HIPAA Security Risk Analysis: What OCR Actually Expects to See

The Most Cited HIPAA Violation Is Also the Most Preventable

Year after year, the Office for Civil Rights (OCR) lists the failure to conduct an adequate security risk analysis as the single most common HIPAA Security Rule violation found during investigations and audits. It is not a technicality. OCR has levied multi-million dollar penalties against hospitals, physician practices, and business associates specifically because their security risk analysis was missing, superficial, or never updated. If you are a compliance manager or executive at a healthcare organization or a federal contractor that handles protected health information, understanding what OCR actually expects to see in a HIPAA security risk analysis is not optional — it is foundational.

This post cuts through the regulatory language and gives you a practical view of what a defensible security risk analysis looks like in 2026, based on OCR guidance, enforcement patterns, and what we see during client engagements at healthcare organizations of all sizes.

What the HIPAA Security Rule Actually Requires

The requirement comes directly from 45 CFR § 164.308(a)(1)(ii)(A), the Administrative Safeguards section of the HIPAA Security Rule. It states that covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit.

Three words in that sentence matter more than most compliance teams realize: accurate, thorough, and all. OCR does not accept a risk analysis that covers only your primary EHR system. It expects coverage of every environment, device, and workflow where ePHI exists — including mobile devices, cloud storage, email, third-party integrations, and remote access systems.

The Eight Elements OCR Expects in Every Security Risk Analysis

OCR published formal guidance on risk analysis requirements, and that guidance identifies eight specific elements that a compliant security risk analysis must address. If any of these are missing from your documentation, you have a material gap.

1. Scope of the analysis. The risk analysis must cover all ePHI regardless of the medium in which it is created, received, maintained, or transmitted, and regardless of the source or location of that ePHI.
2. Data collection. You must document where ePHI is stored, received, maintained, or transmitted — including all systems, applications, and physical locations.
3. Identify and document potential threats and hazards. This includes both technical threats (ransomware, unauthorized access, system failures) and non-technical threats (natural disasters, workforce errors, physical theft).
4. Identify and document vulnerabilities. Vulnerabilities are flaws or weaknesses in your systems, processes, or controls that could be exploited by a threat. This step must be based on actual evidence, not assumptions.
5. Assess current security measures. Document the controls already in place and evaluate whether they adequately reduce the likelihood and impact of identified threats exploiting identified vulnerabilities.
6. Determine the likelihood of threat occurrence. OCR expects a qualitative or quantitative rating — not simply a list of threats. You must assess how probable each threat-vulnerability combination is.
7. Determine the potential impact. Assess what the consequences would be if a threat successfully exploited a vulnerability. Impact should be evaluated against the confidentiality, integrity, and availability of ePHI.
8. Determine the level of risk. Combine likelihood and impact to assign a risk level to each identified vulnerability. This forms the basis for your risk management and remediation prioritization.

What OCR Finds Wrong During Investigations

Based on OCR resolution agreements and corrective action plans made public over the past several years, the most common deficiencies fall into a predictable set of categories. Understanding them helps you avoid the same pitfalls.

• Scope limitations. The analysis covered the primary EHR but omitted workstations, laptops, portable devices, cloud repositories, or affiliated locations.
• No threat identification methodology. The organization listed generic threats without tying them to specific systems or workflows.
• Missing vulnerability assessment. Many organizations confuse a vulnerability scan with a risk analysis. A scan identifies technical weaknesses; a risk analysis requires you to evaluate those weaknesses in the context of your operational environment and threat landscape.
• No risk ratings assigned. Simply listing threats without assigning probability and impact ratings does not satisfy OCR's requirement for determining the level of risk.
• Outdated analysis. OCR expects the risk analysis to be a living document, updated whenever there are significant changes to the environment — new systems, mergers, new workflows, or identified incidents. An analysis completed five years ago and never revisited is not compliant.
• No connection to a risk management plan. The risk analysis is only the first step. OCR also expects to see a risk management plan (45 CFR § 164.308(a)(1)(ii)(B)) that documents how identified risks will be reduced to a reasonable and appropriate level. The two documents must be connected.

Scope: The Most Dangerous Blind Spot

In nearly every engagement we conduct for healthcare clients, scope limitations are the first problem we identify. Organizations routinely overlook the following ePHI environments:

• Personal mobile devices used by clinical staff to access patient records
• Cloud storage platforms such as SharePoint, Google Drive, or Dropbox used informally by administrative staff
• Medical devices that transmit data to EHR systems
• Third-party billing and scheduling platforms with ePHI access
• Fax servers and legacy communication systems
• Backup and disaster recovery environments
• Remote desktop and VPN access logs

If your risk analysis does not account for every location and system where ePHI exists, it will not hold up under OCR scrutiny. Conducting an inventory of all ePHI flows before beginning the risk analysis is not optional — it is the prerequisite.

