
OCR Is Enforcing Again. 12 Actions and Counting.

Tech for Senior Living

For years, the conventional wisdom among small healthcare organizations was that the Office for Civil Rights (OCR) only went after large health systems. Small operators flew under the radar. That was never entirely true, but in 2026 it is definitively false.

OCR has settled 12 enforcement actions under its Risk Analysis Initiative, a program launched in 2024 that specifically targets organizations involved in hacking-related breaches where the investigation reveals one consistent finding: no documented risk analysis.

Every single enforcement action. The same root cause.

What the Risk Analysis Initiative Targets

The HIPAA Security Rule requires every covered entity and business associate to conduct an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of the electronic Protected Health Information (ePHI) it creates, receives, maintains, or transmits (45 CFR 164.308(a)(1)(ii)(A)). This is not a new requirement; it has applied since the Security Rule's 2005 compliance date. What has changed is how aggressively OCR is enforcing it.

When a breach is reported to OCR, the first document investigators request is the organization's risk analysis. If it does not exist, is outdated, or identifies risks without documenting how they were addressed, OCR has the basis for an enforcement action regardless of what caused the breach itself.

The most recent settlement, announced March 5, 2026, involved MMG Fusion, a Maryland-based software company that experienced a breach affecting 15 million individuals. OCR found three violations: impermissible disclosure of PHI, failure to conduct an accurate risk analysis, and failure to notify affected covered entities. The settlement included a three-year corrective action plan.

The Enforcement Scope Is Expanding

OCR Director Paula Stannard confirmed that the initiative is expanding in 2026 to cover not just whether a risk analysis was performed, but whether identified risks were actually mitigated. This is a significant shift.

Previously, an organization could check the compliance box by completing a risk assessment, documenting the findings, and filing it. Under the expanded initiative, OCR will evaluate whether the risks identified in the analysis were addressed with specific, documented remediation actions. A risk analysis that identifies "lack of encryption" as a high risk, followed by no evidence of encryption being implemented, is now an enforcement trigger.

OCR has also named its three enforcement priorities for 2026: risk analysis failures, ransomware incidents, and right-of-access violations. Supply chain security is called out as the biggest emerging enforcement gap.

What This Means for Senior Living

Senior living communities that provide health care and bill for it electronically, which describes nearly every assisted living, memory care, and skilled nursing operation, are covered entities under HIPAA and must have a current risk analysis on file. (Covered-entity status turns on being a health care provider that conducts standard electronic transactions; a community that holds resident health information purely as a landlord may fall outside the rule, but that is the exception, and state privacy law still applies.) The business associates serving those communities, including managed IT providers, have their own independent risk analysis obligations under the Security Rule.

Three realities make this especially urgent for senior living operators.

State surveyors can request HIPAA documentation. While OCR handles federal HIPAA enforcement, state health department surveyors conducting licensure inspections can and do ask for evidence of HIPAA compliance. A missing risk analysis can become a survey finding independent of any breach.

Business associate breaches trigger covered entity obligations. If your IT provider, EHR vendor, or billing platform is breached, you as the covered entity must be notified and may need to report to OCR. The MMG Fusion case is instructive: the business associate's breach affected the covered entities it served, and OCR found that the BA failed to notify them. Your business associate agreements should specify notification timelines, and you should verify that your vendors can meet them.

Portfolio operators face multiplicative exposure. An operator managing five communities that all use the same IT infrastructure and the same risk analysis process has five times the regulatory exposure if that process is deficient. A single missing risk analysis becomes five missing risk analyses in the eyes of OCR.

What a Compliant Risk Analysis Looks Like

A risk analysis that will satisfy OCR scrutiny includes five components.

  1. System inventory. A documented list of all systems that store, process, or transmit ePHI. This includes workstations, servers, cloud applications, mobile devices, and increasingly IoT devices like nurse call systems that integrate with clinical platforms.
  2. Threat and vulnerability identification. For each system, what are the realistic threats (ransomware, unauthorized access, device theft, vendor breach) and what vulnerabilities exist (unpatched software, weak authentication, unencrypted storage)?
  3. Risk rating. An assessment of the likelihood and potential impact of each identified threat-vulnerability pair. This does not need to be a complex quantitative model. It needs to be documented and defensible.
  4. Current controls. What security measures are already in place for each identified risk? Multi-factor authentication, endpoint detection, encrypted backups, access controls, training programs.
  5. Risk treatment plan. For each risk that is not fully mitigated by current controls, what specific action will be taken, by whom, and by when? This is the component that OCR's expanded initiative is now evaluating. The plan must show evidence of execution, not just intent.
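The five components above amount to a risk register, and the check OCR's expanded initiative performs is mechanical: for each identified risk, is there a treatment action, and did it happen? The following script is an added example, not tooling from this article or from Tech for Senior Living. It models the register as plain Python data, rates each risk on a simple likelihood-times-impact matrix, and reports the gaps a reviewer would raise: a medium or high residual risk with no treatment plan, a treatment action past its due date with no evidence of execution, and an analysis more than a year old. The systems, ratings, owners, and ticket references are constructed for illustration.

```python
"""Risk register gap check.

Added example, not tooling from the article or from Tech for Senior Living.
It models the five risk-analysis components as a small register and flags
the conditions OCR's expanded initiative is described as looking for: an
identified risk with no treatment action, a treatment action past due with
no evidence of execution, and an analysis not reviewed in the last year.
All risks below are constructed; ratings, owners and ticket IDs are invented.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Component 3: a 3x3 likelihood/impact matrix. Nothing more elaborate is
# needed; what matters is that the scale is documented and used consistently.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Treatment:
    """Component 5: what will be done, by whom, by when, and proof it happened."""
    action: str
    owner: str
    due: date
    evidence: Optional[str] = None  # ticket ID, config export, audit log reference


@dataclass
class Risk:
    system: str                  # Component 1: entry from the ePHI system inventory
    threat: str                  # Component 2: realistic threat ...
    vulnerability: str           # ... and the weakness it would exploit
    likelihood: str              # Component 3: rated with current controls in place
    impact: str
    current_controls: List[str] = field(default_factory=list)  # Component 4
    treatment: Optional[Treatment] = None                      # Component 5

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def find_gaps(risks: List[Risk], analysis_date: date, today: date,
              max_age_days: int = 365) -> List[Tuple[str, str]]:
    """Return (system, finding) pairs a reviewer could raise.

    Low residual risk is treated as accepted by current controls and needs no
    treatment entry; medium and high residual risk must have one, and once the
    due date passes the entry must carry evidence that the action was taken.
    """
    gaps: List[Tuple[str, str]] = []
    if (today - analysis_date).days > max_age_days:
        gaps.append(("ANALYSIS", f"risk analysis dated {analysis_date} is older than {max_age_days} days"))
    for r in risks:
        if r.level() == "low":
            continue
        if r.treatment is None:
            gaps.append((r.system, f"{r.level()} risk '{r.vulnerability}' has no treatment plan"))
        elif r.treatment.evidence is None and r.treatment.due < today:
            gaps.append((r.system, f"'{r.treatment.action}' was due {r.treatment.due} with no evidence of execution"))
    return gaps


# Constructed sample register for one community (not real findings).
SAMPLE_RISKS = [
    Risk("nurse call server", "ransomware", "unpatched Windows host",
         "high", "high", ["EDR agent", "nightly encrypted backup"],
         Treatment("apply monthly patch baseline", "MSP ops", date(2026, 1, 31),
                   evidence="ticket MSP-4412, patch report 2026-01-28")),
    # The article's own scenario: lack of encryption rated high, nothing done.
    Risk("nursing-station workstations", "device theft", "no full-disk encryption",
         "medium", "high", []),
    Risk("billing SaaS", "vendor breach", "BAA has no breach-notification deadline",
         "medium", "medium", ["annual vendor questionnaire"],
         Treatment("amend BAA with notification deadline", "administrator",
                   date(2026, 2, 15))),
    Risk("guest Wi-Fi kiosk", "unauthorized access", "shared local account",
         "low", "low", ["isolated VLAN, no ePHI access"]),
]

if __name__ == "__main__":
    for system, finding in find_gaps(SAMPLE_RISKS, date(2025, 1, 15), date(2026, 3, 20)):
        print(f"{system}: {finding}")
```

Run against the sample register with an analysis dated January 2025, the script reports three findings: the stale analysis, the unencrypted workstations with no treatment plan, and the overdue BAA amendment with no evidence. The first of those is exactly the document-age problem, and the second two are exactly the "identified but not mitigated" pattern, that the expanded initiative treats as enforcement triggers; the treatment entry with a ticket reference and patch report is what evidence of execution looks like in practice.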

The Penalty Scale

HIPAA civil penalties are tiered by culpability: Tier 1 (the organization did not know and could not reasonably have known of the violation), Tier 2 (reasonable cause, not willful neglect), Tier 3 (willful neglect, corrected within 30 days), and Tier 4 (willful neglect, not corrected), with per-violation and annual caps that rise at each tier.

An organization that knows it needs a risk analysis (which all covered entities do, given the 20-year-old requirement) and does not have one is, at minimum, in Tier 2 territory. Inflation adjustments to the penalty amounts are expected again by January 2027.

Three Steps to Take This Week

  1. Locate your current risk analysis. If you cannot find it, or it is more than 12 months old, that is your first remediation item. The Security Rule requires the analysis to be reviewed and updated whenever your environment changes significantly (a new EHR, a new IT provider, a move to cloud hosting); an annual review is the practice OCR expects to see even when nothing obvious has changed.
  2. Check for a risk treatment plan. A risk analysis without a treatment plan is incomplete. If your analysis identifies risks but does not document what was done to address them, OCR's expanded initiative considers that a deficiency.
  3. Ask your business associates about their risk analysis status. Your IT provider, EHR vendor, billing platform, and any other vendor with access to resident PHI should maintain their own risk analyses. You have the right to ask, and the MMG Fusion case demonstrates why you should.

OCR's Risk Analysis Initiative is not a temporary enforcement wave. It is the new baseline. The 12 settlements to date are the beginning, not the peak.


When was your last risk analysis?

Tech for Senior Living includes annual risk assessments, documented risk treatment plans, and IT compliance binders as standard components of our managed services for senior living communities. If your current risk analysis is outdated or incomplete, we can conduct a gap assessment and bring your documentation current before your next survey or renewal.
