In addition, to being a regulatory requirement, conducting regular risk analyses is a furisk_business_cover_th.gifndamental business practice, yet organizations largely have been found lacking in this area.

Despite the many warnings from the Office for Civil Rights ("OCR") of the weaknesses uncovered during the 2013 HIPAA compliance audits, many  organizations have continue to ignore the HIPAA Security Rule requirement to conduct periodic risk assessments.