If you have ever been through an OCR investigation — I have sat with clients through several — you learn quickly that there is a rhythm to it. There are documents they want almost immediately, before they want anything else. The first is your risk analysis. The second is proof that you trained your workforce. This year’s enforcement actions are practically a textbook on what happens when you cannot produce either.
In April, OCR announced four settlements at once, all stemming from ransomware attacks, totaling more than $1.1 million and covering the exposed records of 427,000 people. The detail that stops my students cold is from Assured Imaging, a medical imaging provider: OCR found they were unable to provide evidence that a risk analysis had ever been completed. Ever. Two hundred forty-four thousand patients’ records exposed, and there was no evidence the foundational document of the entire Security Rule had been done a single time. That alone drew a $375,000 penalty.
Why I bring up risk analysis in a training discussion
You might wonder why a guy who builds HIPAA training programs spends so much time on risk analysis. It is because the two are joined at the hip, and OCR treats them that way. A risk analysis identifies where your ePHI lives and how it could be exposed. HIPAA workforce training is one of the primary ways you then reduce the human risks the analysis surfaces. Skip the analysis and you are blind. Skip the training and you have diagnosed the disease but refused the treatment.
Look at how OCR worded the Assured Imaging cohort. In settlement after settlement they cited the risk analysis failure and, in the same breath, required the organization to implement workforce training as part of the corrective action plan. Training is not an afterthought in these resolutions. It is a named, required remedy.
The Consociate detail nobody should ignore
One of those four April settlements was a third-party administrator, Consociate Health, hit with a $225,000 penalty. The forensic timeline is the part I make people sit with: the ransomware was discovered in January 2021, but the investigation found the network had first been compromised six months earlier, through a phishing attack.
Six months. An attacker walked in through a phishing email, sat inside the network for half a year, and the ransomware was just the noisy finale. That entire chain started at the human layer — one person, one email, one moment of not recognizing a threat. No risk analysis on a shelf would have stopped that click. A trained, alert workforce is the control that has a chance to.
The second document trips up more people than the first
Here is my observation after thirty years in this field. Most organizations can eventually produce something they call a risk analysis, even if it is thin. Where I see more of them fall apart is the second request — proof of training. They will swear up and down that everyone was trained, and then they cannot produce a clean, complete, dated record showing the employee HIPAA training actually happened. The burden of proof is on them, and they fail to meet it.
This failure is almost always structural, not a discipline problem. When training is expensive per seat, organizations train inconsistently, document it haphazardly, and end up with records full of holes. The fix starts with making training cheap enough to do completely and routinely.
Bulk training that lets you cover your entire team for as little as $20 is what turns “we trained most people, I think” into “here is the complete roster, fully documented.” When there is no per-seat cost pressure, you deliver HIPAA training for multiple employees at once, you document everyone, and the second OCR request stops being something to fear.
A practical way I keep both documents audit-ready
- Do the risk analysis, genuinely, and let it tell you where your human risks are — then aim training at exactly those points
- Provide HIPAA training for healthcare employees across the entire workforce, not just the clinical staff, because lateral-movement attacks like the one at Consociate start anywhere
- Get new hires a baseline immediately through the free HIPAA training at HIPAA Training US before they touch a system
- Use live beginner sessions for people new to healthcare and courier-specific training for staff moving PHI between locations
- Keep a dated completion record for every single person, every year, so the second OCR request is a five-minute answer
Documentation is the proof, so treat it like evidence
I tell clients to think of their training records the way a litigator thinks about evidence: it has to be complete, dated, and credible. A pile of “trust me” does not survive scrutiny. I keep verifiable completion records for everyone, and for staff who reach a milestone I will give them a framed certificate — recognition for them, and one more tangible piece of the story that this organization actually does what it says.
The pattern is not subtle
Read the 2026 settlements end to end and the pattern writes itself. Risk analysis failures, phishing footholds, lateral movement, ransomware, and corrective action plans that mandate the workforce training that should have been there all along. OCR Director Stannard said it directly: implementing the Security Rule before a breach is your best opportunity to prevent or mitigate the damage. Training is the part of that you can stand up this week, affordably, for everyone.
The first thing they ask for is your risk analysis. The second is proof you trained your people. After thirty years, my advice is to make both answers boring — already done, fully documented, nothing to scramble for. Boring is what safe looks like in this business.