With apologies to Santa:
You better mind risk (analysis).
You shouldn’t deny (access).
You better keep out those baddies who spy (with ransomware).
OCR is going to town!
With 2025 barely three weeks old, the US Department of Health and Human Services Office for Civil Rights (OCR) has already announced six enforcement actions for the new year. Particularly significant is the advancement of three OCR enforcement initiatives, the impact on business associates, and the sheer amount ($3 million!) of one negotiated settlement. OCR is clearly telegraphing priorities for the year ahead, and all regulated entities—covered entities and business associates alike—should respond accordingly.
OCR has three enforcement initiatives ongoing to address long-standing compliance trouble spots:
- Right of Access Initiative: This is the agency’s first and most populated initiative. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides individuals the right, with limited exceptions, to inspect and obtain a copy of protected health information (PHI) about them in a designated record set. There have been 52 enforcement actions in OCR’s Right of Access Initiative, often rooted in unreasonable delay, multiple patient requests, and provision of PHI only after a complaint is filed with OCR. The agency has been abundantly clear that a lack of access can impede the receipt of needed health care and that “[h]ealth care providers should get the message—loud and clear—when a patient seeks their medical information, you must provide it to them, period.”
- Risk Analysis Initiative: The HIPAA Security Rule requires a covered entity or business associate to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information [ePHI] held by” the entity. The analysis must be updated regularly to account for changes in the threat environment or the entity’s relevant administrative, physical, or technical profile. There have been enforcement actions in OCR’s Risk Analysis Initiative.
- Ransomware: Ransomware is a type of malicious software (malware) designed to deny an organization access to its data—typically by encrypting the data with a secret key—until the organization pays a ransom. According to OCR, ransomware and hacking are the “primary cyber threats in health care,” and large reported breaches involving ransomware have increased by 264% since 2018. Ransomware attacks often follow a deficient risk analysis. There have been 10 ransomware enforcement actions to date.
Highlights from the 2025 enforcement actions:
- Risk Analysis + Ransomware: A Michigan health care provider agreed to pay $10,000 and implement a two-year corrective action plan (CAP) after 15,298 patients’ ePHI was encrypted and exfiltrated in a ransomware attack. The provider had not conducted a compliant risk analysis. Per OCR, “One of the first steps in implementing effective cybersecurity in health care is assessing the potential risks and vulnerabilities to electronic protected health information. A failure to conduct a HIPAA risk analysis will leave a health care entity vulnerable to cyberattacks, such as hacking and ransomware—which is bad for our health care system and bad for patients. We can and must do better.”
- Right of Access: A Florida health system agreed to pay $60,000 to resolve administrative litigation—in lieu of a proposed $100,000 civil money penalty—after an individual alleged lack of timely access to PHI. The individual had made several requests using multiple channels but did not receive access until after OCR began an investigation. According to OCR, “[a] patient’s right to timely access their own health information is well-established by the HIPAA Privacy Rule. Health care entities must be responsive to their patients’ requests for their medical records. Patients should not have to file a complaint with OCR as a necessary step before receiving their records.”
- Phishing + Breach Notification: A health care provider agreed to pay $3,000,000 and implement a two-year CAP after a phishing incident compromised eight employees’ email accounts, affecting 114,007 individuals’ ePHI. A second breach occurred when the covered entity sent 1,531 notification letters to the wrong address. OCR also noted lack of a compliant risk analysis and risk management plan and emphasized: “[c]yberattacks have skyrocketed exponentially in recent years. Effective cybersecurity requires identifying potential risks and vulnerabilities to health information and implementing effective security measures to protect against them. Health care entities that fail to address identified cybersecurity issues leave themselves vulnerable to cyberattacks. OCR urges health care entities to prioritize securing their information systems and take all necessary steps to reduce and prevent cyberattacks and safeguard protected health information.”
- “Multiple Security Rule Failures”: A Florida business associate agreed to pay $337,750 and implement a two-year CAP after unauthorized third parties accessed a database over 3.5 months and deleted ePHI, affecting 2,903 individuals. OCR found multiple Security Rule violations, including lack of an accurate and thorough risk analysis and failure to regularly review information system activity and maintain “retrievable exact copies” of ePHI. OCR cautioned: “[h]ealth care entities need to ensure that they are proactively monitoring who is in their information systems, and that they have backup procedures in place to be able to create exact copies of the electronic protected health information they hold, in the event health information is held for ransom or deleted. Effective cybersecurity includes being able to restore access to electronic health information following a cybersecurity attack, so there is no interruption in the provision of health care.”
- Ransomware + Risk Analysis: A Virginia business associate (data hosting and cloud services provider) agreed to pay $90,000 and implement a one-year CAP after a ransomware attack compromised 12 covered entities’ ePHI. OCR’s investigation revealed the failure to conduct a compliant risk analysis. The agency admonished: “[a]n accurate and thorough risk analysis is foundational to both HIPAA Security Rule compliance and protecting health information from cyberattacks. Failure to conduct a risk analysis leaves health care entities exposed to future hacking and ransomware attacks. OCR urges health care entities to take the necessary steps to reduce risks and vulnerabilities and safeguard protected health information.”
- Ransomware + Risk Analysis: A Massachusetts business associate (electronic medical record and billing support provider) agreed to pay $80,000 and implement a three-year CAP after a ransomware attack compromised 31,248 individuals’ ePHI. The entity did not detect intrusion into its systems until a ransom note was found six days later. OCR’s investigation revealed lack of a compliant risk analysis. OCR emphasized: “[a] HIPAA-compliant risk analysis is not only required under the law, but is also an essential step in effective cybersecurity. The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronic protected health information have been assessed.”
These recent enforcement actions, coupled with OCR’s enforcement initiatives, provide important takeaways for covered entities and business associates alike. Put simply: Access and risk analysis should be a priority.
Trying to stay off the Naughty List? Review and refresh your policies, procedures, and workforce training for identifying and responding to access requests (they are not the same as requests with authorization!) and follow OCR’s suggested nonexclusive steps to mitigate or prevent cyber threats:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes regularly.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Use multifactor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access.
- Incorporate lessons learned from incidents into the overall security management process.
- Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical roles in protecting privacy and security.
While OCR’s emphasis on risk analysis is not new, the creation of the Risk Analysis Initiative and the spate of related enforcement actions in 2025 signal more to come.
If it has been a while since you last reviewed your risk analysis, and/or if you have implemented new technology (such as artificial intelligence) or other changes to your administrative, physical, or technical environment that impact ePHI, it is time to update your risk analysis, risk management plan, and workforce training.
We can help.