A recent HHS OCR resolution agreement further emphasizes the importance of conducting risk analyses and appropriately addressing the risks they identify. Covered entities and business associates that failed to conduct risk analyses when HIPAA first required them could find themselves subject to penalties years down the road if they are audited or subjected to a complaint or breach investigation.

On April 12, 2017, OCR announced a resolution agreement requiring a federally qualified health center (FQHC) to pay a $400,000 settlement for potential noncompliance with the HIPAA Privacy and Security Rules. In 2012, the FQHC submitted a breach report to OCR indicating that a hacker accessed the PHI of 3,200 individuals through a phishing incident.

Even though OCR determined that the entity took necessary corrective action, the FQHC was subjected to penalties due to failure to conduct a risk analysis until 2012 and failure to implement corresponding risk management plans. This resolution agreement also emphasizes the need to include phishing risks in the risk analysis.