
A Year in Review: Lessons for Business Associates After One Year into OCR's Risk Analysis Initiative

OCR's Risk Analysis Initiative has reshaped HIPAA enforcement toward Business Associates. Learn what's required and how to avoid penalties in this comprehensive review.


Adrien Guttman
January 20, 2026

As 2025 came to a close, OCR made it explicit: businesses' failure to carry out an "accurate and thorough" risk analysis under the HIPAA Security Rule would be a central focus for the department going forward. Since then OCR's Risk Analysis Initiative has quickly reshaped HIPAA enforcement, notably toward Business Associates (BAs), who have increasingly become targets of HHS enforcement actions and financial penalties. Now more than ever, Business Associates hoping to avoid penalties must understand what is being required of them under HIPAA, especially when it comes to their risk analysis practices.

The Launch of OCR's Risk Analysis Initiative

OCR launched the Risk Analysis Initiative in late October 2024 as part of a broader departmental enforcement push, hoping to reduce ransomware and other cyber incidents affecting ePHI. Statistics have shown an upward trend in healthcare data breaches over the past 14 years, with no sign of decrease.1 Faced with this unprecedented rise, OCR has increasingly focused enforcement actions on businesses that failed to meet the foundational safeguard for protecting ePHI: completing an accurate and thorough risk analysis. OCR's argument is that if the baseline risk analysis is not performed or performed insufficiently, all the other cascading safeguards and processes implemented to protect ePHI will also be insufficient, placing ePHI at exponentially increased risk. As former OCR Director Anthony Archeval asserts, "Effective cybersecurity requires proactively implementing the HIPAA Security Rule requirements before a breach or cybersecurity incident occurs."2

Impact on Business Associates

This initiative has resulted in increased investigations of Covered Entities (CEs) and BAs alike, but the sharpest increase has been in investigations of BAs. Since the HITECH Omnibus Rule took effect in 2013, BAs have been directly subject to OCR enforcement and can be investigated and penalized directly. Having signed Business Associate Agreements (BAAs), BAs are treated as equivalent to CEs when it comes to the expectation of compliance with the Security Rule. Now under increased scrutiny due to the Risk Analysis Initiative, BAs are expected to understand and comprehensively implement the HIPAA requirements they have agreed to in their BAAs. It has never been more important for BAs to scrutinize, assess, and implement the procedures they have agreed to in these agreements.

Enforcement Actions: A Pattern of Failure

Looking at the enforcement actions against Business Associates since the beginning of the Risk Analysis Initiative, OCR consistently lists the BA's failure to conduct an accurate and thorough risk analysis as the primary reason for the enforcement action. This is found in OCR's resolution agreements with Virtual Private Network Solutions, LLC (a.k.a. "VPN Solutions"),3 Elgon, Inc.,4 and Comstar, LLC.5 Each of these cases stemmed from a BA reporting to HHS following a ransomware attack, and the resulting investigation found that the reporting business had failed to conduct an accurate and thorough risk analysis.

This widespread failure to conduct acceptable risk analyses has many layers, but one notable factor is a lack of consensus on what constitutes an accurate and thorough risk analysis. The HHS Guidance on Risk Analysis links to a Security Risk Assessment (SRA) Tool, specifically meant to assist small and medium-sized CEs and BAs with Security Rule compliance.6 Yet, as of November 2025, the tool has not been available for months.7 The tool's absence exemplifies how smaller businesses struggle to ensure that their privacy practices and risk analyses are sufficiently accurate and thorough to meet Security Rule compliance.

The Flexibility Paradox

Throughout the Guidance, OCR emphasizes that the Security Rule is "not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement." This is not unique to the Guidance, but is baked into HIPAA's Security Rule. There is no single methodology that CEs or BAs can follow to ensure that their risk analyses are sufficient. By not providing a strict definition of an accurate and thorough risk analysis, the Security Rule intends to accommodate the fact that risk analysis methods vary in effectiveness depending on the size, complexity, and capabilities of each organization. This flexibility allows the business in question to adopt the methods and practices that best suit its organization.

