The Risk Analysis Failure Pattern: What HHS OCR Settlement Data Reveals About SMB Healthcare Compliance Gaps
This piece is a companion to our 2026 Mid-Year HIPAA Enforcement and Breach Trends Analysis, and it zooms in on the single most consistent finding in that data set: an inadequate Risk Analysis is named as a root cause in a majority of recent HHS Office for Civil Rights Security Rule resolution agreements. For small and mid-sized healthcare compliance officers, that pattern is significant — it tells you exactly what HHS investigators look for first when they open a Security Rule case, and it tells you exactly which piece of evidence settles cases without monetary penalties versus which deficiency turns a closed-without-action matter into a Civil Money Penalty. The data underpinning this analysis is drawn from the public HHS OCR Resolution Agreements index through mid-2026, supplemented by the Resolution Agreement text and Corrective Action Plan documents that HHS publishes alongside each settlement.
The pattern in numbers
Of the 20 most-recent HHS OCR resolution agreements citing a Security Rule violation as a root cause (covering the period from late 2023 through March 2026 per the HHS Resolution Agreements index), the published settlement text names a deficient Risk Analysis as a finding in the substantial majority. That includes the Solara Medical Supplies settlement ($3,000,000, January 14, 2025), the Warby Parker Civil Money Penalty ($1,500,000, February 20, 2025), the Gulf Coast Pain Consultants CMP ($1,190,000, December 3, 2024), the Green Ridge Behavioral Health resolution agreement (October 30, 2023, paired with a CAP), the L.A. Care Health Plan settlement (September 11, 2023), and the broader Risk Analysis Initiative resolution agreements OCR has serialized over the past three years. Penalties associated with cases that cite Risk Analysis deficiencies skew notably higher than the broader OCR docket average — the cases listed above carry a mean stated penalty above $1.4 million, well above the per-settlement average across the full 153-agreement index. The pattern is not new — OCR has cited Risk Analysis deficiencies in marquee cases for more than a decade, including Anthem ($16M, 2018) and Fresenius Medical Care (2018) — but the serialization of the Risk Analysis Initiative through 2024 and 2025 makes it the single most repeated root-cause finding in the OCR enforcement vocabulary today. All figures here are drawn from the HHS public source at hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements.
Case study 1 — Solara Medical Supplies ($3M, 2025)
Solara Medical Supplies, a durable medical equipment supplier serving patients with diabetes and other chronic conditions, settled with HHS OCR for $3,000,000 on January 14, 2025 — the largest stated 2025 figure on the OCR Resolution Agreements page through the date of this analysis. The underlying incident was a 2019 phishing attack that compromised employee email accounts and exposed the protected health information of more than 114,000 individuals. The Resolution Agreement and Corrective Action Plan published by HHS name several Security Rule deficiencies, with the failure to conduct an accurate and thorough Risk Analysis sitting at the top of the findings. Per the published settlement text, OCR cited Solara for failing to conduct an enterprise-wide Risk Analysis that identified the threats, vulnerabilities, likelihood, and impact to all electronic protected health information across the organization’s information systems.
What HHS required Solara to implement under the CAP is the more instructive part for SMB compliance officers. The CAP obliged Solara to conduct a comprehensive, documented, organization-wide Risk Analysis that covered every information system and asset that creates, receives, maintains, or transmits ePHI; develop and implement a documented Risk Management Plan that addresses each finding identified in the Risk Analysis with a specific corrective action and a timeline; review and revise its Security Rule policies and procedures; provide enhanced workforce training; and submit annual compliance reports to HHS for the duration of the CAP. The lesson for an SMB compliance officer reading this case file is that OCR’s expectation is not merely that you produce a Risk Analysis — it is that you produce one that is complete (covers every ePHI location), accurate (uses a defined methodology), and operationally connected to a Risk Management Plan that closes findings. (Source: hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/solara/index.html.)
Case study 2 — Oregon Health & Science University (OHSU)
OHSU has appeared twice in the OCR Resolution Agreements docket — most recently with a $200,000 Civil Money Penalty announced March 6, 2025 for failure to provide timely access to patient records under the Right of Access Initiative, and in a much earlier $2,700,000 settlement on July 18, 2016 for what OCR characterized as widespread HIPAA vulnerabilities. The 2016 OHSU settlement is one of the cleanest case studies of the Risk Analysis failure pattern in the entire OCR enforcement record, and it is still cited by HHS investigators as a reference case today. The underlying matter involved multiple breach reports filed between 2011 and 2013 affecting more than 7,000 individuals — including a stolen unencrypted laptop and a separate cloud-storage incident in which student researchers stored ePHI on a third-party platform without a Business Associate Agreement.
Per the HHS settlement text, OCR cited OHSU for failing to implement policies and procedures to prevent, detect, contain, and correct security violations; failing to implement procedures to regularly review records of information system activity; failing to obtain a satisfactory written Business Associate Agreement with a vendor that created, received, maintained, or transmitted ePHI on its behalf; and — critically — failing to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it created, received, maintained, or transmitted. The CAP required OHSU to conduct an enterprise-wide Risk Analysis, implement an enterprise-wide Risk Management Plan, revise its policies and procedures, and submit annual reports for three years. The pattern OHSU teaches SMB compliance officers is the scope problem — the Risk Analysis had been performed, but it had not been scoped to cover every location of ePHI, including the cloud-storage location and the unencrypted laptop. Scope is what OCR investigates first. (Source: hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ohsu/index.html.)
Case study 3 — Gulf Coast Pain Consultants ($1.19M settlement)
Gulf Coast Pain Consultants — a Florida-based pain management specialty practice — agreed to a $1,190,000 settlement and Corrective Action Plan with HHS OCR announced December 3, 2024. The size profile of this entity is particularly instructive for SMB readers: a small specialty practice with a handful of locations, the kind of organization that small healthcare compliance teams often quietly assume sits below OCR’s enforcement radar. The underlying matter involved a former contractor who accessed the practice’s electronic medical record system after the practice failed to terminate the contractor’s access following the end of the engagement, retrieved patient information, and used it to file false claims affecting roughly 34,000 individuals. The Resolution Agreement and CAP published by HHS identify three potential Security Rule violations: failure to conduct a compliant Risk Analysis to determine the risks and vulnerabilities to ePHI across the organization, failure to implement procedures to regularly review records of information system activity such as audit logs, and failure to establish policies and procedures for granting access to ePHI.
The CAP required Gulf Coast Pain Consultants to conduct an accurate and thorough organization-wide Risk Analysis covering all of its electronic systems, develop and implement a Risk Management Plan that addressed each finding from the Risk Analysis, revise its Security Rule policies and procedures, train its workforce on the revised policies, and submit annual compliance reports to HHS for two years. The Gulf Coast pattern is the clearest cautionary tale for SMB practices in the recent record — a small specialty practice was named in a seven-figure settlement because the Risk Analysis it had on file did not cover the access-management and audit-logging systems that ultimately failed. The lesson is not that the practice did not perform a Risk Analysis. The lesson is that the Risk Analysis on file did not cover the systems that were ultimately compromised. (Source: hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants/index.html.)
The common thread — what these settlements teach SMB compliance officers
Reading these three case files alongside the broader Risk Analysis Initiative docket, four recurring sub-patterns emerge that explain why so many SMB compliance officers find themselves with a Risk Analysis on file and still inside a Security Rule investigation.
Pattern one — incomplete scope. The most common deficiency is that the Risk Analysis on file covers the EMR or the practice management system but does not cover every location of ePHI. OHSU’s missing cloud-storage location, Gulf Coast Pain’s missing access-management and audit systems, and Solara’s missing enterprise-wide coverage are all variants of the same scope problem. The HHS expectation, stated repeatedly across the CAP language, is that the Risk Analysis covers every information system, every endpoint, every cloud and SaaS application, every remote-work asset, and every Business Associate’s data flow that touches ePHI.
Pattern two — no documented methodology. Several CAP files cite the absence of a defined Risk Analysis methodology — that is, the Risk Analysis was performed, but the document does not specify how threats and vulnerabilities were identified, how likelihood and impact were rated, how risk levels were determined, or how the assessment was scoped. Without a methodology, the document cannot be defended as “accurate and thorough” in the statutory language of 45 CFR 164.308(a)(1)(ii)(A). The published National Institute of Standards and Technology guidance — NIST SP 800-66 Revision 2, the HIPAA Security Rule implementation guide finalized in February 2024 — explicitly describes the structure HHS investigators look for: a defined scope, identified threats and vulnerabilities, a likelihood and impact rating, and a determination of the level of risk. Aligning a Risk Analysis to NIST SP 800-66r2’s methodology is the cleanest available defense.
Pattern three — annual cadence not maintained. Multiple CAP files require the regulated entity to update the Risk Analysis at least annually and whenever there is a material change in operations, technology, or threat environment. The recurring deficiency is a Risk Analysis dated two, three, or four years prior to the incident — even where the document itself was reasonable when written. HHS treats the Risk Analysis as a living document, not a one-time deliverable.
Pattern four — findings not tied to a Risk Management Plan. A Risk Analysis identifies risks. A Risk Management Plan implements controls that reduce those risks to a reasonable and appropriate level. The two are different documents with different requirements under 45 CFR 164.308(a)(1)(ii)(A) and (B), and the recurring CAP language requires both to be in place and operationally connected — every finding in the Risk Analysis must be addressed by a specific corrective action in the Risk Management Plan, with a timeline and an accountable owner. Many SMB practices have the first document and not the second, or have both documents but no traceable link between findings and remediations. That gap is what most often turns a closed-without-action matter into a CMP.
Commercial healthcare-specialized Risk Analysis platforms exist in part because these methodology and documentation requirements are stubborn to maintain in spreadsheets. Medcurity is one such platform, and the value proposition we hear most often from compliance officers is the operational forcing function — the platform makes you produce the documented methodology and the linked Risk Management Plan that these settlements found missing.
A practical Risk Analysis self-check for 2026
The most useful artifact a small-practice compliance officer can produce in 2026 is a ten-item internal check, derived from the settlement patterns above, that takes about an hour to walk through. The check is vendor-neutral and applies whether you use a commercial platform, a spreadsheet, or the ONC Security Risk Assessment Tool. Score each item yes or no.
- Does our most recent Risk Analysis cover every location of electronic protected health information in our organization — including endpoints, mobile devices, cloud and SaaS applications, remote-work assets, and Business Associate data flows?
- Does our Risk Analysis document a defined methodology — how threats, vulnerabilities, likelihood, impact, and overall risk level were identified and rated?
- Is our Risk Analysis dated within the past twelve months, or within twelve months of the most recent material change in our operations, technology, or threat environment?
- Do we maintain a separately documented Risk Management Plan that addresses each finding identified in the Risk Analysis with a specific corrective action, a timeline, and an accountable owner?
- Can we produce evidence of corrective actions completed, including the date of completion, for each finding from the prior period’s Risk Analysis?
- Do we maintain a current Business Associate Agreement inventory that ties each vendor to the ePHI data flow they support, and does our Risk Analysis address each of those data flows?
- Do we maintain audit log records of information system activity, and does our Risk Analysis address how those logs are reviewed and how frequently?
- Does our Risk Analysis methodology align with NIST SP 800-66 Revision 2, the HHS-published HIPAA Security Rule implementation guide finalized in February 2024?
- Do we have documentation of workforce security awareness training tied to the findings of our Risk Analysis?
- If HHS OCR opened a Security Rule investigation tomorrow, could we produce the Risk Analysis, the Risk Management Plan, the BAA inventory, the audit logs, the training records, and the policy and procedure set within seven business days?
A score below seven yes-answers is consistent with the deficiency profile in the settlements analyzed above. A score of nine or ten is consistent with the documentation profile that OCR closes without monetary penalty.
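One way to turn Pattern four (findings not tied to a Risk Management Plan) and self-check items three to five (currency, linked corrective actions, evidence of completion) into a repeatable check is a small script run over the risk register you already keep. The following is an added example written for this article; it is not code from the page, from HHS, from NIST, or from Medcurity. The record layout, the field names (`id`, `finding_id`, `owner`, `due`, `completed`), and the sample findings and plan rows are constructed for illustration, and the currency rule (the analysis is no older than twelve months and does not predate the last material change) is one reading of the self-check wording, not regulatory text.

```python
"""Traceability and currency checks for a Risk Analysis / Risk Management Plan pair.

Added example. Field names, record layout and sample rows are assumptions made
for illustration, not an HHS, NIST or vendor format.
"""
from datetime import date, timedelta

TWELVE_MONTHS = timedelta(days=365)

# Date the page's own data set is current to; used as "today" for the sample run.
TODAY = date(2026, 6, 5)

# Constructed sample: one row per finding in the Risk Analysis.
FINDINGS = [
    {"id": "RA-001", "asset": "EHR (cloud-hosted)", "risk_level": "high"},
    {"id": "RA-002", "asset": "Staff laptops", "risk_level": "high"},
    {"id": "RA-003", "asset": "Billing SaaS vendor", "risk_level": "medium"},
    {"id": "RA-004", "asset": "Audit log review process", "risk_level": "medium"},
]

# Constructed sample: Risk Management Plan entries that are supposed to close findings.
PLAN = [
    {"finding_id": "RA-001", "action": "Enforce MFA on EHR accounts",
     "owner": "IT lead", "due": date(2026, 3, 31), "completed": date(2026, 3, 15)},
    {"finding_id": "RA-002", "action": "Full-disk encryption on laptops",
     "owner": "", "due": date(2026, 4, 30), "completed": None},          # no owner, overdue
    {"finding_id": "RA-003", "action": "Execute BAA with billing vendor",
     "owner": "Compliance officer", "due": None, "completed": None},     # no timeline
    {"finding_id": "RA-999", "action": "Retire legacy fax server",
     "owner": "IT lead", "due": date(2026, 9, 30), "completed": None},   # orphan: no such finding
]


def check_traceability(findings, plan):
    """Report every break in the finding -> corrective action link.

    Each finding needs at least one plan entry; each plan entry needs an
    accountable owner and a due date; plan entries pointing at an unknown
    finding id are reported as orphans (they close nothing on the record).
    """
    finding_ids = {f["id"] for f in findings}
    covered = {p["finding_id"] for p in plan}
    return {
        "unlinked_findings": sorted(finding_ids - covered),
        "orphan_actions": sorted(p["finding_id"] for p in plan
                                 if p["finding_id"] not in finding_ids),
        "missing_owner": sorted(p["finding_id"] for p in plan if not p.get("owner")),
        "missing_timeline": sorted(p["finding_id"] for p in plan if p.get("due") is None),
    }


def open_findings(findings, plan, today):
    """Findings with no completed corrective action, marked 'overdue' or 'open'."""
    actions_by_finding = {}
    for p in plan:
        actions_by_finding.setdefault(p["finding_id"], []).append(p)
    result = []
    for f in findings:
        actions = actions_by_finding.get(f["id"], [])
        if any(a.get("completed") for a in actions):
            continue  # evidence of completion exists for this finding
        overdue = any(a.get("due") is not None and a["due"] < today for a in actions)
        result.append((f["id"], "overdue" if overdue else "open"))
    return result


def analysis_is_current(analysis_date, last_material_change, today):
    """True when the analysis is within twelve months and postdates the last material change."""
    if today - analysis_date > TWELVE_MONTHS:
        return False
    if last_material_change is not None and last_material_change > analysis_date:
        return False
    return True


if __name__ == "__main__":
    for key, ids in check_traceability(FINDINGS, PLAN).items():
        print(f"{key}: {ids}")
    for fid, status in open_findings(FINDINGS, PLAN, TODAY):
        print(f"{fid}: {status}")
    print("analysis current:", analysis_is_current(date(2025, 9, 1), date(2025, 6, 1), TODAY))
```

Run against a real register, the four lists from `check_traceability` are the gaps an investigator would find on a document-request review, and the `overdue` entries from `open_findings` are the findings for which no evidence of completion can be produced. Exporting the EMR, laptop, SaaS and audit-log assets into the findings table in the first place is what addresses the scope problem from Pattern one; the script only verifies what is already in scope.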
Methodology and source data
All resolution agreement findings, penalty amounts, and Corrective Action Plan requirements cited in this report are drawn from the HHS Office for Civil Rights public Resolution Agreements index at hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements (page last reviewed March 5, 2026) and from the individual Resolution Agreement and Corrective Action Plan documents HHS publishes for each settlement. NIST SP 800-66 Revision 2 references are drawn from the NIST publication of February 2024. Data is current as of June 5, 2026; the next quarterly update to this analysis will pull data posted after October 2026 to capture the next OCR posting cycle.
Frequently asked questions
What is the most common HIPAA violation cited in recent OCR settlements? Across the most recent twenty HHS OCR Security Rule resolution agreements (2023 through March 2026), failure to conduct an accurate and thorough Risk Analysis covering all electronic protected health information is the single most repeated root-cause finding. The pattern appears in the 2025 Solara Medical Supplies and Warby Parker matters, the 2024 Gulf Coast Pain Consultants and Children’s Hospital Colorado matters, the 2023 Green Ridge Behavioral Health and L.A. Care Health Plan matters, and across OCR’s serialized Risk Analysis Initiative through the period.
How frequently should a Risk Analysis be updated under the 2026 Security Rule? The HHS-published guidance and the recurring Corrective Action Plan language in recent settlements both treat the Risk Analysis as a living document. Resolution Agreements typically require the Risk Analysis to be reviewed and updated at least annually and whenever a material change occurs in operations, technology, the threat environment, or the regulated entity’s ePHI inventory. The proposed 2026 Security Rule updates would further codify the annual minimum cadence.
What does HHS OCR look for in a Risk Analysis during an investigation? Investigators typically look for four elements: a documented scope that covers every location of ePHI, a defined methodology aligned with recognized frameworks such as NIST SP 800-66 Revision 2, a current date with a maintained annual or material-change cadence, and a Risk Management Plan that links each finding to a specific corrective action with a timeline and an accountable owner. Recent Corrective Action Plans reinforce that these four elements are the operative standard.
Does the ONC SRA Tool meet the Risk Analysis requirements that OCR settlements name? The Office of the National Coordinator’s Security Risk Assessment Tool can support a compliant Risk Analysis when used in alignment with NIST SP 800-66 Revision 2 methodology and when its outputs are connected to a documented Risk Management Plan. The recurring CAP language does not require any particular software; it requires that the resulting Risk Analysis be accurate, thorough, scoped to every ePHI location, and operationally connected to remediation. Commercial healthcare-specialized platforms exist in part because they enforce that operational connection automatically.
What’s the typical penalty for inadequate Risk Analysis under HIPAA? Penalties vary by case severity, scope, the number of individuals affected, and whether the matter resolves as a voluntary settlement or as a Civil Money Penalty after administrative adjudication. The most recent twenty Security Rule settlements citing Risk Analysis deficiencies range from approximately $100,000 to $16,000,000 in stated monetary penalty. Notable recent examples include Solara Medical Supplies at $3,000,000 (2025), Warby Parker at $1,500,000 (2025), and Gulf Coast Pain Consultants at $1,190,000 (2024). Settlement matters also typically carry a multi-year Corrective Action Plan with HHS monitoring obligations.
Ready to start a compliant 2026 HIPAA Risk Analysis? Schedule a conversation with the Medcurity team to walk through your organization’s scope, methodology, and Risk Management Plan against the patterns documented above.
This analysis is published by Medcurity, a healthcare-specialized HIPAA risk analysis and compliance platform. All resolution agreement data is drawn from public HHS OCR sources and is free to cite with attribution to “Medcurity Quarterly HIPAA Enforcement Analysis, June 2026.”