OCR Enforcement Intensifies: Key Takeaways on Risk Analysis and Right of Access

Warner Norcross + Judd

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has renewed its focus on two critical areas of HIPAA compliance: risk analysis and individual right of access. These enforcement priorities, known respectively as the Risk Analysis Initiative and the Right of Access Initiative, have already led to significant financial penalties and corrective action plans for organizations that fail to comply. Companies subject to HIPAA must take immediate steps to review their compliance posture.

Risk Analysis Initiative: A Foundational Requirement

Under the HIPAA Security Rule, covered entities and business associates are required to conduct an accurate, thorough and regular risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI). Despite this longstanding requirement, OCR continues to find organizations failing to perform or update their risk assessments.

OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement. It is designed to hold organizations accountable for failing to meet this fundamental standard. Recent enforcement actions have included settlements with health care providers and business associates who either did not conduct a risk analysis or did so inadequately.

Action Steps for Companies:

  • Conduct a comprehensive risk analysis tailored to the size, complexity and capabilities of your organization.
  • If you have not done so recently, update the risk analysis, especially when there are changes to operations, technologies or threats. Current settlement agreements with OCR require an annual risk assessment.
  • Implement and document risk management plans to address identified vulnerabilities.

Right of Access Initiative: Ensuring Patients Get Their Records

Launched in 2019, OCR’s Right of Access Initiative aims to enforce patients' rights to timely and affordable access to their medical records. OCR has taken action against dozens of organizations for failing to provide individuals with access to their records within the required timeframe, often resulting in financial settlements and mandated compliance improvements.

Under HIPAA, individuals have the right to inspect or obtain a copy of their protected health information (PHI) within 30 days of their request, and organizations may only charge a reasonable, cost-based fee.

Action Steps for Companies:

  • Review and update policies for processing patient record requests.
  • Ensure staff are trained to handle access requests promptly and in compliance with HIPAA timelines.
  • Track and document all patient access requests and responses.

Why It Matters

OCR is making clear that failure to meet core HIPAA requirements will not be overlooked. Noncompliance can result in investigations, fines, reputational damage and increased scrutiny.

Companies should proactively evaluate their HIPAA compliance programs, focusing particularly on risk analysis and access to records. OCR has released guidance and tools to assist organizations in these efforts — making “I didn’t know” an increasingly unconvincing defense.

Final Thoughts

With enforcement efforts escalating, the message is clear: OCR expects HIPAA-covered entities and business associates to treat privacy and security obligations seriously. Investing in compliance now could prevent costly consequences later.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Warner Norcross + Judd
