HIPAA enforcement under Trump

The Trump administration continues HIPAA enforcement by settling investigations into compliance with the HIPAA Security Rule.

The most recent settlement was with Guam Memorial Hospital Authority (GMHA), a public hospital on the U.S. Territory, island of Guam, concerning a potential violation of the Security Rule, following the receipt of two complaints alleging that the electronic protected health information (ePHI) of GMHA patients was impermissibly disclosed.

Defend Against HIPAA Enforcement with Risk Analysis

According to the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) started an investigation after receiving a complaint in January 2019 alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 claiming that hacker(s) had accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.

OCR Acting Director Anthony Archeval noted:

“Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats.”

Under the resolution agreement, GMHA paid OCR $25,000 and agreed to implement a corrective action plan that OCR will monitor for three years.

Under the corrective action plan, GMHA has agreed to take steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
  • Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules;
  • Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
  • Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
  • Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been met.

HIPAA Enforcement Priorities

So far, HHS under the Trump administration is tracking enforcement priorities established under Trump’s first term and the recent Biden administration. The Right of Access Initiative began in 2019 under then-OCR Director Roger Severino. On March 6, 2025 HHS-OCR announced its 53rd HIPAA right of access enforcement action against Oregon Health & Science University.

The settlement with GMHA is OCR’s eleventh ransomware enforcement action and seventh risk analysis enforcement action since OCR launched its Risk Analysis Initiative in 2024.

The resolution agreement with GMHA is also the 10th HIPAA enforcement action HHS OCR has announced in 2025. However, the GMHA settlement, which was signed on February 6, appears to be the first enforcement action finalized by HHS OCR since the Trump administration took office. Nine other HIPAA enforcement actions announced in 2025 were finalized during the final months of the Biden administration.

Use the Security Rule to Fight HIPAA Enforcement

The central HIPAA compliance task to maintain a strong cybersecurity defense is the HIPAA risk analysis. This fundamental requirement will strengthen compliance with HIPAA’s Privacy, Security and Breach Notification Rules.

The HIPAA risk analysis Security Rule Checklist contains all the questions required by the Security Rule. Answer these 57 questions and you will have a much better understanding of your strengths and weaknesses and you can create an action plan to cover the gaps.

Free HIPAA Checklist
What best describes you?