE, including OCR, with a combined 893 full-time employees.
- The Risk Analysis Initiative can still drive cases toward resolution despite staffing shortages. Because the agency’s focus is on increasing the number of completed investigations, the initiative is a high-leverage enforcement tool in a constrained environment.
In other words: Enforcement doesn’t seem to be slowing down. As of now, all signs point to continued momentum in HIPAA Security Rule enforcement, especially as OCR’s leadership and funding solidify.
What Healthcare Organizations Should Expect
Expect continued pressure.
Organizations should prepare for:
- Stricter expectations around the scope and quality of risk analyses
- Greater scrutiny of methodologies, system-level coverage, and ePHI mapping
- More frequent audits, especially focused on ransomware and hacking controls
- Larger fines, especially for failures tied to breach response or ongoing vulnerabilities
- Upcoming HIPAA Security Rule changes, currently under review by OCR
If your current risk analysis process can’t demonstrate real alignment with OCR’s expectations, it’s time to reassess.
Priority Actions for Covered Entities
- Locate all ePHI – You can’t protect what you haven’t identified
- Integrate risk management – Make it a continuous process, not a one-time audit
- Implement and monitor audit logs – Not just logs, but active review
- Use encryption and access control – Enforce least privilege and safeguard data in transit and at rest
- Train by role – Tailor HIPAA education to job duties and risk exposure
- Learn from incidents – Incorporate breach lessons into future planning
Priority Actions for Business Associates
OCR is placing business associates under the same microscope as covered entities. If you manage or access ePHI:
- Conduct a HIPAA-compliant risk analysis
- Update policies to reflect real risk
- Secure shared environments with appropriate controls
- Vet subcontractors and track obligations
- Maintain audit-ready documentation
- Stay aligned with clients and evolving regulations
Common Questions About OCR’s Risk Analysis Initiative
What is the OCR Risk Analysis Initiative?
A targeted enforcement effort to ensure organizations conduct HIPAA-compliant risk analyses that go beyond surface-level reviews.
Why does risk analysis matter?
It’s a foundation of HIPAA Security Rule compliance—and the starting point for preventing breaches.
What’s changed under the Trump administration?
Under Director Paula M. Stannard, the Risk Analysis Initiative is continuing, with more investigations and higher expectations.
What mistakes does OCR see most?
High-level gap assessments that don’t provide a comprehensive view of risk, outdated assessments, no follow-up, and treating risk analysis as a one-time task.
How often should my Risk Analysis be updated?
At least annually, but it is best to perform a continuous risk analysis — and after any major change or incident.
Do Business Associates need to comply?
Yes. OCR holds business associates to the same standards as covered entities.
What frameworks should we follow?
OCR favors alignment with NIST CSF and 405(d). These also count as recognized security practices under HITECH.
How Clearwater Can Help
Whether you’re preparing for OCR scrutiny, responding to a recent incident, or working to strengthen your overall security posture, Clearwater delivers the expertise and tools to help you move from uncertainty to action.
Our team supports covered entities and business associates with:
🔹 OCR-Quality® Risk Analysis powered by purpose-built software
Asset-based analysis aligned to all nine HIPAA Security Rule elements—designed to uncover real system- and component-level risk.
🔹 Expert-Guided Risk Response
Consultant-led planning and assistance to drive remediation efforts, communicate with leadership, and document defensible actions.
🔹 Interactive Dashboards & Reporting
Clear views of risk, maturity, and remediation progress—built for boardrooms, regulators, and operational teams alike.
Whether you engage with us for a single assessment or through our full Enterprise Cyber Risk Management approach, you’ll get more than a report. You’ll gain a roadmap backed by healthcare’s most proven methodology—and a team that knows how to help you act on it.
Talk to an expert to understand what it means to have an OCR-Quality® Risk Analysis.
The post OCR Risk Analysis, an Update for Covered Entities appeared first on Clearwater.