
OCR Revisits Risk Management Under HIPAA

  • Writer: Jessica Zeff
  • Jan 23
  • 2 min read
[Illustration: HIPAA risk management workflow linking assessment, mitigation, and review under the Security Rule]

In late 2025, OCR publicly solicited questions from healthcare entities related to the risk‑management requirement under the HIPAA Security Rule.

The outreach accompanied a planned pre‑recorded video reviewing the regulatory requirements for risk management — including Risk Analysis and Risk Management processes — and how they tie into cybersecurity, compliance obligations, and recent investigations.


This is more than a gentle nudge. It reflects a broader enforcement posture: OCR’s risk‑analysis / risk‑management compliance initiative — launched in 2024 — has already resulted in multiple settlements and corrective actions for entities failing to conduct accurate, thorough risk assessments or to implement adequate risk mitigation.


Why This Matters: Risk Management Is the Foundation, and It’s Under Scrutiny


  • The Security Rule (45 C.F.R. § 164.308) requires covered entities and business associates to conduct an accurate and thorough risk analysis of ePHI, then implement and maintain appropriate risk‑management safeguards.


  • Yet OCR continues to find that many organizations treat risk analysis as a one‑time or perfunctory exercise — failing to update assessments, act on identified risks, or document risk‑management decisions.


  • Among the most common violations leading to financial penalties and corrective‑action plans in 2024–2025 have been failures related to risk analysis and risk management.


Put plainly: risk management is not optional — and the stakes are escalating.


What Compliance Programs Should Be Doing

Given OCR’s renewed focus, here are the critical actions compliance and security leaders should ensure are part of their programs now:


  1. Conduct (or update) a comprehensive, documented security risk analysis.

    • Cover all environments, systems, data flows, and ePHI use.

    • Include threats, vulnerabilities, likelihood, and potential impact.


  2. Translate risks into a formal risk‑management plan, with prioritized remediation, timelines, responsible parties, and status tracking. Document your decisions.


  3. Regularly review and update — especially after changes in technology, workforce, business processes, or third‑party relationships. Risk management is ongoing, not a one‑time checkbox.


  4. Use OCR’s resources — including the new Security Risk Assessment (SRA) Tool — which remains a free, useful starting point for small and mid-size entities.


  5. Document everything — risk analyses, mitigation efforts, decisions made, and residual risk. In enforcement reviews, OCR expects to see a clear “paper trail” showing that risks were identified, evaluated, and addressed.


What This Attention from OCR Signals


  • Risk management is rapidly becoming a top enforcement priority. Where past years emphasized breach investigations, OCR is now going “upstream” — penalizing inadequate risk frameworks before any breach occurs.


  • Small and medium‑sized practices are not exempt. OCR’s Risk Analysis Initiative has targeted a range of organizations, including smaller entities and non-traditional providers.


  • Good faith is no longer enough. Even absent a breach, failure to conduct a compliant risk analysis and to implement basic risk management can trigger enforcement.


  • Proactivity wins. By revisiting risk management now — before OCR audits or breach events — organizations can reduce regulatory, financial, and reputational risk.


Final Thought

OCR’s call for input on risk-management questions should be read not as a courtesy, but as a strategic signal: HIPAA compliance is evolving — and risk analysis/remediation are no longer windows of compliance, but doorways to accountability.

If your risk‑analysis program hasn’t been updated lately — or lacks documented follow‑through on mitigation — now is the time to act.
