2025 Enforcement Trends: Risk Analysis Failures at the Center of HHS’s Multimillion-Dollar HIPAA Penalties
Wednesday, May 21, 2025

In the first five months of 2025, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced it had entered into ten Health Insurance Portability and Accountability Act (HIPAA) resolution agreements reflecting the settlement of alleged HIPAA violations stemming from data breaches reported to OCR. These settlements span both the Biden and Trump administrations and involve a wide range of covered entities and business associates, from small physician groups to larger hospital authorities and IT service providers. Despite the diversity of organizations and underlying incidents, however, OCR’s enforcement focuses appear strikingly consistent. Each announcement indicates the resolution agreement was intended to cure defects in basic HIPAA Security Rule compliance, with a common emphasis on each organization’s failure to conduct a thorough risk analysis consistent with the HIPAA Security Rule.

Quick Hits

  • The HIPAA Security Rule requires HIPAA-covered entities and business associates to complete a comprehensive risk analysis, aimed at identifying potential risks and vulnerabilities to the electronic Protected Health Information in their possession.
  • Since January 1, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights has announced ten resolution agreements with HIPAA-covered entities and business associates that have highlighted the relevant organization’s failure to adhere to the HIPAA Security Rule’s risk analysis requirements.
  • Penalties for these violations included civil monetary penalties from $25,000 to $3,000,000, and often included requirements to implement a corrective action plan mandating the completion of a risk analysis.

It is no secret that data breaches have many possible root causes, and this reality is reflected in the resolution agreements announced by HHS in the early months of 2025. Indeed, the nature of the underlying data breaches that prompted HHS’s inquiry into each affected entity’s HIPAA compliance posture varied meaningfully. Several involved ransomware attacks that infiltrated healthcare systems and affected patient data, as was seen in the resolution agreements HHS entered into with a New York neurology practice and a public hospital in Guam. Others were triggered by phishing schemes, such as a California health network where dozens of employee email accounts were compromised, exposing nearly 200,000 individuals’ records. There was also an incident of electronic Protected Health Information (ePHI) being left unsecured on internet-facing servers. In each instance, however, OCR’s investigation revealed that the affected organization had not met a fundamental HIPAA Security Rule requirement: conducting an enterprise-wide risk analysis. Accordingly, in each resolution, the regulator identified the entity’s failure to assess and address vulnerabilities in its systems in this manner as a major compliance gap.

The HIPAA Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” One of the methodologies required for meeting this standard involves completing a “risk analysis,” or an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].” The penalties assessed by OCR in 2025 for failing to do this are significant. The monetary fines announced in conjunction with the resolution agreements ranged from as little as $25,000 at the low end to as much as $3 million for a national medical supplier that did not conduct a “compliant risk analysis” and subsequently suffered a major data breach after a phishing incident. Other financial penalties fell in between, with midsized providers and service companies typically agreeing to five- or six-figure fines. Beyond the dollar amounts, however, the resolution agreements also included detailed corrective action plans, often requiring several years of close regulatory monitoring and mandating steps such as the completion of thorough risk analyses, implementation of risk management plans, completion of staff training, and regular updates to security policies, all with ongoing HHS involvement and oversight.

These recent OCR actions underscore that performing a HIPAA risk analysis is not an optional or “check-the-box” exercise for covered entities or business associates, but rather a critical compliance step that regulators are focusing on and actively enforcing. OCR has made risk analyses a focal point of its enforcement initiatives in 2025, signaling to the industry that no organization is too large or too small to be held accountable for this basic requirement. The message for covered entities and business associates is clear: a comprehensive risk analysis is one of the simplest and most effective tools to protect against data breaches, and failing to complete one can directly lead to regulatory scrutiny and meaningful financial consequences.

In light of this enforcement focus, healthcare organizations and companies that provide services to healthcare organizations will be well served to proactively prioritize regular risk analyses and security improvements. Ensuring that all ePHI is accounted for and safeguarded—before an incident happens—is not only a straightforward compliance task, but also a central enforcement focus.

More from Ogletree, Deakins, Nash, Smoak & Stewart, P.C.