In October 2024, OCR launched what it called its “Risk Analysis Initiative” — a targeted enforcement campaign aimed squarely at one of the most commonly botched rules in HIPAA. Within six months, they’d already collected settlements from eight healthcare groups, pulling in nearly $900,000 in penalties.
The amounts ranged from $25,000 to $350,000. The organizations ranged from Bryan County Ambulance Authority in Oklahoma to Northeast Radiology in the Northeast. What they all had in common: OCR investigators found they had failed “to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic PHI.”
That’s the language of 45 CFR 164.308(a)(1)(ii)(A). It’s also the language OCR used in every single enforcement action.
By mid-2025, the effort had expanded to 10 enforcement actions totaling over $5.6 million in combined settlements and civil money penalties (CMPs). Then in January 2026, OCR announced the effort is growing again. Risk analysis alone isn’t enough anymore. Now they’re adding risk management to the scope — which means they want to see not just that you identified risks, but that you actually did something about them.
If your last risk analysis was a PDF you got from the internet three years ago, you have a problem.
Why Most HIPAA Risk Analyses Fail OCR Review
Here’s the thing: HIPAA has required risk analysis since 2003. It’s not a new rule. Yet it remains the most common finding in OCR investigations and audits — year after year, for over two decades.
The reasons are predictable:
It was done once and forgotten. Someone ran through the HHS Security Risk Assessment (SRA) tool, saved the PDF, and filed it away. That was 2018. Nothing has changed since then — or if things did change (new EHR, remote work policy, cloud storage), the risk analysis wasn’t updated to reflect it.
It was too vague to be useful. “We might get hacked” is not a risk analysis. OCR wants to see specific threats, specific vulnerabilities, specific likelihood ratings, and a specific plan to address them.
There’s no remediation plan attached. This is the gap OCR is specifically targeting in 2026. You can identify every risk perfectly and still get fined if you can’t show that you took action to reduce those risks to an acceptable level.
It didn’t cover all ePHI. The rule applies to all electronic PHI your organization creates, receives, maintains, or transmits. That means your EHR system, yes — but also the billing software, the patient portal, the shared Google Drive folder someone set up during COVID, the old laptop in the back office, and the tablets used at the front desk.
What OCR Investigators Actually Look For in a Security Risk Analysis
When an OCR investigator shows up (or requests documentation), they’re looking for a few specific things:
- A documented, current risk analysis that covers your entire organization
- Evidence of a risk management plan with specific controls and timelines
- Documentation that the plan was actually implemented — not just written
- A process for reviewing and updating the analysis on a set schedule
“Periodic” is intentionally vague in the rule, but as a practical matter, you should revisit your risk review any time there’s a major change — new software, new location, new staff policies, a merger, a security incident — and at minimum once a year.
The 7-Step HIPAA Risk Analysis Process
Here’s how to do a risk analysis that will hold up to OCR scrutiny.
Step 1: Define Your Scope — Map Every Place ePHI Lives
Before you can assess risk, you need to know what you’re protecting. Map out every place ePHI lives:
- EHR/EMR systems
- Practice management and billing software
- Email systems (including personal email if staff use it for patient communication)
- Cloud storage (Google Drive, Dropbox, OneDrive)
- Mobile devices — phones, tablets, laptops
- Physical servers or workstations
- Third-party portals (labs, imaging, pharmacy)
- Backup systems
- Business associate systems — your vendors’ systems that hold your patient data
Document every system. This is your asset inventory, and it’s the foundation everything else builds on. According to OCR’s January 2026 guidance, failure to inventory all systems storing ePHI is one of the most common risk analysis gaps.
Step 2: Identify Threats to Your ePHI
A threat is anything that could cause harm to your ePHI. Think in categories:
Technical threats: Ransomware, phishing attacks, unauthorized access, malware, software vulnerabilities, failed backups. The UMMC ransomware attack that shut down 35 clinics started with a single phishing email.
Human threats: Employees accidentally emailing PHI to the wrong person, stolen devices, a disgruntled employee misusing access, a vendor employee snooping.
Environmental threats: Power outages, natural disasters, hardware failure, a burst pipe in the server room.
You don’t need to list every conceivable scenario. You need to list the ones that are realistically possible given your setting, your location, and your operations.
Step 3: Identify Vulnerabilities in Your Current Security
A vulnerability is a weakness that a threat could exploit. For each threat you’ve identified, ask: what makes us susceptible to this?
Examples:
- Employees reuse passwords (vulnerable to credential-based attacks)
- No MFA on remote access (vulnerable to unauthorized login — this is exactly how Change Healthcare was breached)
- No staff security training in 18 months (vulnerable to phishing)
- Outdated Windows systems that no longer receive patches (vulnerable to malware)
- No documented process for revoking access when staff leave (vulnerable to insider threat)
Be specific. “Poor security” is not a vulnerability. “No multi-factor authentication on the EHR portal” is.