However, as a result of this adaptability, no single approach can definitively answer whether individual businesses' practices are sufficient to avoid penalties should they fall victim to a ransomware attack or data breach. Instead, OCR's Guidance provides recommendations based on the National Institute of Standards and Technology (NIST) guidelines for federal agencies, which offer valuable and worthwhile models for risk analysis that CEs and BAs can adopt.8 Furthermore, a more comprehensive view of the HIPAA Security Rule may help businesses meet their risk analysis requirements. The Security Rule establishes both required and addressable safeguards, but the Guidance asserts that "addressable" does not mean "optional." Rather, addressable specifications should be adopted, unless "an organization determines that the implementation specification is not reasonable and appropriate," and if so, the organization "must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so."9 Essentially, businesses should assume that addressable provisions apply, unless they can prove that they do not. By taking a more comprehensive view of the addressable provisions in the HIPAA Security Rule, businesses would be better equipped to face an OCR investigation with confidence that their risk analysis procedures and safeguards for ePHI will meet HIPAA's standards.

What This Means for Business Associates

Considering the increased focus OCR is placing on risk analysis in its investigations, the flexibility inherent in the Security Rule cannot be interpreted as leniency in enforcement actions. To assert that they have completed a risk analysis, Business Associates must have a comprehensive understanding of the vulnerabilities and threats to ePHI that exist within their environment. Likewise, BAs must factor their awareness of the increase in breaches and ransomware attacks within the health information space into their risk analysis procedures. OCR's guidance is clear that the flexibility in the Security Rule must be interpreted as encouraging businesses to adopt comprehensive and organization-specific risk analysis procedures, rather than mere compliance with the most surface-level reading of the required aspects of the Security Rule.

Conclusion

While changes to HIPAA can be expected in the near future, as it currently stands Business Associates cannot rely on a minimum-necessary approach to protecting ePHI and preventing breaches. Risk analysis procedures must take into account a realistic view of the threats faced by ePHI, including the increased likelihood of large-scale ransomware attacks. As enforcement actions increase to address the threat to individuals' health data, proactive and comprehensive risk analysis procedures are BAs' best bet to avoid penalties and protect sensitive health data. Moreover, as BAs' HIPAA compliance falls under greater scrutiny, BAs must actively ensure that their BAAs are HIPAA-compliant when signing.

References

1. Alder, Steve. "Healthcare Data Breach Statistics." The HIPAA Journal, October 26, 2025.

2. U.S. Department of Health and Human Services, Office for Civil Rights. "HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Neurology Practice." HHS Press Room, April 25, 2025.

3. U.S. Department of Health and Human Services. "VPNs Resolution Agreement and Corrective Action Plan." HIPAA Compliance & Enforcement (HHS), January 6, 2025.

4. U.S. Department of Health and Human Services. "Elgon Inc. Resolution Agreement and Corrective Action Plan." HIPAA Compliance & Enforcement (HHS).

5. U.S. Department of Health and Human Services. "HHS HIPAA Agreement with Comstar." HIPAA Compliance & Enforcement (HHS).

6. U.S. Department of Health and Human Services. "Guidance on Risk Analysis under the HIPAA Security Rule." HIPAA for Professionals — Security Guidance (HHS).

7. U.S. Office of the National Coordinator for Health Information Technology. "Meaningful Use Maintenance Site." HealthIT.gov.

8. U.S. Department of Commerce, National Institute of Standards and Technology. NIST Special Publication 800-66 Revision 2: Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide. February 2024. Available at: csrc.nist.gov.

9. U.S. Department of Health and Human Services. "Guidance on Risk Analysis under the HIPAA Security Rule." HIPAA for Professionals — Security Guidance (HHS).