The OCR Risk Analysis Initiative, explained
When OCR investigates a small practice — after a breach report, a ransomware attack, a vendor incident, or a patient complaint — the first thing they ask for is the risk analysis. Here is what changed in late 2024, what the rule actually requires, and what a defensible answer looks like.
By CoreFolio
17-minute read
Most HIPAA enforcement headlines you read are about somebody else: a hospital with a million stolen records, a health plan with a misconfigured cloud bucket, a tech vendor with an unpatched server. It is easy to read those stories and conclude that none of this applies to a five-person family practice that thinks of itself as low-risk.
That conclusion is now wrong.
In late 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) launched what it called the Risk Analysis Initiative — a deliberate enforcement focus on covered entities and business associates that have failed the most basic, most repeatedly cited HIPAA requirement: conducting an accurate, thorough, and current risk analysis. The pattern is distinctive: an incident brings OCR to the door (a breach report, a ransomware attack, a vendor compromise, a patient complaint), the investigation expands to foundational compliance, and the missing or inadequate risk analysis becomes the cited violation that drives the settlement amount — often independent of the underlying incident.
This article explains what the Initiative is, what the underlying rule actually requires, what the Northeast Radiology settlement (April 2025) tells us about how OCR is enforcing it, and what a defensible answer looks like. Every claim cites the underlying Code of Federal Regulations (CFR) section, Federal Register entry, or OCR publication so you can verify it yourself.
What the Risk Analysis Initiative is
OCR launches enforcement initiatives periodically to focus its limited investigative capacity on patterns it sees in complaints, breach reports, and audits. Previous initiatives targeted right-of-access failures (2019–present) and ransomware response.
The Risk Analysis Initiative is the newest of these, announced in late 2024. It is not a new rule. The risk-analysis requirement it enforces has been on the books since the HIPAA Security Rule took effect in 2005. What is new is OCR's posture: rather than waiting for a breach to surface and then citing the underlying risk-analysis failure as one finding among several, OCR has begun investigating risk-analysis failures as the standalone violation, in covered entities and business associates of every size.
As of April 23, 2026, OCR reported 13 completed investigations under the Initiative, and it has resolved several closely related Security Rule risk-analysis settlements in the same window.1 Settlement amounts have ranged from $5,000 to $375,000, with corrective action plans running one to three years. The full list appears below. None of the entities reached a settlement large enough to make general-press headlines — which is part of the point. The Initiative is not about marquee cases. It is about consistent, predictable pressure on a population of small and mid-sized organizations that historically assumed they were too small to be investigated.
OCR Risk Analysis Initiative and related risk-analysis settlements (2024–April 2026)
| # | Entity | Date | Settlement | OCR enforcement type | Issue | Individuals Affected |
|---|---|---|---|---|---|---|
| 1 | Bryan County Ambulance Authority (OK) | Oct 2024 | $90,000 | Risk Analysis Initiative | Never conducted risk analysis | 14,273 |
| 2 | Elgon Information Systems (MA) | Jan 2025 | $80,000 | Risk Analysis Initiative | Failed risk analysis; ransomware via open firewall ports | 31,248 |
| 3 | Virtual Private Network Solutions (VA) | Jan 2025 | $90,000 | Risk Analysis Initiative | No comprehensive risk analysis | 6,400 |
| 4 | Northeast Surgical Group (MI) | Jan 2025 | $10,000 | Risk Analysis Initiative | Never conducted comprehensive risk analysis | 15,298 |
| 5 | Health Fitness Corporation (IL) | Mar 2025 | $227,816 | Risk Analysis Initiative | No risk analysis until 2024 | 4,304 |
| 6 | Northeast Radiology (NY/CT) | Apr 2025 | $350,000 | Risk Analysis Initiative | Failed to conduct comprehensive risk analysis | 298,532 |
| 7 | Guam Memorial Hospital Authority | Apr 2025 | $25,000 | Risk Analysis Initiative | Never conducted HIPAA-compliant risk analysis | 5,000 |
| 8 | Vision Upright MRI (CA) | May 2025 | $5,000 | Security & Breach Notification Rules | Never conducted risk analysis; late breach notification | 21,778 |
| 9 | Deer Oaks (TX) | Jul 2025 | $225,000 | Privacy & Security Rules | Impermissible disclosure; failed to conduct risk analysis | 171,871 |
| 10 | BST & Co. CPAs (NY) | Aug 2025 | $175,000 | Risk Analysis Initiative | No comprehensive risk analysis | 170,000 |
| 11 | Top of the World Ranch (IL) | Feb 2026 | $103,000 | Risk Analysis Initiative | Failed to conduct thorough risk analysis | 1,980 |
| 12 | MMG Fusion (software vendor) | Mar 2026 | $10,000 | Risk Analysis Initiative | No accurate risk analysis; failed to notify clients | 15,000,000 |
OCR enforcement type reflects how OCR framed each resolution. "Risk Analysis Initiative" marks the settlements OCR has expressly identified as enforcement actions under that Initiative; the remaining rows are closely related risk-analysis settlements OCR framed under the Security, Privacy, or Breach Notification Rules. Comstar, LLC (May 2025, $75,000), OCR's ninth Initiative action, is a business associate matter covered in the business associate enforcement record and is not repeated here.
What HIPAA actually requires here
The rule the Initiative enforces is at 45 CFR § 164.308(a)(1)(ii)(A) — sometimes called the "risk analysis specification."2 It requires every covered entity and business associate to:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Three words in that sentence do most of the work, and they are the words OCR keeps citing in its findings.
Accurate. The analysis must reflect the systems you actually use — your real electronic health record (EHR), your real billing service, the laptop your office manager actually takes home. A template downloaded from the internet and partially filled in does not meet this bar.
Thorough. The analysis must cover every system that creates, receives, maintains, or transmits ePHI ("electronic protected health information" — any digital record tied to a patient). One missed system is one vulnerability you cannot have mitigated, because you did not know it was there.
Current. OCR has long taken the position that risk analysis is an ongoing obligation. In practice this means at minimum an annual refresh, and additional refreshes whenever the practice meaningfully changes — new EHR, new location, new business associate, major workforce change. The proposed 2026 Security Rule update would make the annual cadence explicit.3
OCR's 2010 final guidance on what a compliant risk analysis looks like points squarely at National Institute of Standards and Technology (NIST) SP 800-30 as the methodology benchmark.4 NIST 800-30's framework is straightforward in shape: identify threats and vulnerabilities, estimate likelihood and impact for each pairing, derive a risk level, and document the analysis with enough detail that someone else could reproduce it. The actual work is unglamorous, but the structure is defensible because OCR itself points to it.
The other half OCR enforces alongside § 164.308(a)(1)(ii)(A)
The risk analysis is half of the obligation. The matching half is right next to it in the rule: 45 CFR § 164.308(a)(1)(ii)(B), the Risk Management standard.5 It requires every covered entity and business associate to:
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…
In OCR's 2010 guidance, (A) and (B) are described as a paired obligation. The citation pattern in the settlements is narrower than that pairing suggests. Across the Risk Analysis Initiative settlements reviewed for this article, the risk analysis specification at § 164.308(a)(1)(ii)(A) is the consistently cited violation in the Covered Conduct (the formal statement of the violation); a handful of settlements also cite a related Privacy Rule disclosure or a Breach Notification Rule failure. § 164.308(a)(1)(ii)(B) — the risk management plan — appears in the corrective action plan (CAP) of every settlement as a required remediation step, but OCR has not charged it as a standalone cited violation in any Initiative settlement to date. A practice that has a risk analysis but no documented response to the risks it identifies will be required to produce one under any CAP. The practical exposure is real; the citation pattern is narrower than commonly reported.
In practical terms this means a defensible answer is two linked artifacts, not one:
- A Risk Analysis Report — the assessment under (A).
- A Risk Management Plan — the documented response under (B), a prioritized action plan that maps each identified risk to a specific remediation step, a responsible party, and a timeline.
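The two linked artifacts, and the NIST SP 800-30 shape described above (threat paired to vulnerability, likelihood and impact estimated, risk level derived, reasoning recorded), can be sketched in a few dozen lines. The code below is an added illustration written for this article; it is not CoreFolio's product, OCR's, or NIST's own code. The three-level scales, the scoring matrix, the treatment windows, and every asset, threat, and vendor named in the sample inputs are constructed assumptions, and SP 800-30 Rev. 1 itself uses finer-grained scales than the three levels used here.

```python
"""Constructed example: a SP 800-30-style risk register (the Risk Analysis
Report) and the Risk Management Plan derived from it. Assumptions: three
qualitative levels instead of NIST's five, a product-based scoring matrix,
and 30/90-day treatment windows. Sample inputs are invented."""
from dataclasses import dataclass, field
from datetime import date, timedelta

LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}
IMPACT = {"low": 1, "moderate": 2, "high": 3}


def risk_level(likelihood: str, impact: str) -> str:
    """Derive a risk level from one likelihood/impact pairing.
    Constructed matrix: product 1-2 -> low, 3-4 -> moderate, 6-9 -> high."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


@dataclass
class Risk:
    asset: str          # system from the documented scope that holds or moves ePHI
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    rationale: str      # why these ratings: the "documented methodology" a reviewer needs
    level: str = field(init=False)

    def __post_init__(self) -> None:
        self.level = risk_level(self.likelihood, self.impact)


@dataclass
class PlanEntry:
    asset: str
    vulnerability: str
    level: str
    remediation: str
    owner: str
    due: date


# Constructed policy: how quickly each level must be treated. Low risks stay
# in the register with their rationale but are accepted, not scheduled.
TREATMENT_WINDOW = {"high": 30, "moderate": 90}


def build_register(risks: list[Risk]) -> list[Risk]:
    """Risk Analysis Report artifact: the register, highest risk first."""
    order = {"high": 0, "moderate": 1, "low": 2}
    return sorted(risks, key=lambda r: (order[r.level], r.asset))


def build_plan(register: list[Risk], actions: dict, start: date) -> list[PlanEntry]:
    """Risk Management Plan artifact: every risk at or above the treatment
    threshold mapped to a remediation step, an owner and a deadline.
    `actions` maps a vulnerability string to (remediation, owner)."""
    plan = []
    for r in register:
        if r.level not in TREATMENT_WINDOW:
            continue
        remediation, owner = actions[r.vulnerability]
        due = start + timedelta(days=TREATMENT_WINDOW[r.level])
        plan.append(PlanEntry(r.asset, r.vulnerability, r.level, remediation, owner, due))
    return plan


# Constructed sample for a small practice; none of this is from a real assessment.
SAMPLE_RISKS = [
    Risk("office manager laptop", "loss or theft of device", "no full-disk encryption",
         "moderate", "high", "laptop leaves the office daily; disk holds cached records"),
    Risk("cloud backup vendor", "unauthorized access to backups",
         "no signed BAA; MFA not enforced on vendor console", "moderate", "high",
         "backup target holds a full copy of the EHR database"),
    Risk("front-desk workstation", "malware via email attachment",
         "no endpoint protection; local admin rights", "high", "low",
         "opens external email all day; holds scheduling data only, no clinical records"),
    Risk("legacy billing server", "exploitation of unpatched service",
         "vendor support ended; no patches since 2021", "low", "moderate",
         "kept off the network except for a monthly export"),
]
SAMPLE_ACTIONS = {
    "no full-disk encryption": ("enable full-disk encryption; escrow recovery key", "IT vendor"),
    "no signed BAA; MFA not enforced on vendor console": ("execute BAA; require MFA", "practice manager"),
    "no endpoint protection; local admin rights": ("deploy endpoint protection; remove local admin", "IT vendor"),
    "vendor support ended; no patches since 2021": ("migrate exports; decommission server", "practice manager"),
}


def summarize(risks=SAMPLE_RISKS, actions=SAMPLE_ACTIONS, start=date(2026, 5, 1)):
    """Produce both linked artifacts from one pass over the register."""
    register = build_register(risks)
    return register, build_plan(register, actions, start)


if __name__ == "__main__":
    register, plan = summarize()
    for r in register:
        print(f"{r.level:8} {r.asset}: {r.threat} / {r.vulnerability} ({r.rationale})")
    for p in plan:
        print(f"{p.due} {p.owner}: {p.remediation} [{p.asset}]")
```

The point of the structure is that the second artifact is derived from the first, so a risk rated high with no plan entry is visible as a gap rather than something a reader has to infer from a narrative.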
What the settlement pattern shows
Northeast Radiology, P.C., resolved in April 2025 for $350,000 plus a multi-year corrective action plan, illustrates the Initiative's signature pattern.6 Northeast Radiology is a small practice by hospital standards — exactly the segment that historically assumed it was below OCR's radar.
The published resolution agreement says, in essence: Northeast Radiology had a breach reportable under the Breach Notification Rule. When OCR investigated, it found the practice had never conducted a compliant risk analysis in the years preceding the breach. The settlement was specifically tied to that failure, not to the technical control that allowed the breach itself.
Three things stand out for any small practice reading this.
First, the dollar figure. $350,000 is not a marquee number by hospital standards. For a small radiology group, it is several months of operating expense. The Initiative's typical settlement size is calibrated to be painful for the segment being targeted, not for the general health-system press.
Second, the cause of OCR's finding. OCR did not fine Northeast Radiology for the underlying breach. OCR fined them for not being able to produce a risk analysis that should have existed all along. The risk-analysis failure stands on its own as the cited violation, even though the breach is what opened the investigation.
Third, the breach was the trigger but not the basis. Northeast Radiology came to OCR's attention because of a Breach Notification Rule report. But once OCR had the door open, the investigation expanded to foundational compliance — and the risk-analysis gap was what stuck. Any small practice that files a breach report, responds to a complaint, or receives a routine audit selection is now realistically exposed to the same pattern.
April 2026: Four simultaneous ransomware settlements
In April 2026, OCR announced four more settlements — all involving ransomware attacks where the root cause was the same: no HIPAA-compliant risk analysis.7
| Entity | Settlement | Issue | Individuals Affected |
|---|---|---|---|
| Regional Women's Health Group (NJ) | $320,000 | Failed to conduct organization-wide risk analysis | 37,989 |
| Assured Imaging (AZ/CA) | $375,000 | Never conducted accurate risk analysis | 244,813 |
| Consociate Health (business associate) | $225,000 | No HIPAA-compliant risk analysis | 136,539 |
| Star Group Health Benefits Plan (CT) | $245,000 | Failed to conduct organization-wide risk analysis | 9,316 |
| Total | $1,165,000 | | 428,657 |
With these four resolutions, OCR reported 13 completed investigations under the Risk Analysis Initiative and 19 completed ransomware investigations overall.7
Why this changes the math for small practices
Four implications follow from the Initiative for any practice with fewer than 25 employees.
1. The "we're too small to be investigated" calculation no longer holds. The Initiative was explicitly designed to investigate small entities at a steady cadence. The economics of the Initiative for OCR are the opposite of marquee enforcement: high volume, mid-size penalties, straightforward findings.
2. The cost of a defensible risk analysis is now strictly less than the cost of one settlement. A boutique HIPAA consultant runs $5,000 to $25,000+ for a full engagement; self-assessment software costs less and suits a standard environment. Either way, the cost sits well below the smallest Initiative settlement to date — there is no longer a reasonable "we couldn't afford it" defense.
3. "Our EHR handles it" is not an answer. A risk analysis covers your practice's full ePHI environment — your EHR, yes, but also your email, your imaging archive, your backup vendor, the personal phone your billing manager uses, the laptop in the front office. Your EHR vendor cannot do this analysis for you, because they cannot see most of your systems. They can sign a business associate agreement (BAA) covering their part of the environment, and they should. That is not the same thing.
4. The Initiative is expanding in 2026. In January 2026, OCR Director Paula M. Stannard confirmed the Risk Analysis Initiative will continue through 2026 — and will now also target risk management failures, not just risk analysis.8 Going forward, practices under investigation must demonstrate not only that they conducted a comprehensive risk analysis, but also that they took action to reduce identified risks to a "low and acceptable level." A binder that contains a risk analysis but no matching risk management plan is now doubly exposed.
What a defensible risk analysis looks like
A defensible risk analysis does not depend on any one path — a consultant, guided software, or careful in-house work can each produce one. What it must do is meet four criteria.
A documented scope. Every system that creates, receives, maintains, or transmits ePHI, named explicitly: the EHR, the practice management software, the imaging server, the backup target, every workforce member's device that ever touches ePHI, every vendor with access. Missing systems are the single most common OCR finding.
A structured risk register. A list, not a narrative, of identified threats paired to identified vulnerabilities, each with an estimated likelihood and impact and a derived risk level. The NIST SP 800-30 format is what OCR points to in its 2010 final guidance.4
A documented methodology. A reader who is not you should be able to look at the analysis and answer the question "how was each risk level arrived at?" This is the part most templated analyses fail. OCR's investigators read these, and an analysis that cannot defend its own reasoning is treated as if it does not exist.
A date. The analysis must be dated, and it must be recent. OCR's informal but consistent position is that a risk analysis older than twelve months is presumptively stale, and the proposed 2026 Security Rule would make annual cadence the explicit floor.3
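The four criteria above (scope, register, methodology, date), together with the risk-management half of the obligation, can be checked mechanically against an analysis before an investigator ever reads it. The checker below is an added example written for this article, not CoreFolio's software and not an OCR test; the twelve-month staleness threshold is the article's rule of thumb, the "moderate or higher must have a plan entry" threshold is an assumption, and both sample analyses are constructed.

```python
"""Constructed example: a defensibility check over a risk analysis held as
plain dicts. Keys assumed: date (ISO string or None), scope (list of system
names), risks (dicts with asset, vulnerability, level, rationale) and plan
(dicts with asset, vulnerability, owner, due). Thresholds are assumptions."""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=365)          # twelve-month rule of thumb from the article
TREATED_LEVELS = {"moderate", "high"}      # assumption: these levels need a plan entry


def check_defensible(analysis: dict, today: date) -> list[str]:
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    # A date, and a recent one.
    raw = analysis.get("date")
    if not raw:
        findings.append("analysis is undated")
    elif today - date.fromisoformat(raw) > STALE_AFTER:
        findings.append(f"analysis dated {raw} is older than twelve months")
    # A documented scope, and every risk tied to a system that is in it.
    scope = set(analysis.get("scope", []))
    if not scope:
        findings.append("no documented scope (systems that hold or move ePHI)")
    risks = analysis.get("risks", [])
    for r in risks:
        if r["asset"] not in scope:
            findings.append(f"risk on '{r['asset']}' names a system missing from the scope")
        # A documented methodology: each rating must carry its reasoning.
        if not (r.get("rationale") or "").strip():
            findings.append(f"risk on '{r['asset']}' has no rationale for its rating")
    # The matching Risk Management Plan: every treated-level risk needs an
    # entry, and every entry needs an owner and a deadline.
    plan = analysis.get("plan", [])
    planned = {(p["asset"], p["vulnerability"]) for p in plan}
    for r in risks:
        if r["level"] in TREATED_LEVELS and (r["asset"], r["vulnerability"]) not in planned:
            findings.append(f"{r['level']} risk on '{r['asset']}' has no remediation step in the plan")
    for p in plan:
        if not p.get("owner") or not p.get("due"):
            findings.append(f"plan entry for '{p['asset']}' lacks an owner or a deadline")
    return findings


# Constructed sample: the "we did one back in 2019" binder.
STALE_ANALYSIS = {
    "date": "2019-06-14",
    "scope": ["EHR"],
    "risks": [{"asset": "office manager laptop", "vulnerability": "no full-disk encryption",
               "level": "high", "rationale": ""}],
    "plan": [],
}

# Constructed sample: a recent analysis with its plan attached.
CURRENT_ANALYSIS = {
    "date": "2026-03-02",
    "scope": ["EHR", "office manager laptop", "cloud backup vendor"],
    "risks": [
        {"asset": "office manager laptop", "vulnerability": "no full-disk encryption",
         "level": "high", "rationale": "leaves the office daily; disk holds cached records"},
        {"asset": "cloud backup vendor", "vulnerability": "MFA not enforced",
         "level": "moderate", "rationale": "vendor console reachable from the internet"},
    ],
    "plan": [
        {"asset": "office manager laptop", "vulnerability": "no full-disk encryption",
         "owner": "IT vendor", "due": "2026-04-01"},
        {"asset": "cloud backup vendor", "vulnerability": "MFA not enforced",
         "owner": "practice manager", "due": "2026-06-01"},
    ],
}


def run_samples(today: date = date(2026, 5, 1)):
    """Check both constructed samples as of a fixed date."""
    return check_defensible(STALE_ANALYSIS, today), check_defensible(CURRENT_ANALYSIS, today)


if __name__ == "__main__":
    for label, result in zip(("stale", "current"), run_samples()):
        print(label, result or "no findings")
```

Run against the stale sample this reports four findings (old date, a system outside the scope, a rating with no rationale, and a high risk with no plan entry); the current sample passes clean. The same checks are the ones an investigator applies by hand, which is why running them before filing the analysis is cheap insurance.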
Common myths, briefly
"We have an EHR vendor — they handle compliance." Your EHR vendor is responsible for their portion of the ePHI environment, which is governed by a business associate agreement. They cannot conduct a risk analysis of your practice because they cannot see most of it. The risk-analysis obligation runs to the covered entity.
"We did one back in 2019." A risk analysis from 2019 is presumptively stale, and it almost certainly does not reflect any of the systems, vendors, or workforce changes that have happened since. OCR's investigators explicitly look for the date of the most recent analysis.
"We're a behavioral health / dental / PT practice — HIPAA is for hospitals." HIPAA covers every covered entity and business associate regardless of size or specialty. Several of the Initiative's settlements have been with small specialty practices. There is no specialty exemption in 45 CFR Part 164.
"We use the free HHS SRA Tool, so we're covered." The HHS Security Risk Assessment Tool produces a static output that some practices then file and forget. The Tool itself does not produce a compliant risk analysis unless the practice actually completes it accurately and thoroughly, dates it, and acts on what it reveals. OCR investigators treat an unsigned, undated, or incomplete SRA Tool output as non-evidence.
What to do this month
If you have not produced a dated, defensible risk analysis in the last twelve months, three steps are reasonable to take this week without spending money.
- Inventory the systems. Write down every place ePHI lives or moves in your practice. Include shadow systems — the personal phone, the shared drive, the legacy billing platform nobody has logged into for a year but still has the data.
- Find your most recent risk analysis. If it exists, note the date. If it does not exist, note that too — that is itself a finding.
- Make a calendar entry for the analysis itself. Block two uninterrupted hours within the next month. Risk analysis is not a thing you fit in between patients; it is a project.
The actual analysis — running threats against vulnerabilities, estimating likelihood and impact, deriving risk levels, documenting methodology — is the work the Initiative is now enforcing. So is the matching Risk Management Plan under § 164.308(a)(1)(ii)(B). CoreFolio HIPAA is built to produce both linked artifacts from one 60-minute pass, in a format OCR investigators recognize.
Sources
Footnotes
1. U.S. Department of Health and Human Services, Office for Civil Rights. Resolution agreements and press releases for the Risk Analysis Initiative, October 2024–April 2026. Full list available at the OCR newsroom: https://www.hhs.gov/about/news/index.html and individual resolution agreements at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/.
2. 45 CFR § 164.308(a)(1)(ii)(A). Current text at the Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308.
3. Notice of Proposed Rulemaking, HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025). Comment period closed March 7, 2025; the rule is not yet final. The proposed § 164.308(a)(1)(ii)(A) text would make annual risk-analysis cadence explicit and eliminate the "addressable" designation for many controls.
4. National Institute of Standards and Technology, Guide for Conducting Risk Assessments, NIST Special Publication 800-30 Rev. 1 (September 2012). Available at https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final. OCR's 2010 final guidance on the risk-analysis requirement, Guidance on Risk Analysis Requirements under the HIPAA Security Rule, cites NIST SP 800-30 as the methodology benchmark.
5. 45 CFR § 164.308(a)(1)(ii)(B). Same eCFR section as the risk analysis specification; the two paragraphs are consecutive. OCR's 2010 guidance frames the risk management plan as the required next step following the analysis. In every Risk Analysis Initiative settlement reviewed for this article, § 164.308(a)(1)(ii)(B) appears in the corrective action plan as a required remediation step; it has not appeared in the Covered Conduct (the cited violation) of any Initiative settlement to date. Source: HHS resolution agreements, October 2024–April 2026, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/.
6. U.S. Department of Health and Human Services, Office for Civil Rights, Resolution Agreement and Corrective Action Plan with Northeast Radiology, P.C., April 2025. Available at the OCR Resolution Agreements page: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/.
7. U.S. Department of Health and Human Services, Office for Civil Rights, HHS' Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations (April 23, 2026). The announcement states the resolutions "mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR's Risk Analysis Initiative." https://www.hhs.gov/press-room/ocr-settles-four-ransomware-investigations.html
8. HIPAA Journal. OCR's Risk Analysis Initiative to Continue in 2026 with Expanded Focus, January 2026.