Wyrick Robbins Yates & Ponton LLP

01/14/2025 | News release | Archived content

Analyze This: OCR Kicks Off 2025 with Two New HIPAA Enforcement Actions Against Business Associates as Part of New Risk Analysis Initiative

Just two weeks into the year, 2025 is already shaping up to be a busy year for privacy lawyers, especially those tasked with helping covered entities and business associates comply with the HIPAA Security Rule. As we discussed in our last post, HHS is proposing to overhaul the Security Rule to "clarify and provide more specific instructions" on the protection of Protected Health Information ("PHI") and impose more robust requirements for assessments, technical and administrative safeguards, and oversight of business associates.

Meanwhile, OCR is also stepping up its focus on a key provision in the existing Security Rule: risk analysis. To that end, OCR announced last week two new enforcement actions as part of the office's "Risk Analysis Initiative." First announced in connection with a ransomware settlement last Halloween, the Risk Analysis Initiative, according to OCR, is intended "to highlight the need for more attention and better compliance" with, and "to increase the number of completed investigations" regarding, the risk analysis requirement.

Last week's enforcement actions both arose from ransomware incidents (another recent focus of OCR ire) suffered by business associates: Elgon Information Systems, a business associate that provided electronic medical record and billing support services, and VPN Solutions, a business associate that provided data hosting and cloud services. In each case, OCR's investigation determined the company failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems. And each company agreed to a settlement that requires a substantial monetary payment ($80,000, in Elgon's case, and $90,000, in VPN's case) and for the company to (i) review and update its risk analysis and (ii) implement an enterprise-wide risk management plan to address and mitigate any identified risks.

These enforcement actions, and OCR's pursuit of the new Risk Analysis Initiative, teach some important lessons about risk analysis for covered entities and business associates looking to avoid falling within OCR's enforcement crosshairs.

Risk Analysis Should Be a Priority for Covered Entities and Business Associates Alike

One clear takeaway from the Elgon and VPN Solutions settlements is that risk analysis is and will continue to be, in the words of OCR, "the foundation for effective cybersecurity and the protection of ePHI" for covered entities and business associates alike.

In a sense, that's always been the case: labeling the latest round of investigations as an official "Initiative" just highlights a subject that has already been a consistent focus of OCR's Security Rule enforcement efforts. Failure to conduct an accurate and thorough risk analysis has regularly been cited as a violation in Security Rule enforcement actions stretching back to at least 2012. Still, the "Initiative" label is ominous and suggests there's a lot more to come: OCR's other major enforcement initiative, the Right of Access Initiative, has led to 50 enforcement actions and settlements in the last five years.

Both covered entities and business associates should therefore prioritize compliance with the Security Rule's risk analysis requirements, which are found at 45 CFR 164.308(a)(1)(ii)(A).

Risk Analysis ≠ Gap Analysis

In our experience, a common misconception is that conducting a risk analysis means assessing whether and how an entity has implemented the safeguards required by the Security Rule. As OCR made clear in a 2018 newsletter, however, that's not the case.

Instead, as the newsletter explains, the risk analysis required under the Security Rule must comprehensively assess the risks and vulnerabilities to "all of an entity's ePHI" (emphasis in the original) and include:

  • identification of the locations, systems, and applications that handle ePHI;
  • identification of potential threats and vulnerabilities;
  • assessment of the effectiveness of current security controls;
  • determination of the likelihood that a particular threat will trigger or exploit a particular vulnerability, and the corresponding impact;
  • determination of the risk level for each of the threat and vulnerability combinations identified by the risk analysis; and
  • documentation of each of these activities to demonstrate that the risk analysis was conducted in an accurate and thorough manner.

A gap analysis, by contrast, maps an entity's current practices against the standards and implementation specifications in the Security Rule. To be sure, that sort of analysis, which measures compliance with the Security Rule rather than assessing the risks to ePHI held by the entity, can facilitate compliance with other parts of the Security Rule, including the Evaluation Standard. But as OCR's newsletter makes clear, it won't satisfy the Security Rule's risk analysis requirement.

What Gets Analyzed Must Get Managed

The Elgon and VPN Solutions settlements also highlight the Security Rule's requirement for covered entities and business associates to "[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level." In other words, risk analysis is just one step in the Security Rule-required risk management process: once the risk analysis is complete and the threats and vulnerabilities to ePHI have been identified and assessed, the entity must then implement an enterprise-wide plan to manage and reduce the corresponding risk level.

As explained in its 2019 Guidance on Risk Analysis, OCR expects this "integrated risk analysis and risk management process" to be performed in a timely manner as new technologies and business operations are planned and other developments occur.
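To make the distinction between the two analyses concrete, and to show how the risk analysis steps listed above feed the risk management plan the settlements require, here is an added illustrative example in Python. It is not code from the Wyrick Robbins release, from OCR, or from any guidance document: the ePHI assets, threat/vulnerability pairs, the 1 to 5 likelihood and impact scales, the rule that each point of control effectiveness lowers likelihood by one, and the High/Medium/Low thresholds are all constructed assumptions for illustration. A real analysis would use the entity's own inventory and a documented scoring method.

```python
"""Illustrative HIPAA risk analysis and risk management workflow.

Added example, not part of the original release or any OCR guidance.
Every asset, threat, vulnerability and scale below is a constructed sample.
"""
from __future__ import annotations
from dataclasses import dataclass


# Step 1: inventory of the locations, systems and applications that handle ePHI.
@dataclass(frozen=True)
class EphiAsset:
    name: str
    location: str   # physical site or hosting environment
    system: str     # system or application that stores or transmits the ePHI


# Steps 2 to 5: one row per threat/vulnerability pair on an asset, with the
# current control, its effectiveness, inherent likelihood and impact.
@dataclass
class RiskItem:
    asset: EphiAsset
    threat: str
    vulnerability: str
    control: str
    control_effectiveness: int  # assumed scale: 0 (none) .. 3 (strong)
    inherent_likelihood: int    # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                 # assumed scale: 1 (negligible) .. 5 (severe)

    @property
    def residual_likelihood(self) -> int:
        # Assumption: each effectiveness point lowers likelihood by one, floor of 1.
        return max(1, self.inherent_likelihood - self.control_effectiveness)

    @property
    def score(self) -> int:
        return self.residual_likelihood * self.impact

    @property
    def level(self) -> str:
        return rate(self.score)


def rate(score: int) -> str:
    """Map a likelihood x impact product (1..25) to a level; thresholds are assumed."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def build_risk_register() -> list[RiskItem]:
    """Constructed sample register for a small business associate (not real data)."""
    emr = EphiAsset("EMR database", "colocation data center", "database cluster")
    backups = EphiAsset("Nightly backups", "cloud object storage", "backup service")
    laptops = EphiAsset("Billing staff laptops", "remote offices", "endpoint fleet")
    return [
        RiskItem(emr, "ransomware via remote access", "remote access without MFA",
                 "password policy only", 1, 5, 5),
        RiskItem(backups, "backup destruction during ransomware",
                 "backups writable from production", "none", 0, 4, 5),
        RiskItem(laptops, "device theft", "ePHI cached on disk",
                 "full-disk encryption enforced", 3, 3, 4),
    ]


def risk_management_plan(register: list[RiskItem], acceptable: str = "Low") -> list[RiskItem]:
    """'What gets analyzed must get managed': rank the register by score and return
    every item above the acceptable level; each of these needs a mitigation owner."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [r for r in ranked if order[r.level] < order[acceptable]]


def document(register: list[RiskItem]) -> list[dict]:
    """Step 6: a record of each activity, in a form that can be shown to an auditor."""
    return [{
        "asset": r.asset.name, "system": r.asset.system, "location": r.asset.location,
        "threat": r.threat, "vulnerability": r.vulnerability, "control": r.control,
        "residual_likelihood": r.residual_likelihood, "impact": r.impact,
        "score": r.score, "level": r.level,
    } for r in register]


def gap_analysis(implemented: dict[str, bool]) -> list[str]:
    """A gap analysis answers a different question: which safeguards are missing?
    Note it carries no asset, threat, likelihood or impact information, which is
    why it does not satisfy the risk analysis requirement on its own."""
    return [safeguard for safeguard, done in implemented.items() if not done]


if __name__ == "__main__":
    register = build_risk_register()
    for row in document(register):
        print(row)
    print("Needs mitigation:", [r.asset.name for r in risk_management_plan(register)])
    # Placeholder safeguard names, constructed for the example.
    print("Gaps:", gap_analysis({"access control": True, "audit controls": False}))
```

Running the module ranks the two High items (the EMR database and the backups, both scoring 20) into the management plan, while the laptop item drops to Low because the encryption control reduces its residual likelihood to the floor. The gap analysis output, by contrast, is only a list of safeguard names: it says nothing about where ePHI lives or how likely or severe a compromise would be, which is the information OCR expects the risk analysis to produce.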

* * * *

If you would like to discuss strategies for complying with the Security Rule's risk analysis and risk management requirements, please contact any member of the Wyrick Robbins Privacy and Data Security team.