HIPAA Security Risk Analysis in 2026: Updated Guidance and What Has Changed

What the Updated OCR Guidance Actually Changes

The Office for Civil Rights has made it unambiguous: a completed, documented, and organization-specific HIPAA security risk analysis remains the single most cited deficiency in enforcement actions and corrective action plans. That has not changed. What has changed heading into 2026 is how OCR expects that analysis to be conducted, documented, and acted upon—and the bar is meaningfully higher than it was three years ago.

In late 2024, HHS finalized significant amendments to the HIPAA Security Rule—the first substantive update in over a decade. The final rule, which took effect in 2025 with phased compliance deadlines extending into 2026, introduces specific, prescriptive requirements that replace much of the discretion previously afforded to covered entities and business associates. If your organization conducted a security risk analysis under the old interpretive framework and has not revisited it since, you are almost certainly out of alignment with current expectations.

This post outlines what has materially changed, what OCR is specifically looking for, and how compliance managers and executives at healthcare organizations should respond right now.

The Core Requirement Has Not Changed—But the Expectations Have

The HIPAA Security Rule at 45 CFR § 164.308(a)(1) has always required covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). That obligation is unchanged.

What has changed is the specificity with which OCR now expects organizations to execute that requirement. The 2024–2025 rulemaking codified several practices that were previously treated as best practices or interpretive guidance into mandatory requirements. Key changes include:

  • Inventorying all ePHI assets: Organizations must now maintain and review a documented inventory of all technology assets that create, receive, maintain, or transmit ePHI. This inventory must be reviewed and updated at least annually and whenever a relevant change occurs.
  • Network mapping: A current, accurate map of the network and the movement of ePHI across systems is now an explicit requirement, not merely a recommended practice.
  • Threat and vulnerability identification: The analysis must identify reasonably anticipated threats to ePHI with specificity—generic threat categories are no longer sufficient.
  • Risk assessment frequency: A risk analysis must be conducted at least annually and upon any significant environmental or operational change, such as the adoption of a new EHR platform, a merger, or a cloud migration.
  • Workforce access reviews: The rules now explicitly require periodic review of which workforce members have access to ePHI and whether that access remains appropriate and necessary.

For a detailed look at what OCR specifically expects to see in a compliant analysis, our post on HIPAA security risk analysis: what OCR actually expects is worth reviewing alongside this update.

What a Compliant HIPAA Security Risk Analysis Must Include in 2026

Based on the updated rule and OCR's published enforcement priorities, a defensible security risk analysis in 2026 must address the following components with documented evidence for each:

  1. Scope definition: A clearly articulated scope that encompasses all ePHI regardless of the medium or system on which it resides—including cloud systems, third-party applications, and mobile devices.
  2. Asset inventory and network map: A current, documented inventory of all information systems touching ePHI, with a network diagram reflecting data flows.
  3. Threat identification: Identification of threats specific to your organization's environment—not a generic list. This includes technical threats such as ransomware and phishing, environmental threats, and human threats including insider risk.
  4. Vulnerability identification: Documentation of existing technical, administrative, and physical vulnerabilities, supported by evidence such as vulnerability scan results, gap assessments, and policy reviews.
  5. Likelihood and impact assessment: A documented methodology for evaluating the likelihood that each identified threat will exploit each identified vulnerability, and the potential impact on ePHI confidentiality, integrity, and availability.
  6. Risk level determination: A risk rating for each identified risk, using a documented and reproducible methodology.
  7. Risk management plan: A documented plan for implementing security measures sufficient to reduce identified risks to a reasonable and appropriate level, with assigned ownership and timelines.
  8. Ongoing review and update process: Documentation showing how and when the analysis will be reviewed and updated, and who is responsible for maintaining it.

Organizations that have historically relied on a one-time or sporadic analysis should understand that OCR now treats the risk analysis as a continuous programmatic activity, not a point-in-time exercise.

The Enforcement Signal You Should Not Miss

OCR's enforcement settlements over the past 24 months have clustered heavily around two failure patterns: incomplete or outdated risk analyses, and a documented failure to act on identified risks. Both are directly addressable through a structured compliance program.

The agency has also signaled increased scrutiny of business associates, not just covered entities. If your organization provides services to healthcare systems or processes ePHI on behalf of covered entities, your own security risk analysis is subject to the same standards. The 2024 rule changes apply to business associates in full.

Healthcare organizations that want to understand the broader compliance landscape should review our healthcare industry compliance resources for context on how these requirements intersect with other regulatory obligations.

Common Deficiencies OCR Investigators Find

Based on enforcement actions and corrective action plan documentation, the most frequently cited deficiencies in security risk analysis findings include:

  • Risk analyses that were conducted once and never updated following system changes or new technology adoption
  • Scope limited to primary EHR systems while excluding ancillary applications, cloud storage, medical devices, and third-party data processors
  • Threat identification consisting only of generic categories without specificity to the organization's actual operating environment
  • No documented risk ratings or prioritization methodology
  • Risk management plans that list remediation actions but have no assigned owners, deadlines, or follow-up documentation
  • No evidence that executive leadership reviewed or approved the risk analysis findings

Each of these deficiencies is curable with a structured program. The challenge is that many organizations do not realize they have them until they are already under OCR investigation or responding to a breach.
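As an added illustration (not code from the original post) of the documented, reproducible rating methodology called for in components 5 and 6 above, and of the register checks that would surface the deficiencies just listed, the following Python models a small risk register and flags each entry's gaps. The RiskEntry fields, the 1-to-3 likelihood and impact scale, the score-to-level table, and the sample register for a fictional clinic are all constructed assumptions, not values prescribed by the rule.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed, hypothetical model: the 1-3 scale and score-to-level table are illustrative assumptions, not rule values.
RISK_LEVELS = {1: "Low", 2: "Low", 3: "Medium", 4: "Medium", 6: "High", 9: "Critical"}
GENERIC_THREATS = {"cyber attack", "hacking", "malware", "unauthorized access"}

@dataclass
class RiskEntry:
    asset: str                  # ePHI asset from the inventory
    threat: str                 # must be specific to this environment, not a category
    vulnerability: str
    likelihood: int             # 1 (low) .. 3 (high)
    impact: int                 # 1 (low) .. 3 (high)
    owner: str | None = None
    due: date | None = None
    last_reviewed: date | None = None
    last_asset_change: date | None = None

def deficiencies(e: RiskEntry, today: date) -> list[str]:
    """Flag the documentation gaps from the deficiency list above for one entry."""
    found = []
    if e.threat.strip().lower() in GENERIC_THREATS:
        found.append("generic threat")
    if not e.owner:
        found.append("no owner")
    if e.due is None:
        found.append("no deadline")
    if e.last_reviewed is None or today - e.last_reviewed > timedelta(days=365):
        found.append("review older than 12 months")
    elif e.last_asset_change and e.last_asset_change > e.last_reviewed:
        found.append("not updated after asset change")
    return found

def prioritize(register: list[RiskEntry], today: date) -> list[tuple[str, str, list[str]]]:
    """Rank entries by likelihood x impact (highest first) with level and deficiencies."""
    ranked = sorted(register, key=lambda e: e.likelihood * e.impact, reverse=True)
    return [(e.asset, RISK_LEVELS[e.likelihood * e.impact], deficiencies(e, today)) for e in ranked]

# Constructed sample register for a fictional clinic, reviewed on a fixed date.
TODAY = date(2026, 1, 15)
SAMPLE_REGISTER = [
    RiskEntry("Cloud EHR", "ransomware via phished clinician credentials", "MFA not enforced",
              3, 3, owner="CISO", due=date(2026, 3, 31), last_reviewed=date(2025, 11, 1)),
    RiskEntry("Radiology file share", "cyber attack", "unencrypted SMB share", 2, 3,
              last_reviewed=date(2024, 10, 1)),
    RiskEntry("Billing SaaS", "vendor account compromise", "no periodic access review", 2, 2,
              "Compliance Mgr", date(2026, 6, 30), date(2025, 8, 1), date(2025, 12, 1)),
]
```

Running `prioritize(SAMPLE_REGISTER, TODAY)` ranks the EHR entry as Critical with no gaps, the file share as High with four of the deficiencies above, and the billing system as Medium because its review predates the last asset change.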

How the Updated Rule Affects Your Risk Management Program

The 2024 Security Rule amendments did more than add specificity to the risk analysis requirement. They also introduced or tightened requirements in areas that directly affect how risk analysis findings get implemented:

  • Encryption: The updated rule removes the "addressable" designation from encryption for ePHI at rest and in transit, making it effectively mandatory for most covered entities and business associates.
  • Multi-factor authentication (MFA): MFA is now required for access to ePHI, with limited exceptions documented in the risk analysis.
  • Backup and recovery: Requirements for data backup, restoration, and contingency testing are now more specific, with required testing intervals.
  • Audit controls: Technical audit log requirements are more prescriptive, with minimum retention standards now specified in the rule.

These changes mean that a security risk analysis conducted under the pre-2025 framework very likely did not fully identify the risks in these specific areas. A gap assessment against the updated rule requirements is a necessary first step for most organizations.

For organizations building or rebuilding a compliance program around these requirements, our compliance program development services provide a structured approach that addresses both the risk analysis itself and the broader security program changes required by the updated rule.

If Your Organization Operates Across Multiple Regulatory Frameworks

Many healthcare organizations—particularly those with federal contract relationships or research functions—are subject to overlapping frameworks. Defense contractors in the healthcare supply chain may face HIPAA and CMMC obligations simultaneously. Research institutions may be subject to HIPAA, FISMA, and export controls at the same time.

In these environments, the HIPAA security risk analysis does not exist in isolation. It must be coordinated with broader enterprise risk management activities to avoid redundant work and compliance gaps. Our team supports organizations navigating this complexity through regulatory vCISO services designed specifically for multi-framework compliance environments.

Organizations looking to build their internal knowledge base can also benefit from our HIPAA Privacy and Security Compliance guide for healthcare administrators, which has been updated to reflect the current regulatory environment.

What Compliance Managers Should Do Right Now

If you are responsible for HIPAA compliance at a covered entity or business associate, here is a practical near-term action list based on the 2026 regulatory posture:

  1. Review your most recent security risk analysis against the updated rule requirements and identify gaps, particularly around asset inventory, network mapping, and threat specificity.
  2. Confirm that your analysis covers all systems touching ePHI, including cloud applications, medical devices, and third-party processors.
  3. Assess whether encryption, MFA, and audit log requirements are currently met, and document findings in an updated risk register.
  4. Establish or verify a schedule for annual risk analysis updates, with triggers defined for off-cycle reviews.
  5. Confirm executive review and sign-off on the most recent risk analysis and ensure that documentation is retained.
  6. Verify that your risk management plan has assigned owners, documented timelines, and a review cadence.

For additional technical depth on the step-by-step process, our guide on how to conduct a HIPAA risk assessment for covered entities walks through the methodology in detail.

The Bottom Line

The HIPAA security risk analysis is no longer a compliance checkbox. Under the updated 2024–2025 rule, it is a living programmatic activity with specific documentation requirements, mandatory components, and annual obligations. OCR has made clear through its enforcement posture that an inadequate risk analysis is grounds for significant civil monetary penalties, and that the argument "we didn't know what was expected" is no longer available.

Organizations that invest in a properly scoped, documented, and maintained security risk analysis will be better positioned in enforcement proceedings, better prepared for breach response, and more effective at actually protecting patient data. Those that continue to treat it as a periodic formality are exposed in ways that will become increasingly difficult to defend.

If your organization needs support conducting or updating a HIPAA security risk analysis that meets current OCR expectations, Cleared Systems can help. Request a quote to speak with our compliance team about your organization's specific situation, or explore our engagement models to understand how we structure healthcare compliance engagements.
