Key Takeaways

  • OCR is expanding its Risk Analysis Initiative to include demonstration of compliance with the HIPAA Security Rule’s risk management requirement.
  • Framework assessments, maturity reviews, and third-party certifications may be useful inputs, but are not a substitute for compliance with the Security Rule itself.
  • OCR’s scrutiny will continue to focus on whether an organization documents and implements security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level.

Risk Analysis vs. Risk Management: OCR’s Core Points

In April 2026, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) released “Risk Management Under the HIPAA Security Rule,” a YouTube presentation addressing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule’s risk management requirement. Although framed as educational outreach rather than regulatory guidance, the presentation nonetheless delivers insight into OCR’s Security Rule enforcement agenda.

The practical message is straightforward: OCR expects covered entities and business associates (i.e., regulated entities) to act on the results of the risk analysis and to demonstrate that the identified risks are being addressed through implemented safeguards.

Risk Identification Is Only the Beginning

The Security Rule treats the security risk analysis and risk management plan as separate but interdependent requirements. The risk analysis requirement obligates a covered entity or business associate to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” (ePHI) held by a covered entity. Risk management, in turn, requires the entity to “[i]mplement security measures sufficient to reduce [identified] risks and vulnerabilities to a reasonable and appropriate level.”

Together, the security risk analysis and risk management plan (“SRA/RMP”) help make an entity “compromise ready.” A security controls assessment, standing alone, says little about risk if it is divorced from the systems, data flows, and operational dependencies that matter to the organization, whether it is a hospital with a vast ePHI footprint or a startup business associate. An interdependent SRA/RMP is more effective because the security risk analysis captures (1) how ePHI moves through an organization’s environment; (2) which processes are mission critical; (3) what threats are reasonably anticipated in that setting; and (4) whether existing safeguards sufficiently reduce those risks in practice. The corresponding risk management plan is a road map for the entity to systematically address the identified risks and plan the short-term and long-term resources needed for its implementation.

An integrated SRA/RMP is especially important for organizations managing complex ePHI asset inventories, legacy systems, acquired operations and/or multiyear enhancement road maps. As noted in the YouTube presentation, OCR views risk management not as the immediate elimination of every identified risk, but rather as evidence that the organization has prioritized risks in a reasoned way, documented those decisions, and tied planned security initiatives to the probability and potential impact of the risks to ePHI. In this way, the Security Rule’s flexible framework permits the consideration of factors such as the organization’s size, technical infrastructure, and budget – provided that flexibility is not used as a basis for avoiding the necessary expenditures on safeguards altogether.

NIST Alignment, Gap Assessments and Certifications

A related issue is the extent to which some regulated entities rely on cybersecurity framework assessments or certifications as proof of HIPAA compliance. OCR’s recent messaging underscores that such reliance can be a mistake. A National Institute of Standards and Technology (NIST) mapping exercise, International Organization for Standardization (ISO) review, or consultant-issued statement that an entity is “HIPAA compliant” may inform broader compliance efforts, but none of those outputs independently establishes Security Rule compliance. We have seen clients taken by surprise when an OCR investigation identifies security deficiencies after the client has paid for a NIST mapping exercise or obtained HITRUST certification, thinking it was not only sufficient for HIPAA compliance, but actually superior to it.

To be clear, OCR’s video message is not anti-framework; in fact, OCR permits entities to demonstrate the implementation of recognized security practices aligned with NIST or the 405(d) Health Industry Cybersecurity Practices as a way to mitigate penalties during an investigation. Rather, OCR is clarifying that these exercises, like conducting penetration testing, are useful inputs only to the extent they are integrated into an organization-specific process for identifying risks. As outlined in the YouTube presentation, and as reflected by our own experience with OCR, this process should include:

  • Documented, reasoned remediation decisions
  • The implementation of related safeguards
  • A review of the effectiveness of those safeguards over time

Practical Takeaways – the SRA/RMP

Covered entities and business associates should treat the security risk analysis and risk management process as a continuing governance function rather than a one-time deliverable. That is the shift reflected in OCR’s recent messaging, and it is the point HIPAA regulated entities should take seriously.

Organizations seeking to bolster their own SRA/RMP process should:

  • Ensure the security risk analysis is based on a comprehensive ePHI asset inventory.
  • Confirm there is a documented process for prioritizing and remediating identified risks.
  • Ensure remediation decisions are tied to likelihood/impact and implementation status.
  • Review and update the risk management plan as technologies, threats, and operations change.
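The four points above, expressed as a small risk-register check; this is an added illustration, not OCR's or the authors' material, and the 1..3 likelihood/impact scale, the inventory entries, the register rows and the 365-day review window are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed 1..3 (low/medium/high) scales; the Security Rule prescribes no scale.
@dataclass
class Risk:
    risk_id: str
    asset: str                  # entry from the ePHI asset inventory
    description: str
    likelihood: int             # 1 (low) .. 3 (high)
    impact: int                 # 1 (low) .. 3 (high)
    decision: str = ""          # documented remediation decision, empty if none
    status: str = "open"        # open / in_progress / implemented / accepted
    last_reviewed: Optional[date] = None
    def score(self) -> int:
        return self.likelihood * self.impact

AS_OF = date(2026, 5, 1)                                   # constructed review date
EPHI_INVENTORY: Set[str] = {"EHR-DB", "BILLING-SFTP", "LEGACY-IMAGING"}  # constructed
SAMPLE_RISKS: List[Risk] = [                               # constructed register
    Risk("R1", "EHR-DB", "backups stored unencrypted", 2, 3,
         "mitigate: encrypt backup volumes", "in_progress", AS_OF - timedelta(days=30)),
    Risk("R2", "LEGACY-IMAGING", "unsupported OS, no vendor patches", 3, 3,
         "", "open", AS_OF - timedelta(days=400)),
    Risk("R3", "VENDOR-PORTAL", "weak session timeout", 1, 2,
         "accept: low exposure, contractual controls", "accepted", AS_OF - timedelta(days=10)),
]

def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest likelihood x impact first; ties broken by id for a stable plan order."""
    return sorted(risks, key=lambda r: (-r.score(), r.risk_id))

def gaps(risks: List[Risk], inventory: Set[str], as_of: date,
         max_review_age_days: int = 365) -> List[Tuple[str, str]]:
    """Flag register entries that fail the inventory, decision, status or review checks."""
    findings: List[Tuple[str, str]] = []
    for r in risks:
        if r.asset not in inventory:
            findings.append((r.risk_id, "asset missing from ePHI inventory"))
        if not r.decision:
            findings.append((r.risk_id, "no documented remediation decision"))
        if r.status == "open" and r.score() >= 6:
            findings.append((r.risk_id, "high-scoring risk with no remediation underway"))
        if r.last_reviewed is None or (as_of - r.last_reviewed).days > max_review_age_days:
            findings.append((r.risk_id, "review overdue"))
    return findings
```

Calling `prioritize(SAMPLE_RISKS)` orders the plan R2, R1, R3, and `gaps(SAMPLE_RISKS, EPHI_INVENTORY, AS_OF)` returns the register rows that lack an inventory link, a documented decision, remediation progress, or a recent review.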

The BakerHostetler Healthcare Privacy and Compliance (HPC) team has guided thousands of HIPAA regulated entities through OCR investigations and provides practical, effective support in helping entities conduct and document their SRA/RMP. Please reach out to Kimi Gordy, HPC lead Lynn Sessions or your BakerHostetler attorney for more information.