Step 4: Rate the Risks by Likelihood and Impact
For each threat/vulnerability pair, assign two scores:
Likelihood: How probable is it that this threat will actually occur? Rate it Low / Medium / High. Factor in your environment, your industry’s current threat landscape, and any past incidents.
Impact: If this threat did occur, how bad would it be? Rate Low / Medium / High based on the number of patients affected, the sensitivity of the data, and the operational impact.
Combine these into an overall risk rating:
| | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium | High | Critical |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
This gives you a ranked list — the critical and high risks need to be handled first.
Step 5: Document Your Current Security Controls
For each risk, note what controls you already have in place. Encryption? Access controls? Audit logs? Staff training? Document what exists and assess whether it’s actually enough.
This step matters because it shapes your remediation plan. If you already have strong controls for a particular risk, your residual risk (after controls) may be acceptable. If your controls are weak or absent, that’s where you need to invest.
Don’t confuse having a tool with having a control. Owning antivirus software that hasn’t been updated in six months isn’t a control — it’s a liability. OCR looks at whether protections are implemented and maintained, not just purchased.
Step 6: Build a Risk Management Plan (The Part OCR Now Requires)
This is the step OCR is now explicitly adding to their enforcement scope as of 2026. Every risk rated Medium or above needs a documented plan:
- What control will you implement to reduce this risk?
- Who is responsible for implementing it?
- What is the deadline?
- What is the target risk level once the control is in place?
Your remediation plan doesn’t have to fix everything at once. It has to be realistic and actually followed. An aggressive plan you don’t execute is worse than a modest plan you do — because it shows OCR you knew about the risks and did nothing.
Remember: “addressable” doesn’t mean “optional” under HIPAA. If a safeguard is addressable, you must implement it, implement an equivalent alternative, or document why it’s not reasonable and appropriate for your environment. You can’t just skip it.
Step 7: Document, Review, Repeat
Save everything. The risk analysis document, the asset inventory, the risk ratings, the remediation plan, and — critically — evidence that you implemented the controls you committed to.
Set a calendar reminder to review annually, and any time something major changes. Keep prior versions — OCR wants to see that your risk analysis is a living process, not a one-time event.
The Risk Analysis Mistakes That Lead to Six-Figure HIPAA Fines
Bryan County Ambulance Authority paid $90,000 after a ransomware attack encrypted patient records for 14,273 people. OCR found they hadn’t done a proper risk analysis — meaning they had vulnerabilities they didn’t know about and therefore hadn’t fixed.
Rio Hondo Community Mental Health Center in California paid $100,000. Same finding.
Northeast Radiology paid $350,000 after a breach went undetected for 10 months and affected 298,532 patients. Same finding.
BayCare Health System paid $800,000 for Security Rule failures tied to insider threats — another case where a missing risk analysis was the root cause.
In each case, a proper risk analysis wouldn’t just have satisfied OCR — it would likely have identified and addressed the specific vulnerabilities that led to the breach in the first place. The fine was the cost of not doing the work upfront.
The pattern is clear: OCR isn’t just penalizing breaches. They’re penalizing the failure to look. If you never ran a proper risk analysis and a vendor gets hacked, you’re not landing in Tier 1 of the penalty structure — you’re looking at Tier 2 or worse.
Free Tools That Help With HIPAA Risk Analysis
HHS offers a free Security Risk Assessment (SRA) tool at healthit.gov. Version 3.6 was released in 2025 with updated guidance. It’s designed for small to medium practices and walks you through the process step-by-step.
It’s not perfect — OCR has noted that using template forms or generic tools without customizing them to your specific operations is itself a common gap. But it’s free, it covers the required elements, and it generates documentation you can show OCR.
For larger organizations or anyone who’s had a security incident, a formal third-party risk assessment from a qualified firm is worth the investment. The cost is almost always less than even a small OCR settlement.
Related Reading
- HIPAA Fines Just Went Up — New Penalty Amounts for 2026 — What you’ll pay if OCR finds risk analysis gaps
- $6.6 Million in HIPAA Fines in 2025 — Most of these fines traced back to missing risk analyses
- Your Vendor Got Hacked — Now What? — The response plan that depends on having done this risk analysis first
- Why “Addressable” Doesn’t Mean “Optional” — The compliance myth that undermines risk management plans
- The affordable HIPAA Compliance Starter Kit — Everything a small practice needs, including a guided risk assessment
Need help getting your risk analysis done right — the first time? One Guy Consulting offers affordable HIPAA compliance packages, including a guided risk assessment process, policy documentation, and a risk management plan that satisfies OCR’s 2026 requirements.