You don't think much about your annual risk assessment. You probably don't have one. Most independent practices don't. When the auditor asks, the answer is some version of "I'm pretty sure that's somewhere on the EHR vendor's compliance page." OCR knows this. And in the past two weeks, OCR collected six-figure settlements from five HIPAA-regulated entities for the same operational gap.

What happened

On May 4, the federal Office for Civil Rights (the agency inside HHS that enforces the federal patient-privacy rules) announced a $245,000 settlement with a self-funded group health plan over a 2021 ransomware attack that exposed names, Social Security numbers, dates of birth, insurance information, and claims details. The plan paid the settlement amount and accepted a two-year corrective action plan that includes ongoing federal monitoring. Nine days later, on May 13, OCR settled four more cases involving four different practices for a combined $1.165 million. Same enforcement framework. Same root cause.

The root cause OCR cited in every one of these settlements: the entity could not produce an adequate risk analysis.

Not "the practice made the wrong decision about a particular control." Not "the practice failed to detect an intrusion." The thing OCR is fining people over is the document that comes before any of those decisions is made. The document that says: here are the systems we use, here is the patient information that lives in them, here are the things that could go wrong, here are the safeguards we have, here are the gaps we know about, and here is what we're doing about the gaps.

If you don't have that document, the federal regulator's view is that you didn't actually think about it.

What the regulation actually says

The relevant federal regulation is the risk analysis implementation specification under the HIPAA Security Rule's first administrative safeguard, the security management process standard. It requires an "accurate and thorough" assessment of "the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information" that the entity holds.

That's the legal language. In operational terms, what it asks is: which systems hold or touch patient information, what patient information lives in each of them, what could go wrong with each, what safeguards are in place today, which gaps you know about, and what you are doing about those gaps.

Each of these questions sounds like the kind of thing you'd answer in an hour with a notepad. That plain, specific level of answer is exactly what OCR expects. It doesn't have to be a 60-page document. It has to be honest, dated, updated, and cover everything that holds patient information, not just the EHR.

Why solo and small-group practices don't have one

Hospital systems produce these every year because they have compliance teams whose job description literally includes producing these every year. Independent practices don't have compliance teams. The owner is the practitioner. The practitioner is also the office manager, the IT department, the HR department, and the marketing department.

What happens in practice is that risk assessment becomes the thing nobody owns. The EHR vendor handles "EHR compliance" — but their compliance posture covers their software, not your operational use of email, scheduling, billing, telehealth, and paper files. The cyber-liability carrier asks about it at renewal — and the practice owner says "we follow industry best practices" because nobody knows the exact words to put in the box. The state medical board's compliance webinar mentioned it three years ago — and the notes from that webinar are in a folder somewhere.

The federal expectation, written plainly, is that the practice owner can produce a document that answers the operational questions above. If the document doesn't exist, the practice cannot demonstrate that it thought about the risks. "I didn't know" stops being a defense.

What OCR is signaling

Five settlements in 10 days, all centered on the same form. This isn't random case selection. OCR has publicly named a "Risk Analysis Initiative" — a targeted enforcement effort focused on entities that cannot produce adequate risk analysis documentation when audited.

The dollar amounts in these settlements — $245K, then four more averaging roughly $291K each — are not catastrophic for a hospital system but are existence-threatening for a solo or small-group practice. The corrective action plans attached to each settlement include two years of ongoing federal monitoring. That's an operational tax that disrupts every quarter for two years.

The strategic read: OCR is making it easy to comply by being explicit about what they're looking for. The document is the thing. Have the document.

What to do this week

Three steps, in order:

One. Find whatever you have. Most practices have something — a checklist from a webinar, an outline from a previous attorney, a template from the state medical board, a security questionnaire your cyber-liability carrier asked you to fill out. Pull it together in one place. If it's older than 18 months, treat it as a starting point, not a finished product.

Two. If you have nothing: do the basic version this week. List every system that touches patient information: EHR, email, scheduling, billing service, telehealth platform, intake forms, anything. For each one, write down two or three things that could go wrong. For each of those, write down what protects you. Date it. Sign it. Put it in a folder labeled "Annual Risk Assessment 2026." Keep every dated version you produce after that; what you need to be able to show is a history of updates, not just the current page. This is not the polished version. It is the document that demonstrates you thought about it.

Three. Schedule the actual annual review. Put a calendar entry for one year from today. The federal expectation is that this is an ongoing operational practice, not a one-time exercise. Sixty minutes a year is enough for most independent practices, plus a short update whenever something material changes: a new telehealth platform, a new billing service, a security incident. It just needs to happen.

The five entities that paid the federal government a combined $1.41 million in the past two weeks aren't in trouble because they didn't think about risk. They're in trouble because they couldn't show that they thought about it. The document is the proof.

The form OCR is now fining people over.
The Vault includes the annual risk assessment template — calibrated for independent practice, structured to satisfy the HIPAA Security Rule's risk analysis documentation requirements without the 60-page hospital-compliance overhead. National edition $299. New York edition $349 (adds SHIELD Act and state-specific addenda).
Get the Vault →
With security,
Brad
Brad Lieberman, JD (retired), MSN, PMHNP-BC
Founder, The Encrypted Chart
www.encryptedchart.com · Vault: store.encryptedchart.com/l/binder
Brad@encryptedchart.com
Footnotes
  1. HHS Office for Civil Rights, $245,000 HIPAA settlement with self-funded group health plan over 2021 ransomware breach and risk analysis failure (announced May 4, 2026). Source coverage: National Law Review / LegalTech Digest, May 4, 2026.
  2. HHS Office for Civil Rights, settlement of four HIPAA ransomware investigations totaling $1.165 million across four covered entities (announced May 13, 2026). Source coverage: Caruso Law Office summary, May 13, 2026.
  3. 45 CFR § 164.308(a)(1)(ii)(A) — HIPAA Security Rule, Administrative Safeguards, Risk Analysis. ecfr.gov/current/title-45/section-164.308