HIPAA Fines Hit $1.7 Million for Risk Analysis Failures

"Hacking and ransomware are the most frequent type of large breach reported to OCR," said Paula Stannard, OCR director, in a statement.

HHS OCR findings and the financial tally

The U.S. Department of Health and Human Services' Office for Civil Rights concluded that poor or missing security risk analyses led to ransomware compromises that exposed electronic protected health information (ePHI) for roughly 427,000 individuals. OCR announced resolution agreements totaling $1.7 million in civil money penalties across four regulated entities. The agency framed the enforcement actions as a consequence of failing to carry out “accurate, timely and thorough” assessments required by the HIPAA Security Rule.

Who paid what — four settlements named

OCR detailed four settlements: a $375,000 agreement with Assured Imaging Affiliated Covered Entities, a medical imaging and screening service provider; a $320,000 settlement with Regional Women’s Health Group, which does business as Axia Women’s Health; a $245,000 settlement with Star Group, L.P. Health Benefits Plan (SG Health Plan); and a $225,000 settlement with Consociate Health, a third‑party administrator of employee‑sponsored benefit programs.

OCR also reported that the 2020 PYSA ransomware attack on Assured Imaging encrypted and stole patient data, affecting nearly 245,000 individuals. In Assured Imaging’s case OCR said the organization "never conducted a compliant" risk analysis.

Risk‑analysis failures OCR repeatedly finds

OCR’s enforcement message centers on recurring errors in how covered entities and business associates approach risk analysis. Key omissions cited include not conducting a risk analysis at all, conducting a risk analysis but failing to document it, taking no demonstrable remediation actions, and performing a compliance gap assessment in place of a full security risk analysis.

Keith Fricke, partner and principal consultant at security and privacy consultancy tw‑Security, explained the distinction: "OCR will not recognize a gap assessment as a risk analysis." He added that a gap analysis looks for the existence of policies and procedures, whereas "A risk analysis identifies reasonably anticipated threats, controls, vulnerabilities, a risk ranking and an action plan." Fricke further stressed that a proper HIPAA risk analysis must include all systems that store, process, or transmit ePHI.

Other common pitfalls highlighted in the OCR actions include carrying unresolved risks forward year‑to‑year and treating risk identification as a paperwork exercise rather than the basis for remediation. Kerry McConnell, a partner at tw‑Security, noted that budget constraints and lack of internal expertise often explain why organizations fail to complete thorough analyses: "Budget is often a primary factor, especially for small healthcare organizations. Some organizations know they are obligated to address risk findings once those risks are identified. Ignorance is not bliss - it can be seen as willful neglect."

Corrective action plans and federal monitoring

Each resolution agreement requires corrective action plans and two years of monitoring by OCR. The corrective actions mandate that the entities "conduct and document accurate and thorough assessments of the potential security risks and vulnerabilities to the confidentiality, integrity and availability of all their ePHI" and implement security measures to address and mitigate identified problems.

OCR also offers a free Security Risk Analysis tool intended to guide users through the assessment process via a wizard-based approach that covers multiple-choice questions, threat and vulnerability assessments, and asset and vendor management.

What this means for technologists, regulators, and affected enterprises

  • Technologists and security teams: The story underscores the practical steps experts recommend — create and maintain an inventory of all ePHI systems, assess them against threats, document controls and vulnerabilities, assign risk scores, and track remediation. As Fricke advised: "Assign risk scores, create an action plan and track remediation."
  • Regulators and policymakers: OCR’s enforcement continues to prioritize demonstrable risk analysis and remediation. The agency has also flagged that a proposed update to the HIPAA Security Rule is more prescriptive about what a risk analysis must include; OCR "has not yet said how it might proceed with the proposed update to the HIPAA security rule."
  • Affected enterprises and procurement leaders: Organizations with limited budgets should weigh external assessment costs against potential enforcement penalties and breach fallout. McConnell urged pragmatism: "Don’t overthink it. Start small if necessary" and "Don’t be afraid to get help - even if only every other year."
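As an added illustration (not code from the article, OCR or tw-Security), the following Python risk register models the elements Fricke lists for a real risk analysis, an ePHI asset inventory, threat and vulnerability pairs with existing controls, a risk ranking and an action plan, and adds checks for the two pitfalls the article names: ePHI systems left out of the analysis and unresolved risks carried forward from a prior year. All system names, findings and scores are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One risk-analysis entry: a threat acting on a vulnerability of an ePHI system."""
    system: str          # asset that stores, processes or transmits ePHI
    threat: str          # reasonably anticipated threat
    vulnerability: str   # weakness the threat could exploit
    likelihood: int      # 1 (rare) .. 5 (expected)
    impact: int          # 1 (negligible) .. 5 (severe loss of C/I/A of ePHI)
    control: str = ""    # existing safeguard, empty if none
    first_seen: int = 0  # review year in which the risk was first identified
    remediated: bool = False

    @property
    def score(self) -> int:
        # Simple likelihood x impact ranking; an organization may use its own scale.
        return self.likelihood * self.impact


def rank(findings):
    """Risk ranking, highest score first."""
    return sorted(findings, key=lambda f: f.score, reverse=True)


def action_plan(findings, threshold=10):
    """Open findings at or above the threshold become tracked remediation items."""
    return [(f.system, f.threat, f.score)
            for f in rank(findings) if not f.remediated and f.score >= threshold]


def carried_forward(findings, review_year):
    """Unresolved risks identified in an earlier review period (the pitfall OCR cites)."""
    return [f for f in findings if not f.remediated and f.first_seen < review_year]


def unassessed_systems(inventory, findings):
    """ePHI systems in the inventory that no finding covers: the analysis is incomplete."""
    return sorted(set(inventory) - {f.system for f in findings})


# Constructed sample inventory and findings (hypothetical, not from any real entity).
INVENTORY = ["PACS server", "billing database", "radiology laptops", "backup NAS"]
REVIEW_YEAR = 2025
FINDINGS = [
    Finding("PACS server", "ransomware", "unpatched remote access", 4, 5, "", 2023),
    Finding("billing database", "ransomware", "no offline backups", 3, 5,
            "nightly backups to NAS", 2025),
    Finding("radiology laptops", "device theft", "no full-disk encryption", 3, 4,
            "", 2025, remediated=True),
]
```

Running `action_plan(FINDINGS)`, `carried_forward(FINDINGS, REVIEW_YEAR)` and `unassessed_systems(INVENTORY, FINDINGS)` together produces the ranked action items, the stale unresolved risk and the ePHI system the analysis missed, which is the documented evidence OCR's corrective action plans ask for.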

OCR’s actions deliver a blunt, repeated lesson: without documented, actionable risk analysis and follow‑through, covered entities expose patient data and invite civil penalties. The agency’s use of corrective action plans and two years of monitoring signals it will look for evidence that risk recognition actually led to risk reduction — and OCR has highlighted that a forthcoming, more prescriptive Security Rule could codify those expectations further. For now, the record is simple and stern: gaps in risk analysis have cost four firms $1.7 million and affected hundreds of thousands of patients.