Documentation Standards OCR Expects

A HIPAA security risk analysis is not a checklist you fill out and file away. OCR expects documentation that demonstrates a deliberate, evidence-based process. Specifically, your risk analysis documentation should include:

• A written methodology explaining how threats, vulnerabilities, likelihood, and impact were identified and rated
• A complete ePHI inventory or data flow map
• Evidence of workforce involvement and subject matter input (not just an IT deliverable)
• Dated records showing when the analysis was completed and by whom
• References to the specific systems, applications, and physical locations evaluated
• A risk register or risk matrix documenting each identified risk with its likelihood, impact, and assigned risk level
• A signed acknowledgment or approval by senior leadership or a designated security official

If you are looking for a structured starting point, our HIPAA Privacy & Security Compliance resource for healthcare administrators covers the documentation framework in practical detail. We also offer a HIPAA Compliance Documentation Toolkit that provides ready-to-use templates aligned to OCR's expectations.

How Often Must You Conduct a Security Risk Analysis?

The HIPAA Security Rule does not specify a mandatory frequency for repeating the risk analysis. However, OCR's guidance and enforcement record make the expectation clear: the risk analysis must be reviewed and updated periodically and whenever significant operational or environmental changes occur. Triggers that require a review or update include:

• Implementation of a new EHR or clinical information system
• Merger, acquisition, or affiliation with another organization
• Expansion to new physical locations
• Adoption of new mobile or remote work technologies
• A security incident or breach
• Changes in workforce structure or third-party vendor relationships

A reasonable best practice, and one OCR has consistently rewarded during corrective action reviews, is to conduct a formal annual review and update the risk analysis whenever one of the above triggers occurs.

The Relationship Between Risk Analysis and Risk Management

One of the most consequential misunderstandings we see is treating the security risk analysis as the end of the process. It is the beginning. OCR requires a corresponding risk management plan that documents how your organization will implement security measures sufficient to reduce identified risks to a reasonable and appropriate level. The risk management plan must be tied directly to the risk analysis findings — risks identified must map to specific remediation actions, owners, timelines, and acceptable residual risk determinations.

This is why organizations that engage our risk assessment services receive not just an analysis deliverable but a prioritized remediation roadmap. The analysis without the management plan is a compliance liability, not a compliance asset.

Business Associates Are Not Exempt

The HIPAA Security Rule applies to business associates as fully as it applies to covered entities. If your organization provides services to hospitals, health plans, or other covered entities and handles ePHI in the process, you are required to conduct and maintain your own security risk analysis. OCR has pursued enforcement actions directly against business associates, and the penalties are the same. This is an area where federal contractors, managed service providers, and software vendors who support healthcare clients frequently underestimate their exposure.

Our IT compliance services help business associates build security programs that satisfy both HIPAA and any additional framework obligations they carry — including CMMC, DFARS, or FedRAMP requirements if they also serve federal clients.

Building a Defensible Risk Analysis Program

A defensible HIPAA security risk analysis is not a one-time project. It is a program component with defined methodology, scheduled reviews, documented outcomes, and a direct line to your organization's risk management decisions. Organizations that treat it as a compliance checkbox consistently struggle during OCR investigations. Organizations that treat it as a genuine security management tool consistently demonstrate the kind of good faith compliance posture that OCR rewards — even when incidents occur.

If your organization needs help building or strengthening its HIPAA security risk analysis program, our compliance program development services are designed specifically for organizations operating in regulated environments. Whether you are starting from scratch or rebuilding after an OCR finding, we bring the methodology, the documentation standards, and the leadership experience to get your program to a defensible state.

Consider pairing your risk analysis program with regulatory vCISO services to ensure ongoing oversight, annual review cycles, and executive-level accountability for your HIPAA security posture — without the cost of a full-time hire.

The Bottom Line

OCR does not expect perfection. It expects evidence of a genuine, documented, and sustained effort to identify and manage risk to ePHI. The organizations that get into trouble are almost never the ones with sophisticated security programs that experienced an unavoidable breach. They are the ones that could not produce a current, comprehensive risk analysis when OCR came knocking. Do not let that be your organization.

Ready to assess where your HIPAA security risk analysis program stands? Request a quote from Cleared Systems and speak directly with our compliance team about what a defensible risk analysis engagement looks like for your organization. You can also review our engagement models to find the right level of ongoing support for your compliance program.