When the HHS Office for Civil Rights launched its Risk Analysis Initiative at the end of 2024, it made a deliberate bet: that the single most common, most consequential, and most provable HIPAA Security Rule failure was the one written into the very first requirement — the failure to conduct an accurate and thorough risk analysis of the risks to electronic protected health information. Eighteen months later, that bet has produced one of the most consistent enforcement campaigns in OCR's history, and in 2026 the agency is signaling that the campaign is about to get harder to satisfy.

A dozen actions and counting

OCR has now announced its 11th and 12th enforcement actions under the Risk Analysis Initiative, following a run of sixteen resolution agreements between January and August 2025 and a roughly six-month pause before the latest settlements. The 2026 actions illustrate the breadth of who is exposed:

  • Top of the World Ranch Treatment Center (announced February 19, 2026) — an Illinois substance-use-disorder provider, cited after a 2023 phishing breach for failing to conduct an adequate risk analysis.
  • MMG Fusion, LLC — a dental software vendor that impermissibly disclosed the PHI of approximately 15 million individuals, failed to conduct an accurate and thorough risk analysis, and failed to notify affected covered entities of the breach.

The pattern across nearly every action is identical and instructive: the breach itself — phishing, ransomware, a misconfiguration — is the event that draws OCR's attention, but the finding is the missing or inadequate risk analysis underneath it. OCR has effectively told the regulated community that it will treat the absence of a compliant §164.308(a)(1)(ii)(A) risk analysis as the root governance failure, almost regardless of the specific technical vector of the breach.

The settlements have ranged widely in dollar terms — from the $10,000 paid by MMG Fusion to larger six-figure amounts in the ransomware cases — but the financial penalty has never been the point. Every settlement carries a corrective action plan, frequently monitored for two to three years, and that ongoing oversight is the real cost. OCR Director Paula M. Stannard has put the message plainly: compliance with the HIPAA risk-analysis provision is "more essential than ever," and timely breach notification sits right alongside it.

The shift that matters: from analysis to management

Here is the development healthcare compliance teams need to internalize for 2026. OCR has signaled that the initiative will evolve from risk analysis to risk management. That distinction is not semantic — it is the difference between two separate, sequential requirements in the Security Rule:

  • Risk analysis — §164.308(a)(1)(ii)(A) — requires you to identify the risks and vulnerabilities to your ePHI. This is the requirement the initiative has enforced to date.
  • Risk management — §164.308(a)(1)(ii)(B) — requires you to implement security measures sufficient to reduce those risks to a reasonable and appropriate level.

For eighteen months, the enforcement question has been "did you find your vulnerabilities?" The expansion means the next question is "and what did you do about them?" An organization that conducts a beautiful risk analysis, documents every vulnerability, and then leaves those vulnerabilities unremediated has satisfied (a)(ii)(A) and failed (a)(ii)(B) — and under the evolving initiative, that gap is now squarely in scope.

This is, in a sense, the harder requirement to fake. A risk analysis can be a document. Risk management is a track record — evidence that identified risks led to prioritized, dated, completed remediation. OCR is moving from auditing whether you looked, to auditing whether you acted.

The looming Security Rule overhaul

This evolution does not happen in a vacuum. It runs in parallel with the proposed HIPAA Security Rule overhaul — the most significant rewrite of the rule since 2013 — which would, among other things, remove the longstanding "addressable" versus "required" distinction that has let entities treat controls like encryption and multifactor authentication as optional after a documented risk decision. The proposal would make many of those controls effectively mandatory, require more rigorous and more frequent risk analyses, and demand documented technology asset inventories and network maps.

Read together, the direction is unmistakable. The risk-management expansion of the enforcement initiative and the proposed Security Rule revisions point the same way: OCR wants demonstrable, implemented, continuously maintained security — not paperwork that documents good intentions. Entities that have leaned on the "addressable" loophole to defer encryption or MFA are the ones most exposed when both the rule and the enforcement posture tighten.

What this means for covered entities and business associates

The MMG Fusion case carries a second lesson worth underscoring for the business-associate community. A software vendor was held directly accountable not only for the impermissible disclosure but for failing to notify the covered entities whose data it held. Business associates are not downstream bystanders in this enforcement wave — they are named respondents, and the 15-million-record figure shows how a single vendor's risk-analysis failure cascades across every healthcare client it serves. This is the same third-party-risk theme running through the broader 2026 enforcement landscape.

The action plan

If your organization touches ePHI, the evolving initiative reframes what "compliant" requires. Concrete steps:

  1. Make your risk analysis genuinely accurate and thorough. It must cover all ePHI across all systems — every application, device, cloud service, and business-associate flow. The most common OCR finding is a risk analysis that was scoped too narrowly. An inventory-driven, enterprise-wide analysis is the baseline.
  2. Build the risk-management bridge. For every vulnerability your analysis identifies, maintain a documented, dated remediation record — what was found, what was decided, what was implemented, and when. This is the evidence the expanded initiative will demand. A risk register without a remediation trail is now a liability.
  3. Close the "addressable" gaps now. Treat encryption of ePHI at rest and in transit, and multifactor authentication on systems accessing ePHI, as required rather than optional. The proposed rule and the enforcement trend are converging on this point; getting ahead of it is cheaper than catching up under a corrective action plan.
  4. Re-run the analysis on a real cadence. "Periodic" is being interpreted as ongoing, not one-and-done. Tie reassessment to material changes — new systems, new vendors, post-incident — and to a fixed annual minimum.
  5. Hold business associates to the same standard. If you are a covered entity, your BA agreements and vendor assessments need to confirm your vendors conduct compliant risk analyses and remediate. If you are a business associate, understand that you are a direct enforcement target and that breach-notification timeliness is part of what OCR examines.
  6. Document breach notification timelines. OCR has paired risk analysis with timely notification in its 2026 messaging. Late notification compounds the underlying finding.
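The following Python checker is an added example, not code from the article or from OCR, showing how steps 1 through 4 can be turned into a mechanical review of a risk register: it flags inventory assets the analysis never covered (step 1), entries with no dated decision or with an overdue remediation (step 2), baseline controls such as encryption or MFA that were deferred by risk acceptance (step 3), and decides whether a reassessment is due on an annual minimum or after a material change (step 4). The field names, the 90-day overdue threshold, the list of baseline controls and the sample register are all constructed assumptions for this example.

```python
"""Risk-register review: does each identified risk have a remediation trail?

Added illustration; the data model and thresholds are assumptions, not OCR's.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Controls the article says should be treated as required rather than
# "addressable"; an "accept" decision on one of these is flagged.
BASELINE_CONTROLS = {"mfa", "encryption-at-rest", "encryption-in-transit"}


@dataclass
class RiskEntry:
    """One line of the risk register (assumed schema)."""
    risk_id: str
    system: str                          # asset from the technology inventory
    description: str
    identified_on: date                  # when the analysis found it
    decision: Optional[str] = None       # "remediate", "accept" or "transfer"
    decided_on: Optional[date] = None
    implemented_on: Optional[date] = None
    control: Optional[str] = None        # the control the risk relates to


def uncovered_assets(register: list[RiskEntry], inventory: set[str]) -> set[str]:
    """Step 1: inventory assets with no risk entry at all (too-narrow scope)."""
    return inventory - {e.system for e in register}


def trail_gaps(entry: RiskEntry, today: date, max_open_days: int = 90) -> list[str]:
    """Steps 2 and 3: what is missing from this entry's remediation trail."""
    gaps: list[str] = []
    days_open = (today - entry.identified_on).days
    if entry.decision is None or entry.decided_on is None:
        gaps.append("no dated decision recorded")
    elif entry.decision == "remediate" and entry.implemented_on is None:
        if days_open > max_open_days:
            gaps.append(f"remediation overdue ({days_open} days open)")
    elif entry.decision == "accept" and entry.control in BASELINE_CONTROLS:
        gaps.append(f"baseline control '{entry.control}' deferred by risk acceptance")
    if entry.implemented_on is not None and entry.implemented_on < entry.identified_on:
        gaps.append("implementation date precedes identification date")
    return gaps


def audit_register(register: list[RiskEntry], today: date) -> dict[str, list[str]]:
    """Map risk_id -> gaps, for entries that have any."""
    report = {e.risk_id: trail_gaps(e, today) for e in register}
    return {rid: gaps for rid, gaps in report.items() if gaps}


def reassessment_due(last_analysis: date, today: date,
                     material_changes: list[date], annual_days: int = 365) -> bool:
    """Step 4: due on the annual minimum or after any material change."""
    if (today - last_analysis).days >= annual_days:
        return True
    return any(change > last_analysis for change in material_changes)


# Constructed sample data: a small inventory and register for one fictional clinic.
SAMPLE_INVENTORY = {"email", "file-server", "laptops", "vendor-portal",
                    "cloud-ehr", "backup-appliance"}

SAMPLE_REGISTER = [
    RiskEntry("R-001", "email", "no MFA on webmail", date(2025, 3, 1),
              "remediate", date(2025, 3, 10), date(2025, 4, 2), "mfa"),
    RiskEntry("R-002", "file-server", "unpatched SMB service", date(2025, 3, 1),
              "remediate", date(2025, 3, 10), None, "patching"),
    RiskEntry("R-003", "laptops", "unencrypted disks", date(2025, 6, 15),
              "accept", date(2025, 6, 20), None, "encryption-at-rest"),
    RiskEntry("R-004", "vendor-portal", "shared admin account", date(2026, 1, 20),
              "remediate", date(2026, 1, 25), None, "access-control"),
    RiskEntry("R-005", "cloud-ehr", "no audit log review", date(2025, 9, 1)),
]

if __name__ == "__main__":
    today = date(2026, 3, 1)
    print("not in analysis:", sorted(uncovered_assets(SAMPLE_REGISTER, SAMPLE_INVENTORY)))
    for rid, gaps in audit_register(SAMPLE_REGISTER, today).items():
        print(rid, "->", "; ".join(gaps))
    print("reassessment due:", reassessment_due(date(2025, 6, 1), today, [date(2025, 11, 15)]))
```

Run as a script it prints the uncovered asset, one line per entry with a broken trail, and whether a reassessment is due. In practice the register would be loaded from whatever tracking tool holds it; the point is that "no dated decision", "accepted a baseline control" and "overdue remediation" are each checkable facts, which is exactly the evidence a risk-management review will ask for.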

The Risk Analysis Initiative began as a focused campaign against a single, provable failure. In 2026 it is maturing into something broader and more demanding — a campaign about whether healthcare organizations not only understand their risks but have done the unglamorous, continuous work of reducing them. The entities that have treated risk analysis as an annual document to be filed will find the new bar uncomfortable. The ones that have treated it as the start of a remediation program will find they were already building what OCR is about to require.

This article is provided for informational purposes only and does not constitute legal advice.