
Bottom Line Up Front

90% of Enforcement Actions in 2025 to Date Relate to Cyber Incidents

The HHS Office for Civil Rights’ (OCR) enforcement actions are on the rise in 2025, and its focus on both enforcing and enhancing the cyber security components of the Security Rule appears to be here to stay — especially given upward trends in related threats. Deloitte’s Annual Cyberthreat Trends Report for 2024[1] cited ransomware as the top threat vector for the year, noting a 17% increase in attack claims over 2023. To date in 2025, OCR has issued a total of seventeen enforcement actions (fifteen of which relate to cyber incidents), compared with a total of fifteen actions in all of 2024 (nine of which related to cyber incidents).

In a statement summarizing the totality of its enforcement results through October 31, 2024[2], OCR reported the receipt of a total of 347,321 HIPAA complaints; the resolution of 31,191 of those complaints (9%) by requiring changes in privacy practices and corrective actions, or by providing technical guidance; and the imposition of civil monetary penalties in 152 of those complaints (0.04%), resulting in a total dollar amount of $145 million. Without a doubt, a good faith effort by covered entities to conduct “accurate and thorough” security risk assessments (SRAs) and otherwise implement the Security Rule for the protection of electronic protected health information (ePHI) significantly decreases the chances of becoming a cautionary tale highlighted in a press release on OCR’s “Resolution Agreements” webpage[3].

More importantly, however, enhanced cyber hygiene standards and practices can prevent cyber incidents from occurring in the first place, or at least minimize their impact, and should therefore be embraced. In the healthcare sector in particular, cyber breaches can have profound impacts on medical operations, administrative functions, and reputation, and frequently lead to exposure of PHI. Most significantly, cyber attacks can have devastating impacts on the delivery of patient care, and all appropriate safeguards should be taken in this ever-increasing threat environment.

Overview

In October 2024, OCR announced a Risk Analysis Initiative to focus its investigative and enforcement efforts on cyber breaches and their risk of exposing ePHI, specifically citing an uptick in ransomware attacks. Further showcasing its intent for enhanced scrutiny of cyber security, OCR issued a Notice of Proposed Rulemaking (NPRM) in January 2025 to enhance the administrative, physical, and – most notably – cyber standards in the Security Rule for the protection of ePHI.

OCR’s explicit emphasis on strengthening cyber security for the protection of ePHI is apparent in a review of its enforcement actions thus far in 2025 (a link to a summary table is included below). Fifteen of seventeen – roughly 90% – of the OCR resolution agreements reached since the beginning of the year have related to cyber security issues (seven were for ransomware attacks), with OCR’s findings in all of those cases citing covered entities’ and/or business associates’ “failure to conduct accurate and thorough” SRAs. Total monetary penalties, which ranged from $10,000 to $3 million per action, came to $7.4 million, and most entities[4] also stipulated to corrective action plans (CAPs).

Though OCR does not publish the results of investigations that did not result in monetary penalties or CAPs, it is worth considering whether those entities that reported cyber breaches but had previously made good faith efforts to conduct SRAs were given non-punitive Technical Guidance or Corrective Actions rather than punitive fines. It is also worth noting that OCR is on pace to issue more than thirty enforcement actions by the end of 2025.

By contrast, OCR issued a total of only fifteen enforcement actions in all of 2024. Nine of those actions (56%) related to cyber security issues (five were for ransomware attacks).

OCR Risk Analysis Initiative

The first enforcement action under OCR’s Risk Analysis Initiative, launched in October 2024, involved a $90,000 monetary penalty and corrective action plan with Bryan County Ambulance Authority (BCAA) over a ransomware attack. According to an accompanying press release, “OCR’s investigation determined that BCAA had failed to conduct a compliant risk analysis (i.e., SRA) to determine the potential risks and vulnerabilities to ePHI in BCAA’s systems.”

The press release was straightforward in highlighting OCR’s focus on cyber hygiene for the protection of ePHI and compliance with HIPAA. The press release stated, “Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks. This (Risk Analysis) enforcement initiative was created to focus select investigations on compliance with the HIPAA Security Rule Risk Analysis provision, a key Security Rule requirement, and the foundation for effective cybersecurity and the protection of electronic protected health information (ePHI).” Then-OCR Director Melanie Fontes Rainer was quoted as saying, “OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.”

Former Director Rainer was further quoted in a separate OCR press release[5] in October 2024, stating, “Ransomware attacks often reveal a provider’s underlying failures to comply with the HIPAA Security Rule requirements such as conducting a risk analysis or managing identified risks and vulnerabilities to health information. Such failures can make our doctors and hospitals attractive targets for cyberattacks and can lead to breakdowns in our health care system.”

HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information

On January 6, 2025, OCR published an NPRM[6] to modify the Security Standards for the Protection of Electronic Protected Health Information (i.e., the Security Rule). According to the NPRM, “The proposed modifications would revise existing standards to better protect the confidentiality, integrity, and availability of ePHI. The proposals in this NPRM would increase the cybersecurity for ePHI by revising the Security Rule to address: changes in the environment in which health care is provided; significant increases in breaches and cyberattacks; common deficiencies the Office for Civil Rights has observed in investigations into Security Rule compliance by covered entities and their business associates (collectively, ‘regulated entities’); other cybersecurity guidelines, best practices, methodologies, procedures, and processes; and court decisions that affect enforcement of the Security Rule.”

Several of the key proposals, all of which are detailed in the NPRM linked in Footnote 6 below, include the following:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI
  • Require greater specificity for conducting a risk analysis
  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements
  • Require encryption of ePHI at rest and in transit, with limited exceptions
  • Require the use of multi-factor authentication, with limited exceptions
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures

The Security Rule, SRAs, and Further Guidance

Links to the Security Rule, which is codified in Title 45 of the Code of Federal Regulations, Parts 160 and 164, to a HIPAA Security Risk Assessment Tool, and to further guidance for compliance by covered entities and business associates can be found at the following link: The Security Rule | HHS.gov.

Click here for a downloadable PDF of the 2025 Enforcement Actions. Learn more about the assistance SunHawk can provide in conducting SRAs here.

[1] us-annual-cyber-threat-trends-report-2025.pdf

[2] Enforcement Highlights – Current | HHS.gov

[3] Resolution Agreements | HHS.gov

[4] The existence and details of CAPs were not detailed in all OCR press releases announcing individual Resolution Agreements.

[5] “HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation for $500,000: Settlement marks OCR’s 6th ransomware enforcement action amid increase in ransomware breaches in health care,” October 31, 2024

[6] Federal Register : HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information

Martin E. Hellmer, CPA
Managing Director
SunHawk Consulting

Martin spent 23 years leading complex investigations of criminal and national security offenses for the FBI. As a Special Agent in Phoenix, he investigated healthcare fraud, crypto scams, money laundering, Ponzi schemes, and other white-collar crimes. He formed and then led the FBI’s Arizona Cyber Crime Task Force, responsible for the prevention, detection, and investigation of computer attacks from domestic and foreign threats.
