Our colleagues at Data Law Insights have written about the HHS Office of Civil Rights’ $750,000 settlement with the University of Washington Medicine (“UWM”) announced this week. This third settlement in as many weeks confirms that the security risk analysis continues to be a linchpin of OCR enforcement under the HIPAA Security Rule. Indeed, the focus on risk assessments is not unique to OCR – a security risk analysis is also a CMS requirement under the Medicare/Medicaid EHR Incentive Programs. Throughout 2015, regulators (such as OIG, OCR, and others) appeared to be conducting a growing number of audit and enforcement activities related to IT security. To prevent future scrutiny for violations, health care entities should commit to performing and strengthening their security risk analyses in 2016.