Mar 30 / Alex Lipovtsev

OCR Settlements Signal Continued Crackdown on Inadequate HIPAA Risk Analyses

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced two new HIPAA settlements:

  • A settlement with Top of the World Ranch Treatment Center (TWRTC), a substance use disorder treatment provider. This settlement resolves an OCR investigation into TWRTC following a March 2023 breach report. A phishing attack allowed unauthorized access to a staff email account, compromising the ePHI of 1,980 patients. OCR found that TWRTC had not conducted a sufficient risk analysis to identify potential vulnerabilities.

  • A settlement with MMG Fusion, LLC (MMG), a software company, which resolves an OCR investigation into MMG following a March 2023 complaint about an unreported security incident and PHI appearing on the dark web. The breach stemmed from a 2020 system infiltration that exposed sensitive data of approximately 15 million individuals. OCR found potential HIPAA violations, including unauthorized disclosure of PHI, failure to conduct a proper risk analysis, and failure to notify affected covered entities.


These settlements marked the 11th and 12th enforcement cases, respectively, under OCR’s Risk Analysis Initiative, first announced in October 2024. These enforcement actions reinforce OCR’s position that risk analysis is not a one-time or superficial exercise, but an ongoing, comprehensive process that must align with the organization’s size, complexity, and systems.


It has been six months since OCR’s last settlement announcement. There was a surge of enforcement activity in early 2025, with OCR announcing multiple resolution agreements between January and August, all centered on a common issue: failure to conduct an accurate and thorough assessment of potential security risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), commonly known as a “risk analysis”, as required by 45 CFR 164.308(a)(1)(ii)(A).


What does this mean for healthcare providers?


OCR is doubling down on risk analysis as a core compliance expectation. Healthcare organizations and business associates should expect continued scrutiny and should treat risk analysis as a critical, actively maintained component of their HIPAA compliance program, not a “check-the-box” requirement.

For more information, please contact:

ALEX LIPOVTSEV
Compliance and Risk Management Services Manager
alex.lipovtsev@powerslaw.com
DIANNE PLEDGIE
Principal
dianne.pledgie@powerslaw.com
