Indeed. This is likely a semantic issue, and those who are stating there is no annual requirement, while completely accurate, are also, in my opinion, misleading. But Frank and I have had this discussion before. :)
If you participate in CMS p4p programs, you are required to attest, on an annual basis, that you have done a security risk analysis. Those SRAs include measuring your program against HIPAA Security Rule standards.
You are also required to do an assessment whenever you have a material change to your system, but most folks don't do it every time IT or one of your vendors changes something; instead they do so on an annual basis. So, yeah, there is no requirement under HIPAA to do an annual assessment, but you are likely required to assess against HIPAA on an annual basis.