In 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has intensified its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, placing significant emphasis on the requirement for covered entities and business associates to conduct a comprehensive risk analysis. Since launching its Risk Analysis Initiative in October 2024, the OCR has already entered into several resolution agreements – signaling a clear shift toward proactive enforcement and greater accountability for noncompliance.
The OCR’s Risk Analysis Initiative
The OCR’s recent initiative targets organizations that fail to conduct an accurate and thorough assessment of the risks to electronic protected health information (ePHI). These enforcement actions have resulted in resolution agreements – formal settlement agreements between the OCR and a HIPAA-covered entity or business associate that include monetary penalties and multi-year Corrective Action Plans (CAPs) with ongoing OCR oversight.
While the reported security incidents involve different types of alleged violations – from ransomware to unsecured servers – the risk analysis requirement plays a central role in each of the OCR’s enforcement actions. Financial penalties tied to the resolution agreements ranged from $25,000 to $3 million; the highest was imposed on a national medical supplier that failed to conduct a compliant risk analysis and later experienced a significant data breach following a phishing attack. Other settlements, typically in the five- to six-figure range, were reached with mid-sized providers and service companies. These enforcement outcomes reflect broader industry-wide gaps that the initiative aims to address.
The initiative was prompted by a 264% increase in large breaches involving ransomware since 2018, with many breaches linked to incomplete or outdated risk analyses. The OCR’s 2016-2017 HIPAA audits found that only 14% of covered entities were substantially fulfilling their risk analysis obligations. These trends, combined with the growing number of individuals affected by cyber incidents, highlight the critical need for HIPAA-regulated entities to proactively evaluate and strengthen their compliance with the HIPAA Security Rule.
The HIPAA Security Risk Analysis Requirement
Conducting a risk analysis is not just a best practice – it is a core requirement under the HIPAA Security Rule. It applies to all covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates (vendors or subcontractors who create, receive, maintain, or transmit protected health information on their behalf).
A compliant risk analysis involves:
- Identifying where ePHI is stored, received, maintained, or transmitted
- Assessing potential threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI
- Evaluating the likelihood and impact of potential risks
- Implementing appropriate security measures to reduce identified risks to a reasonable and appropriate level (the companion risk management requirement, which depends on the analysis being accurate and complete)
- Reviewing and updating the risk analysis regularly, especially after significant changes to operations or technology
Organizations that fail to perform an analysis not only face increased exposure to attacks, but also significant financial penalties and heightened regulatory oversight.
Recommended Actions for Employers
The OCR recommends that entities covered by HIPAA – including health care providers, health plans, clearinghouses, and business associates – take the following actions to mitigate or prevent cyber threats:
- Review vendor and contractor relationships to confirm that the appropriate business associate agreements are in place, and that they clearly define responsibilities related to breaches and security incidents.
- Integrate risk analysis and risk management into routine business operations. These assessments should be conducted regularly and whenever new technologies or business processes are introduced.
- Implement audit controls to monitor and evaluate activity within information systems.
- Use multi-factor authentication (MFA) to ensure that only authorized individuals can access ePHI.
- Encrypt ePHI to protect it from unauthorized access.
- Apply lessons learned from past incidents to strengthen the overall security management strategy.
- Provide regular, role-specific training to staff, emphasizing their essential role in maintaining privacy and security.
The OCR’s recent enforcement actions underscore the critical importance of completing a comprehensive HIPAA risk analysis. To support organizations in meeting this requirement, the OCR provides official guidance along with a Security Risk Assessment (SRA) Tool, designed to help covered entities and business associates through the process.
While the SRA Tool can serve as a helpful starting point, HHS emphasizes that the tool is intended for informational purposes only and does not by itself guarantee compliance. Organizations must still exercise their own judgment in assessing the likelihood, impact, and overall risk of specific threats and vulnerabilities. As such, HIPAA-regulated entities are strongly encouraged to consult with cybersecurity professionals and legal counsel for further support.
Additional Resources
- HHS Enforced HIPAA Compliance Resolution Agreements
- HHS Guidance on Risk Analysis
- OCR Security Risk Assessment Tool
Connect with a Sequoia consultant to learn how Sequoia’s compliance services are integrated in our benefits services and tailored solutions. And if you’re already a Sequoia client, stay on top of your employer obligations with your Compliance Checklist that highlights important compliance dates, action items, and resources.
The information and materials on this blog are provided for informational purposes only and are not intended to constitute legal or tax advice. Information provided in this blog may not reflect the most current legal developments and may vary by jurisdiction. The content on this blog is for general informational purposes only and does not apply to any particular facts or circumstances. The use of this blog does not in any way establish an attorney-client relationship, nor should any such relationship be implied, and the contents do not constitute legal or tax advice. If you require legal or tax advice, please consult with a licensed attorney or tax professional in your jurisdiction. The contributing authors expressly disclaim all liability to any persons or entities with respect to any action or inaction based on the contents of this blog. © 2025 Sequoia Consulting Group. All Rights Reserved.