A $480,000 Fine That Started With One Missing Document
In 2023, OCR settled with Lafourche Medical Group for $480,000 after a phishing attack exposed the ePHI of nearly 35,000 patients. The root cause wasn't the phishing email itself — it was the fact that Lafourche had never conducted a risk analysis at all. That single gap turned a manageable incident into an enforcement action with a corrective action plan that will shadow the organization for years.
I've reviewed hundreds of compliance programs, and the pattern is always the same. Organizations treat the HIPAA privacy risk analysis like a one-time project they can check off and file away. OCR treats it like the backbone of your entire compliance program — because it is.
If you're a covered entity or business associate handling PHI, your risk analysis is the single document OCR will ask for first during an investigation. This post breaks down what that analysis actually requires, where most organizations fail, and how to build one that holds up under scrutiny.
What Is a HIPAA Privacy Risk Analysis, Exactly?
A HIPAA privacy risk analysis is a systematic evaluation of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the PHI your organization creates, receives, maintains, or transmits. The Security Rule requires it for ePHI at 45 CFR § 164.308(a)(1)(ii)(A), but the Privacy Rule's safeguard requirements and the Breach Notification Rule extend its practical scope to paper and oral PHI as well.
Here's the part most people miss: a risk analysis isn't a vulnerability scan. It isn't a penetration test. It isn't a vendor questionnaire you download and fill in. It's a documented process that identifies every place PHI lives, every threat to that PHI, every existing safeguard, and the likelihood and impact of each threat exploiting a vulnerability.
The Six Components OCR Actually Looks For
- Scope: Every system, device, and location where PHI exists — including paper records, mobile devices, cloud platforms, and third-party vendors.
- Threat identification: Internal and external threats, from disgruntled employees to ransomware to natural disasters.
- Vulnerability identification: Gaps in administrative, physical, and technical safeguards.
- Current controls: What you already have in place — encryption, access controls, workforce training, policies.
- Likelihood and impact ratings: A realistic assessment of how probable each risk is and how severe the consequences would be.
- Risk level determination: Combining likelihood and impact to prioritize what gets fixed first.
HHS published detailed guidance on this ("Guidance on Risk Analysis Requirements under the HIPAA Security Rule") that maps directly to these elements. If you haven't read it recently, stop what you're doing and review it today.
The $1.25 Million Mistake: Treating Risk Analysis as a One-Time Event
Banner Health paid $1.25 million in 2023 to resolve a 2016 breach affecting nearly 3 million people. Among the findings? Insufficient risk analysis. Not absent — insufficient. They had documentation, but it didn't adequately address the scope of their environment.
I see this constantly. An organization hires a consultant, produces a thorough risk analysis in year one, then lets it gather dust. Three years later, they've migrated to a new EHR, added telehealth services, onboarded 40 new employees, and started using a patient portal — none of which appear in their risk analysis.
Your HIPAA privacy risk analysis must be a living process. OCR doesn't specify a frequency, but the expectation is clear: you update it whenever your environment changes and review it at least annually. Period.
Environmental Changes That Trigger an Update
- New technology deployments (EHR migration, cloud storage, patient portals)
- Organizational changes (mergers, acquisitions, new office locations)
- New or modified workflows involving PHI
- Security incidents or near-misses
- Changes to regulations or HHS guidance
- Workforce changes, especially in IT or compliance roles
Where Privacy and Security Risk Analysis Overlap — and Where They Don't
Here's a distinction that trips up even experienced compliance officers. The Security Rule explicitly mandates a risk analysis for ePHI. The Privacy Rule doesn't use the words "risk analysis," but it requires you to have administrative safeguards that protect all forms of PHI — electronic, paper, and oral.
In practice, OCR evaluates them together. If you're only analyzing risks to ePHI and ignoring the stack of paper intake forms sitting in an unlocked cabinet at your front desk, your analysis has a hole in it. A thorough HIPAA privacy risk analysis covers every format of PHI across every workflow.
This is especially critical in behavioral health settings, where psychotherapy notes carry extra protections and clinical conversations happen in shared spaces. If your team works in mental health, I strongly recommend specialized HIPAA training for mental and behavioral health to fill the gaps that generic training doesn't touch.
The Five Most Common Risk Analysis Failures I've Seen
1. Confusing a Checklist With an Analysis
A yes/no compliance checklist is not a risk analysis. OCR has explicitly stated this. A checklist tells you whether you have a policy. A risk analysis tells you whether that policy actually mitigates a real threat in your specific environment.
2. Ignoring Business Associates
Your risk analysis must account for PHI handled by business associates. If your billing company, cloud vendor, or shredding service has access to PHI, the risks they introduce belong in your analysis. Check your BAAs, then verify what's actually happening on the ground.
3. No Documentation Trail
If it isn't written down, it didn't happen. OCR wants to see the methodology, the findings, the risk ratings, and the remediation plan. I've worked with organizations that did solid analytical work but kept it all in someone's head. That's worth exactly nothing in an investigation.
4. Leaving Out Mobile Devices and Remote Work
Post-pandemic, a huge percentage of the workforce accesses ePHI from home networks, personal laptops, and mobile phones. If your risk analysis was last updated in 2019, it almost certainly doesn't account for the risk profile of a nurse charting from her kitchen table. Speaking of which, HIPAA training built specifically for nurses and clinical workflows addresses exactly these scenarios.
5. No Remediation Plan
Identifying risks is only half the requirement. You must also implement security measures to reduce those risks to a reasonable and appropriate level (45 CFR § 164.308(a)(1)(ii)(B), risk management). OCR looks for a documented remediation plan with timelines and responsible parties. Finding a risk and leaving it unaddressed can be worse than not finding it, because the record now shows you knew and did nothing, which is the kind of evidence that supports a willful neglect finding.
How to Build a Risk Analysis That Actually Protects You
Here's my recommended approach, stripped of consulting jargon:
Step 1: Map your PHI. Every system, every workflow, every device, every vendor. Interview department heads. Walk the floors. Check the copier hard drive. If PHI touches it, document it.
Step 2: Identify threats and vulnerabilities. Use a framework. NIST SP 800-30 is the one HHS's own guidance points to, and it is the most widely accepted. Pair each asset with realistic threats and the vulnerabilities that could be exploited.
Step 3: Assess current controls. What safeguards are already in place? Are they working? When were they last tested? Encryption at rest means nothing if the decryption key is taped to a monitor.
Step 4: Determine likelihood and impact. Use a consistent rating scale — qualitative or quantitative, but be consistent. A 3x3 or 5x5 matrix works. The point is to prioritize, not to achieve false precision.
Step 5: Calculate risk levels and prioritize. High-likelihood, high-impact risks get addressed first. Document your rationale for every prioritization decision.
Step 6: Create a remediation plan. Assign owners. Set deadlines. Track progress. Review quarterly at minimum.
Step 7: Repeat. Build risk analysis into your annual compliance calendar. Train new hires on their role in protecting PHI from day one — our new hire onboarding course covering HIPAA and security awareness was designed specifically for this purpose.
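Steps 4 through 6 above (rate likelihood and impact, rank, assign owners and deadlines, then keep reviewing) are mechanical enough to keep in a structured register rather than a prose document. The following is an added example, not code from this post or from HHS: a minimal risk register that scores each entry on a 5x5 matrix, sorts it for prioritization, and audits it for the failures the post lists (no remediation owner or deadline, overdue remediation, reviews older than a year, and PHI formats missing from scope). The assets, ratings, dates and the risk-level band thresholds are constructed for illustration; your own thresholds can differ, but they must be applied consistently and written down.

```python
"""Minimal HIPAA risk register: 5x5 likelihood x impact scoring, prioritization and gap audit.

Added example, not taken from the post or from HHS guidance. All register entries,
dates and band thresholds below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Five-point qualitative scale used for both likelihood and impact (1 = very low ... 5 = very high).
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


def risk_level(score: int) -> str:
    """Band the 1..25 product into low/medium/high. Thresholds are an assumption; document yours."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    asset: str
    phi_format: str              # "ePHI", "paper" or "oral"; the Privacy Rule covers all three
    threat: str
    vulnerability: str
    existing_controls: list[str]
    likelihood: str              # key of SCALE
    impact: str                  # key of SCALE
    last_reviewed: date
    owner: Optional[str] = None  # remediation owner (Step 6)
    due: Optional[date] = None   # remediation deadline (Step 6)

    @property
    def score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

    @property
    def level(self) -> str:
        return risk_level(self.score)


def prioritize(register: list[Risk]) -> list[Risk]:
    """Step 5: highest likelihood x impact first; ties keep register order (sorted is stable)."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def audit_gaps(register: list[Risk], today: date, max_age_days: int = 365) -> list[str]:
    """Flag the documentation failures an investigator would notice first."""
    findings = []
    for r in register:
        if r.level != "low" and (r.owner is None or r.due is None):
            findings.append(f"{r.asset}: {r.level} risk has no remediation owner or deadline")
        if r.due is not None and r.due < today:
            findings.append(f"{r.asset}: remediation overdue since {r.due}")
        if (today - r.last_reviewed).days > max_age_days:
            findings.append(f"{r.asset}: last reviewed {r.last_reviewed}, older than {max_age_days} days")
    covered = {r.phi_format for r in register}
    for fmt in ("ePHI", "paper", "oral"):
        if fmt not in covered:
            findings.append(f"register covers no {fmt} PHI; every format belongs in scope")
    return findings


# Constructed sample register (illustrative, not a real organization).
TODAY = date(2024, 6, 1)
REGISTER = [
    Risk("EHR database server", "ePHI", "ransomware", "no tested offline backups",
         ["EDR", "MFA on VPN"], "high", "very high", date(2024, 3, 1),
         owner="IT director", due=date(2024, 7, 15)),
    Risk("nurse home laptops", "ePHI", "device theft", "local disk not encrypted",
         ["password login"], "high", "high", date(2024, 3, 1)),
    Risk("front-desk intake forms", "paper", "walk-in visitor", "unlocked cabinet",
         [], "moderate", "moderate", date(2022, 1, 10),
         owner="Office manager", due=date(2024, 1, 31)),
    Risk("copier hard drive", "ePHI", "lease-return vendor", "drive not wiped at lease end",
         ["BAA with vendor"], "low", "moderate", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score:2d} {r.level:6s} {r.asset} ({r.phi_format}): {r.threat} / {r.vulnerability}")
    print("--- gaps ---")
    for g in audit_gaps(REGISTER, TODAY):
        print(g)
```

Running it ranks the EHR server (20) and the unencrypted laptops (16) as high, the intake forms (9) as medium and the copier (6) as low, and the audit reports four gaps: the laptop risk has no owner or deadline, the intake-form remediation is overdue, that entry was last reviewed over two years ago, and no oral PHI appears anywhere in scope. Each of those is exactly the kind of hole the post warns about, and keeping them in a register makes the annual review a diff rather than a rewrite.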
What Happens When OCR Comes Knocking
OCR investigates every breach affecting 500 or more individuals. They also investigate complaints. In both cases, the first document request is almost always the same: produce your most recent risk analysis.
If you can hand them a comprehensive, current, well-documented HIPAA privacy risk analysis with a corresponding remediation plan showing active progress, you've just dramatically changed the trajectory of that investigation. Not eliminated the risk — but demonstrated the "reasonable diligence" that separates a technical assistance letter from a six-figure settlement.
If you can't produce that document? You're now in the same category as Lafourche Medical Group, Banner Health, and dozens of other organizations listed on the OCR resolution agreements page.
Your Risk Analysis Is Your Compliance Foundation
Every policy you write, every training you deliver, every technical safeguard you implement should trace back to a finding in your risk analysis. It's the document that justifies your budget, prioritizes your projects, and proves to OCR that you're not guessing.
I've seen organizations spend six figures on security tools while ignoring the $0 fix of locking a server closet door. The risk analysis is what prevents that kind of mismatch. It forces you to look at your actual environment — not the one you wish you had.
If your last risk analysis is more than 12 months old, if it doesn't cover paper PHI, if it doesn't account for remote work, or if it lives in a single person's memory rather than a documented file — you have work to do. Start this week. Your organization's next OCR interaction depends on it.