OCR Settles HIPAA Risk Analysis Case with Substance Use Disorder Treatment Center
- Author: Venus Caruso
On February 19, 2026, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with Top of the World Ranch Treatment Center (“Treatment Center”), a substance use disorder treatment provider based in Milan, Illinois. The $103,000 settlement addresses alleged noncompliance with the HIPAA Security Rule’s risk analysis requirement.
This case serves as a timely reminder for covered entities and business associates that the failure to perform and document a comprehensive risk analysis can result in significant financial and operational consequences, even in the absence of willful neglect or widespread harm. In an era of escalating cybersecurity threats, particularly phishing attacks targeting healthcare email systems, proactive identification of vulnerabilities is crucial.
HIPAA Risk Analysis Imperative
The HIPAA Security Rule, codified at 45 C.F.R. Part 164, Subpart C, requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (“ePHI”).
Central to these requirements is the risk analysis provision under 45 C.F.R. § 164.308(a)(1)(ii)(A). This obligates organizations to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”
OCR Director Paula M. Stannard emphasized the urgency of compliance:
"In a time where health care providers and other HIPAA regulated entities are facing unprecedented cybersecurity threats, compliance with the HIPAA Risk Analysis provision is more essential than ever. Covered entities and business associates cannot protect electronic protected health information if they haven’t identified potential risks and vulnerabilities to that health information."
Main Facts of Investigation
OCR initiated its investigation following a breach notification the Treatment Center submitted in March 2023. The Treatment Center reported that a successful phishing attack had compromised a workforce member’s email account, resulting in unauthorized access to ePHI belonging to 1,980 patients.
Although the Treatment Center promptly reported the incident, OCR’s subsequent review revealed that it had not performed an accurate and thorough risk analysis to identify and address potential risks to its ePHI. Notably, OCR did not allege that the Treatment Center lacked any risk analysis whatsoever. Rather, it determined that the analysis performed was insufficient to meet HIPAA’s regulatory standard. This distinction is important because it emphasizes that an outdated or otherwise insufficient assessment will not satisfy HIPAA’s rules.
Settlement Terms and Corrective Action Plan
Under the resolution agreement, the Treatment Center agreed to pay $103,000 and to implement a corrective action plan subject to OCR monitoring for two years.
The plan requires the Treatment Center to:
- Conduct and complete an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified;
- Develop, maintain, and revise as necessary written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules; and
- Provide annual training to workforce members with access to ePHI on the organization’s HIPAA policies and procedures.
Key Takeaways
The Treatment Center settlement reinforces several critical compliance lessons.
First, your risk analysis must be ongoing and organization-specific. A one-time checklist or generic template will not suffice. The analysis must map how ePHI enters, flows through, and exits the organization’s systems and must account for current threat intelligence, including phishing vectors.
Second, OCR’s Risk Analysis Initiative demonstrates the agency’s commitment to targeted enforcement. With eleven resolved matters to date, the agency has signaled that it will continue to prioritize this foundational requirement, particularly among smaller and mid-sized providers that may lack dedicated compliance resources.
Third, the underlying phishing attack highlights a persistent industry vulnerability. Even organizations that respond promptly to incidents remain exposed if they have not previously identified email systems as high-risk assets.
OCR outlined several safeguards that all covered entities and business associates should incorporate into their risk management programs:
- Identify the location of ePHI and map its flow within the organization’s information systems;
- Conduct periodic risk analyses and implement corresponding risk management measures;
- Maintain audit controls and perform regular reviews of information system activity;
- Deploy user authentication mechanisms;
- Encrypt ePHI both in transit and at rest where appropriate;
- Incorporate lessons learned from security incidents into the organization’s security management process; and
- Deliver role-specific, organization-tailored HIPAA training on a regular basis.
Closing Remarks
Covered entities and business associates should view the Treatment Center settlement as a catalyst for self-assessment. If you have not recently validated the adequacy of your HIPAA risk analysis, you should do so immediately to reduce the risk of unaddressed security vulnerabilities and data breaches.
If you would like to explore how Venus Caruso can assist you with your HIPAA compliance needs, reach out to schedule a complimentary consultation using the contact form or by emailing venus@carusolawoffice.com.
This post provides general information only and is not, and should not be, construed as legal advice or opinion for any individual matter or circumstance. Laws and regulations can change, and specific situations may require different approaches. Always consult a qualified attorney for advice tailored to your specific circumstances.
