OCR Enforcement 2025-2026: Why Incomplete Security Risk Analyses Are Still the #1 Settlement Driver
Picture this. You are the IT administrator at a 25-bed Critical Access Hospital in rural Minnesota. You manage the network, the servers, the workstations, the EHR, the printer fleet, and the security posture for about 150 employees. This morning, you open an email from the U.S. Department of Health and Human Services Office for Civil Rights informing you that your organization has been selected for a HIPAA compliance audit.
Your stomach drops. You pull up the Security Risk Analysis your organization paid a consultant to perform. It is from 2021. It does not mention the cloud-based patient portal you deployed in 2023. It does not reference the medication dispensing systems on the med-surg floor. It has never been updated after the ransomware attempt you narrowly avoided last spring.
Here is the hard truth: even with all the discussion about the proposed HIPAA Security Rule update that may be finalized later this year, OCR is actively enforcing the current rule right now. And incomplete Security Risk Analyses remain the single fastest route to a settlement, a corrective action plan, and years of federal monitoring.
OCR Is Not Waiting for the New Rule
In March 2025, OCR confirmed that its 2024-2025 HIPAA Audits - the third round of compliance audits and the first in seven years - were underway, having quietly commenced in December 2024. This round targets 50 covered entities and business associates and focuses specifically on HIPAA Security Rule provisions most relevant to hacking and ransomware prevention. Tim Noonan, OCR's deputy director for health information privacy, data, and cybersecurity, confirmed the scope at the Virtual 42nd National HIPAA Summit, noting that hacking incidents increased 30% and ransomware attacks rose 45% in large health data breaches reported to the agency between 2020 and 2024.
But the audits are only one part of the picture. OCR's dedicated Risk Analysis Initiative has been far more visible in its results. Through March 2026, the initiative has produced 12 enforcement actions, with the most recent settlements announced in February and March of this year. Across all of 2025, OCR announced 20 enforcement actions resulting in millions of dollars in combined penalties, and risk analysis failures were present in the overwhelming majority. Individual settlements ranged from $25,000 for small providers to $3 million for larger organizations, with most accompanied by multi-year corrective action plans.
The pattern is unmistakable. From January through August 2025 alone, 16 resolution agreements featured failure to conduct an accurate and thorough risk analysis as a primary or central violation. Then, after a six-month gap, OCR picked up right where it left off with two more settlements in early 2026.
These are not theoretical enforcement priorities. These are checks being written and corrective action plans being signed.
What the Rule Actually Says
The requirement at the center of all this enforcement activity is 45 CFR 164.308(a)(1), the Security Management Process standard. It is worth understanding exactly what it demands, because the gap between what organizations think they have done and what OCR expects them to have done is where settlements are born.
The standard itself is a Required implementation: covered entities and business associates must implement policies and procedures to prevent, detect, contain, and correct security violations. Under that standard, two implementation specifications are directly relevant here, and both are Required - not Addressable.
Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)) requires organizations to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate.
Risk Management (45 CFR 164.308(a)(1)(ii)(B)) requires organizations to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
The critical words in the risk analysis requirement are "accurate and thorough." OCR has made clear through years of enforcement that this means enterprise-wide. It means every system, every device, every cloud service, and every business associate connection that touches ePHI. It means documenting specific threats and vulnerabilities, assigning likelihood and impact ratings, and linking findings to an actionable risk management plan.
A five-page questionnaire a consultant filled out three years ago does not meet that standard. A checklist you downloaded from the internet and checked a few boxes on does not meet that standard. And OCR has the enforcement receipts to prove it.
The Settlements Tell the Story
A look at recent enforcement actions reveals just how consistently OCR targets risk analysis failures - and how varied the organizations are in size and type.
In January 2025, Solara Medical Supplies agreed to a $3 million settlement after a phishing attack compromised employee email accounts and exposed ePHI for approximately 114,000 patients. OCR found that Solara had not conducted a thorough risk analysis before the attack. In May 2025, BayCare Health System settled for $800,000 after an investigation revealed the health system had not adequately restricted access to ePHI upon an employee's termination and lacked sufficient risk management measures. That same month, Comstar, a Massachusetts medical billing company serving over 70 covered entities, settled for $75,000 after a ransomware attack compromised approximately 585,000 individuals' records. OCR found Comstar had not conducted an accurate and thorough risk analysis.
Smaller organizations have not been spared. In April 2025, Comprehensive Neurology, a single practice, settled for $25,000 following a ransomware event that encrypted its network, with OCR finding no meaningful risk analysis in place. Vision Upright MRI, a small California imaging provider, paid $25,000 after failing to perform any risk analysis at all and delaying breach notification following a server attack.
The 2026 actions continued the trend. On February 19, 2026, OCR announced a $103,000 settlement with Top of the World Ranch Treatment Center, a substance use disorder treatment provider in Illinois. A phishing attack had compromised ePHI for 1,980 patients. OCR's investigation found the organization had failed to conduct an accurate and thorough risk analysis. The settlement included a two-year corrective action plan requiring a comprehensive risk analysis, updated policies, and annual workforce training. OCR Director Paula M. Stannard stated plainly that organizations cannot protect ePHI if they have not identified the risks to it.
Then on March 5, 2026, OCR announced a $10,000 settlement with MMG Fusion, a Maryland dental software company and HIPAA business associate. This case is notable: an unauthorized actor had infiltrated MMG's systems in December 2020, accessing the PHI of approximately 15 million individuals. The data was posted on the dark web. MMG had not conducted a risk analysis, and critically, had not notified the affected covered entities about the breach at all. OCR only learned of the incident through a complaint filed in January 2023. The settlement amount was low because OCR considered the company's financial condition, but it came with a three-year corrective action plan and the requirement to conduct and resubmit a risk analysis until OCR was satisfied with its thoroughness.
The dollar amounts vary. The corrective action plans do not. In every single case, OCR requires the organization to go back and do the risk analysis properly - the work they should have done before the incident occurred.
Selected Risk Analysis Initiative Settlements (2025-2026)
| Organization | Date | Settlement | Trigger | CAP |
|---|---|---|---|---|
| Solara Medical Supplies | Jan 2025 | $3,000,000 | Phishing; ~114K individuals | 2-year |
| Comprehensive Neurology | Apr 2025 | $25,000 | Ransomware; network encrypted | 2-year |
| Vision Upright MRI | May 2025 | $25,000 | Server breach; ~21K individuals | 2-year |
| BayCare Health System | May 2025 | $800,000 | Insider threat; unauthorized access | 2-year |
| Comstar, LLC (BA) | May 2025 | $75,000 | Ransomware; ~585K individuals | 2-year |
| Deer Oaks Behavioral Health | Jul 2025 | $225,000 | Security and Privacy Rule failures | 2-year |
| Syracuse ASC, LLC | Jul 2025 | $250,000 | Ransomware; ~24K individuals | 2-year |
| Top of the World Ranch (TWRTC) | Feb 2026 | $103,000 | Phishing; ~2K individuals | 2-year |
| MMG Fusion, LLC (BA) | Mar 2026 | $10,000 | Breach + no notification; ~15M individuals | 3-year |
All settlements listed above included risk analysis failure as a primary or central violation under 45 CFR 164.308(a)(1)(ii)(A). See OCR's Resolution Agreements page for full details. This is a representative selection, not a comprehensive list of all 2025-2026 enforcement actions.
The Gaps OCR Keeps Finding
Across these enforcement actions, the same deficiencies surface repeatedly. Understanding them is important because they map directly to the situations many health care IT professionals are living in right now.
The most common gap is that the risk analysis is not truly enterprise-wide. Organizations assess their EHR and maybe their email system but miss legacy clinical applications, networked medical devices, cloud services, remote access pathways, and the connections to business associates who handle ePHI on their behalf. At a Critical Access Hospital, this might mean the infusion pump system on the nursing floor, the cloud-based patient portal, the billing clearinghouse connection, or the IT managed services provider's remote access tools are all absent from the analysis.
The second most common gap is that the analysis is outdated. A risk analysis performed in 2020 does not account for the telehealth platform you stood up during COVID, the migration to Microsoft 365 you completed in 2022, or the new patient portal that went live last year. Risk analysis is not a one-time project. It is an ongoing process that must be updated when the environment changes and reviewed at regular intervals.
Third, many organizations lack documented likelihood and impact ratings. A narrative description of general risks is not enough. OCR expects to see specific threats and vulnerabilities identified, with each one rated for how likely it is to occur and how severe the impact would be. This is what turns a risk analysis from a vague awareness exercise into a tool that drives real decisions about where to invest limited resources.
Fourth, there is no linked risk management plan. Identifying risks without documenting how you plan to address them misses the second half of the requirement. Under 45 CFR 164.308(a)(1)(ii)(B), you must implement security measures that reduce those risks to a reasonable and appropriate level. That means a documented plan with specific remediation steps, assigned ownership, and target timelines.
Finally, organizations often fail to address known vulnerabilities. Unpatched systems, weak or absent multi-factor authentication, shared credentials, flat network architectures - if these are present in your environment and absent from your risk analysis, you have a documentation gap that OCR can and will cite.
For the solo IT person at a small clinic, this can feel overwhelming. You know these gaps exist. You may have even flagged them to leadership. But documenting them formally, with ratings and remediation plans, is the difference between a security program and a hope-for-the-best strategy.
Practical SRA Gap Checklist
Use this 10-point self-audit to test whether your current Security Risk Analysis documentation would survive OCR review. If you cannot answer "yes" to each question, you have a gap that needs to be addressed.
- Is the SRA truly enterprise-wide - covering every system, device, cloud service, and business associate connection that touches ePHI?
- Has it been reviewed or updated within the last 12 months, or after any significant change to your environment?
- Does it document specific threats and vulnerabilities to ePHI - not just general risk categories?
- Are likelihood and impact ratings included for each identified risk?
- Is there a separate, actionable risk management plan with remediation timelines and assigned ownership?
- Does it address legacy clinical applications and networked medical devices?
- Are administrative, physical, and technical safeguards all evaluated?
- Is there evidence of workforce involvement and review - not just IT completing it in isolation?
- Has it been tied to your incident response and contingency planning?
- Would you be comfortable handing this document to an OCR auditor today?
This checklist is based on patterns observed in OCR enforcement actions under the Risk Analysis Initiative and the requirements of 45 CFR 164.308(a)(1). It is not exhaustive and does not constitute compliance advice.
Fix It Before OCR Comes Knocking
The good news is that a defensible Security Risk Analysis does not require a six-figure consulting engagement or an enterprise GRC platform. It requires deliberate effort, honest documentation, and follow-through.
Start with the free Security Risk Assessment (SRA) Tool jointly developed by OCR and the Assistant Secretary for Technology Policy (formerly ONC). Version 3.6, released in September 2025, includes updated risk scoring aligned to NIST standards, a new section-level review and approval tracking feature for audit readiness, and enhanced remediation reporting. The tool is designed specifically for small and medium-sized health care organizations. It walks you through multiple-choice questions, threat and vulnerability assessments, and asset and vendor management using a wizard-based approach. All data stays local on your machine.
The SRA Tool is a starting point, not a finish line. To build a risk analysis that would survive OCR scrutiny, you need to go beyond the tool.
First, build your ePHI inventory. Identify every system, application, device, and connection that creates, receives, maintains, or transmits ePHI. This includes your EHR, email, patient portal, billing systems, medical devices, backup systems, remote access tools, and every business associate who touches your data. If you do not know where your ePHI lives, you cannot assess the risks to it.
Second, make the risk analysis a living document. Set a calendar reminder to review it annually at minimum, and update it any time you deploy a new system, change a vendor, experience a security incident, or make a significant infrastructure change. The date on the document matters. A 2021 analysis reviewed in 2026 is not a current analysis.
Third, tie every finding to your risk management plan. For each identified risk, document what you are doing about it, who is responsible, and when it will be addressed. If budget or staffing constraints prevent you from addressing a risk immediately, document the alternative measures you have in place and the timeline for full remediation. OCR does not expect perfection. It expects honest documentation and reasonable progress.
Fourth, involve your leadership. The risk analysis is not an IT exercise - it is an organizational responsibility. Your CEO, administrator, or practice manager needs to understand the findings, approve the risk management plan, and allocate resources accordingly. When OCR investigates, they want to see evidence that leadership was informed and engaged.
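As an added example (not the SRA Tool and not OCR or ASTP code), the checks in the four steps above expressed as a small Python risk-register audit: the inventory, asset names, ratings, owners and dates are constructed for a hospital like the one in the opening scenario, and the 1-3 likelihood and impact scale is an assumption rather than anything the rule prescribes.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Risk:
    """One register row: an ePHI asset, a threat, ratings, and remediation."""
    asset: str
    threat: str
    likelihood: int | None = None    # 1 low .. 3 high; None = never rated
    impact: int | None = None        # 1 low .. 3 high; None = never rated
    owner: str | None = None         # who remediates (risk management plan)
    target_date: date | None = None  # when remediation is due

    def score(self) -> int | None:
        if self.likelihood is None or self.impact is None:
            return None
        return self.likelihood * self.impact

def audit_sra(inventory, risks, last_reviewed, today, max_age_days=365):
    """One finding per gap the text describes: asset missing from the register,
    stale review date, unrated risk, risk with no owner/target date."""
    findings = []
    covered = {r.asset for r in risks}
    for asset in inventory:
        if asset not in covered:
            findings.append(f"not enterprise-wide: {asset} has no risk entry")
    if today - last_reviewed > timedelta(days=max_age_days):
        findings.append(f"outdated: last reviewed {last_reviewed.isoformat()}")
    for r in risks:
        if r.score() is None:
            findings.append(f"unrated: {r.asset} / {r.threat}")
        if r.owner is None or r.target_date is None:
            findings.append(f"no linked management plan: {r.asset} / {r.threat}")
    return findings

def prioritize(risks):
    """Rated risks ordered by likelihood x impact, highest first."""
    rated = [r for r in risks if r.score() is not None]
    return sorted(rated, key=lambda r: r.score(), reverse=True)

# Constructed sample register for the Critical Access Hospital in the text.
INVENTORY = ["EHR", "Microsoft 365 email", "Patient portal (cloud)",
             "Infusion pump system", "Billing clearinghouse link", "MSP remote access"]
RISKS = [
    Risk("EHR", "ransomware via unpatched server", 3, 3, "IT admin", date(2026, 6, 30)),
    Risk("Microsoft 365 email", "phishing / account takeover", 3, 2, "IT admin", date(2026, 4, 30)),
    Risk("Patient portal (cloud)", "credential stuffing", 2, 3),  # rated, no plan
    Risk("MSP remote access", "shared vendor credentials"),        # listed, never rated
]
LAST_REVIEWED = date(2021, 3, 1)  # the stale "2021 analysis" from the opening

if __name__ == "__main__":
    for f in audit_sra(INVENTORY, RISKS, LAST_REVIEWED, date.today()):
        print("GAP:", f)
```

Running it against the sample register surfaces the infusion pumps and clearinghouse link that were never assessed, the 2021 review date, the vendor remote-access risk that was listed but never rated, and the two risks with no owner or deadline, which is the same set of gaps the settlements keep citing.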
For organizations that are also tracking the proposed HIPAA Security Rule update - which remains on OCR's regulatory agenda for potential finalization in May 2026 - a solid current risk analysis positions you well. The proposed rule would require a technology asset inventory and network map, updated annually, which maps directly to the ePHI inventory you should already be building. Getting your house in order under the current rule is the best preparation for whatever the final rule requires.
The Bottom Line
Risk analysis is not a checkbox. It is the foundation that every other piece of your HIPAA security program rests on. When that foundation is weak, missing, or outdated, everything else collapses under scrutiny - and OCR has demonstrated, settlement after settlement, that it knows exactly where to look.
OCR's 2024-2025 audit program is active. The Risk Analysis Initiative is producing enforcement actions at a steady pace. And the proposed Security Rule update, if finalized, will only raise the bar further.
If your Security Risk Analysis is a dusty document from three years ago that does not account for half the systems in your environment, the time to fix that is today. Not next quarter. Not when the new rule drops. Today.
The work is not glamorous. It is not a project that generates visible wins for your users or your leadership team. But it is the one thing OCR will ask for first when they come looking - and the one thing that determines whether your organization faces a settlement or walks away clean.
This article is for informational purposes only and does not constitute legal or compliance advice. Covered entities and business associates should consult qualified legal counsel or compliance professionals before making decisions pertaining to HIPAA or IT infrastructure.
Sources
- 45 CFR 164.308(a)(1) - Administrative Safeguards, Security Management Process. eCFR
- HHS Office for Civil Rights, "OCR's HIPAA Audit Program," 2024-2025 HIPAA Audits. HHS.gov
- HHS Office for Civil Rights, Resolution Agreements and Civil Money Penalties. HHS.gov
- HHS Office for Civil Rights, "HHS' OCR Settles HIPAA Security Rule Investigation with Top of the World Ranch Treatment Center," February 19, 2026. HHS.gov
- HHS Office for Civil Rights, "HHS' OCR Settles HIPAA Investigation of MMG Fusion, LLC Breach Affecting 15 Million Individuals," March 5, 2026. HHS.gov
- HHS Office for Civil Rights, "Guidance on Risk Analysis." HHS.gov
- HHS Office for Civil Rights and ASTP, Security Risk Assessment Tool v3.6. HealthIT.gov
- HHS Office for Civil Rights, HIPAA Security Rule NPRM. HHS.gov
- Feldesman LLP, "OCR's New Initiative Yields Seven HIPAA Enforcement Actions," April 2025. Feldesman.com
- McDonald Hopkins, "OCR announces 11th and 12th Risk Analysis Initiative enforcement actions," March 2026. McDonaldHopkins.com