Why HIPAA Risk Assessments Are Back in Focus: What You Need to Know

Posted by Wayne Proctor on Dec 17, 2025 11:57:22 AM

For many organizations handling electronic protected health information (ePHI), HIPAA risk assessments have long felt like a checkbox item. But recent developments show that the U.S. Department of Health and Human Services (HHS) is paying closer attention than ever before.

A Quick History of OCR HIPAA Audits

HIPAA (Health Insurance Portability and Accountability Act) has required covered entities and business associates to perform risk analysis under the Security Rule since it was enacted in 2005. These assessments aim to identify threats and vulnerabilities to ePHI and ensure organizations are taking reasonable steps to protect it.

In the early 2010s, the Office for Civil Rights (OCR) launched formal HIPAA audit programs, but, after two pilot rounds in 2012 and 2016-2017, audit activity largely paused for several years due to budget and staffing constraints.

The 2024-2025 Turnaround: OCR's Renewed Focus

In late 2024, OCR launched a renewed HIPAA enforcement effort, including a Risk Analysis Initiative, targeting organizations that have failed to conduct thorough and timely risk assessments. OCR also resumed formal audits after a 7-year pause with a clear emphasis on Security Rule compliance.

Notably, several enforcement actions in 2025 cited the same core issue: failure to conduct a risk analysis or update it regularly. Recent data suggests that approximately 90% of Security Rule enforcement actions in 2025 involved inadequate or missing risk analysis, highlighting how seriously OCR is treating this issue.

This trend is expected to continue into 2026 and beyond, with OCR confirming that organizations must proactively identify and mitigate risks to ePHI.

Why This Matters Now

For organizations that are still maturing their compliance programs, the message is clear:

  • A HIPAA risk assessment is not optional—it's a regulatory requirement.
  • Risk assessments must be comprehensive, documented, and updated regularly to reflect changes in systems or threats.
  • Simply having policies is not enough; OCR wants to see that risks are being identified and addressed.

What You Can Do

If your organization hasn’t performed a HIPAA risk assessment recently—or ever—now is the time to act. Start by evaluating the risk for each HIPAA Security Rule safeguard, applying the following steps to every system and process where ePHI is created, received, maintained, or transmitted:

  • Identify the threats and vulnerabilities to those systems and processes
  • Document the likelihood and impact of each to determine its risk level
  • Develop a plan to address the high and moderate risks

For a more robust initial risk assessment, consider the risk associated with the requirements of all the HIPAA rules, not only the Security Rule. This goes beyond the baseline HIPAA requirement, but it demonstrates that your company is considering HIPAA holistically.

The most important thing is to start. Even a basic, well-documented risk assessment is far better than none, and it may help you avoid fines and operational disruption if OCR comes knocking.

Final Thought

HIPAA compliance is evolving. The OCR is clearly sending a message in 2025: organizations that handle ePHI must take risk assessment seriously. It’s not just about passing an audit — it’s about protecting your patients, your data, and your organization’s future.

IGI can help. We've developed a holistic risk assessment methodology that simplifies compliance with this HIPAA requirement. Contact us today to learn more.
