Following the Office for Civil Rights' (OCR) recent publication of four settlements as part of a new Risk Analysis Audit Initiative, we explore the current regulatory language for Risk Analysis, the proposed language for Risk Analysis from the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Notice of Proposed Rule Making (NPRM), the implications of the regulatory freeze by the Trump Administration, and key insights for entities subject to these regulations.
Current Regulation and Risk Analysis Initiative
The current HIPAA Security Rule defines Risk Analysis as: “Conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity or business associate.”[1] Based on the current language, a Risk Analysis should include: (1) the identification of all electronic protected health information (ePHI) that is created, received, transmitted, or maintained by a regulated entity; (2) identification of external sources of ePHI (vendors and business associates); (3) identification of threats to the ePHI; and (4) identification of potential risks associated with legacy devices and with replacing such legacy devices. It is important to point out that there is no defined process as to what constitutes a Risk Analysis. However, OCR and the National Institute of Standards and Technology (NIST) have provided various guidelines and tools that demonstrate how to conduct a Risk Analysis.
The Risk Analysis Audit Initiative began with an OCR settlement on October 31, 2024, resulting from a cybersecurity incident.[2] OCR quickly announced three more settlements under the Risk Analysis Initiative,[3] the last of them on January 15, 2025.[4] All four settlements involved a reported breach and alleged that a covered entity violated the HIPAA Security Rule as a result of a ransomware attack. These settlements demonstrate OCR's commitment to the Risk Analysis Initiative and signal that it will remain a focus of upcoming settlements. Upon a review of the recommendations included in the settlements, we have identified the following criteria that OCR reviews can use to determine whether a proper Risk Analysis has been documented: (1) conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; (2) implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in a risk analysis; and (3) regularly integrating risk analysis and risk management measures into business processes.[5]
A proper understanding of what OCR deems an appropriate risk analysis, and implementation of that risk analysis, must be a top priority for all compliance, privacy, and security personnel. Currently, entities can evaluate the NIST Cybersecurity Framework[6] and the Health and Human Services (HHS) Guidance on Risk Analysis.[7]
Proposed NPRM
The recent HIPAA Security Rule NPRM indicates that OCR expects regulated entities to conduct a proper Risk Analysis. Specifically, the NPRM states that:
“…in 2016 and 2017, the Department conducted audits of 166 covered entities and 41 business associates for their compliance with selected provisions of the HIPAA Rules.[474] These audits confirmed that only small percentages of covered entities (14 percent) and business associates (17 percent) were substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities. Entities generally failed to:
- Identify and assess the risks to all of the ePHI in their possession or even develop and implement policies and procedures for conducting a risk analysis.
- Identify threats and vulnerabilities to consider their potential likelihoods and effects, and to rate the risk to ePHI.
- Review and periodically update a risk analysis in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
- Conduct risk analyses consistent with policies and procedures.”[8]
The NPRM submits that, because OCR has consistently found Risk Analyses to be inaccurate or incomplete, the Department has determined to specify a list of items that a written assessment must include. The NPRM also proposes that the written assessment must be reviewed and updated on an ongoing basis, but at least every 12 months or in response to changes in environment or operations. The proposed language has the positive effect of clearly delineating what each regulated entity must include as part of a Risk Analysis. Additionally, most of the proposed implementation specifications have already been discussed in past guidance and in the NIST Cybersecurity Framework.
The proposed changes are now under the federal regulatory freeze put in place by the new Trump administration. Hence, the comment period, which was set to end on March 7, 2025, is on hold, as are the evaluation and adoption of the proposed changes. All regulated entities should closely monitor news from HHS on the matter to understand whether the department plans to keep the proposed changes. While this proposed update to the HIPAA Security Rule has been put on hold, its language gives covered entities and business associates an inside look at what the government may examine to determine whether a Risk Analysis has been completed appropriately. At the same time, regulated entities must continue to conduct risk analysis under the current HIPAA Security Rule in order to identify vulnerabilities and determine how to mitigate them.
Conducting a Comprehensive Risk Analysis
By conducting a comprehensive risk analysis and creating a risk management plan, organizations can not only demonstrate compliance with HIPAA requirements when faced with an inquiry or investigation but also strategically plan their compliance activities. Ankura's team of experts conducts frequent risk analyses covering both the security and privacy aspects of the HIPAA regulations and recommends the following steps.
- Review current written policies and procedures and map to HIPAA regulations.
- Identify where ePHI data is stored, received, maintained, or transmitted.
- Interview stakeholders and compliance individuals to discuss processes and controls around ePHI management, including security and privacy.
- Identify and document potential threats and vulnerabilities that could lead to inappropriate access to or disclosure of ePHI data.
- Analyze current security measures (including technical and non-technical measures) implemented to minimize or eliminate risks to ePHI data.
- Document all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability, and integrity of ePHI data.
- Determine the magnitude or criticality of harm that could result from each identified threat or exploited vulnerability.
- Cross-reference the likelihood of occurrence of each threat or vulnerability exploitation with the magnitude of resulting harm.
- Compile a detailed risk assessment that outlines control gaps to correct in order to achieve compliance with applicable regulations and manage risks.
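As an added illustration of the last four steps above (not part of the Ankura article or any OCR or NIST tool), the following small ePHI risk register cross-references a likelihood rating with a magnitude-of-harm rating for each threat/vulnerability pair and lists the control gaps to carry into the written assessment. The three-level scales, the scoring thresholds, and the sample entries are constructed assumptions.

```python
"""Constructed ePHI risk register: likelihood x magnitude scoring and control-gap listing."""
from dataclasses import dataclass, field

# Assumption: three-level qualitative scales; a real register may use five levels.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class RiskItem:
    threat: str                # who or what could act against the ePHI
    vulnerability: str         # weakness the threat could exploit
    affected: tuple            # subset of ("confidentiality", "integrity", "availability")
    likelihood: str            # rating after accounting for existing controls
    magnitude: str             # criticality of harm if the vulnerability is exploited
    controls: list = field(default_factory=list)  # measures already in place
    score: int = field(init=False)
    level: str = field(init=False)

    def __post_init__(self):
        # Cross-reference likelihood with magnitude of harm (assumed thresholds).
        self.score = LEVELS[self.likelihood] * LEVELS[self.magnitude]
        self.level = "high" if self.score >= 6 else "moderate" if self.score >= 3 else "low"


def rank_register(items):
    """Return entries ordered highest risk first, ties broken by magnitude of harm."""
    return sorted(items, key=lambda r: (r.score, LEVELS[r.magnitude]), reverse=True)


def control_gaps(items, threshold="moderate"):
    """Entries at or above the threshold with no documented control: the gaps to correct."""
    min_score = {"low": 1, "moderate": 3, "high": 6}[threshold]
    return [r for r in items if r.score >= min_score and not r.controls]


# Constructed sample entries for illustration only.
SAMPLE = [
    RiskItem("ransomware operator", "unpatched remote-access appliance",
             ("confidentiality", "availability"), "high", "high"),
    RiskItem("lost laptop", "unencrypted local storage of ePHI",
             ("confidentiality",), "moderate", "high", ["asset inventory"]),
    RiskItem("insider", "shared EHR credentials",
             ("confidentiality", "integrity"), "moderate", "moderate", ["quarterly access review"]),
    RiskItem("power outage", "single data center",
             ("availability",), "low", "low", ["UPS"]),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE):
        print(f"{r.level:8} {r.score}  {r.threat} / {r.vulnerability}")
    print("control gaps:", [g.vulnerability for g in control_gaps(SAMPLE)])
```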
[1] 45 C.F.R. 164.308(a)(1)(ii)(A) – Risk Analysis (Required)
[2] https://public3.pagefreezer.com/browse/HHS.gov/02-01-2025T05:49/https://www.hhs.gov/about/news/2024/10/31/hhs-office-for-civil-rights-settles-hipaa-ransomware-cybersecurity-investigation-for-90000-dollars.html
[3] https://www.hhs.gov/about/news/2025/01/07/hhs-office-civil-rights-settles-9th-ransomware-investigation-virtual-private-network-solutions.html ; https://www.hhs.gov/about/news/2025/01/07/hhs-office-civil-rights-settles-8th-ransomware-investigation-elgon-information-systems.html
[4] https://www.hhs.gov/about/news/2025/01/15/hhs-office-civil-rights-settles-hipaa-ransomware-cybersecurity-investigation-northeast-surgical-group.html
[5] https://www.hhs.gov/about/news/2025/01/15/hhs-office-civil-rights-settles-hipaa-ransomware-cybersecurity-investigation-northeast-surgical-group.html
[6] https://www.nist.gov/cyberframework
[7] https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
[8] https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.