OCR Releases Video on HIPAA Security Rule Risk Management Requirements
Earlier this year, Paula M. Stannard, Director of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), provided an update on OCR’s enforcement priorities in 2026 and confirmed that OCR’s risk analysis enforcement initiative will continue, and that it will evolve to also target noncompliance with the risk management requirement of the HIPAA Security Rule.
The risk analysis provision – § 164.308(a)(1)(ii)(A) – requires HIPAA-regulated entities to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate.” OCR has previously issued guidance on the risk analysis requirement, and has issued a risk assessment tool for small- and medium-sized entities to guide them through the process of comprehensively assessing risks to ePHI.
A risk analysis is one of four required implementation specifications under the security management process of the administrative safeguards, the others being risk management, sanction policy, and information system activity review. The risk management implementation specification requires HIPAA-regulated entities to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Standards: General Rules] § 164.306(a).”
Risk management is an essential component of HIPAA Security Rule compliance and cybersecurity preparedness in general. Risk management – § 164.308(a)(1)(ii)(B) – is a critical step toward defending against cyberattacks, which is why OCR has expanded its enforcement initiative to cover risk management. When OCR investigates a data breach or complaint, the regulated entity will need to demonstrate that it has conducted a comprehensive and accurate risk analysis and has acted on the findings of that analysis to reduce risks and vulnerabilities to a reasonable and appropriate level.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
To help HIPAA-regulated entities manage risks and vulnerabilities, OCR has recorded a risk management video. In the video, Nicholas Heesters, OCR’s Senior Advisor for Cybersecurity, explains the HIPAA risk management requirements and provides examples of potential risk management violations identified during OCR’s investigations of data breaches. In December 2025, OCR requested questions from HIPAA-regulated entities on risk management, and has provided answers to a selection of those questions in the video. The video also shares important resources to help HIPAA-regulated entities comply with this important HIPAA Security Rule requirement. You can view the video on OCR’s YouTube channel.
