CoreFolioHIPAA

What OCR actually wants in a risk analysis

HHS's Office for Civil Rights has now settled with dozens of practices for risk analysis failures. The pattern in their investigation letters and resolution agreements tells you exactly what they are looking for.


If you want to know what OCR looks for in a HIPAA risk analysis, the best source is not the regulatory text. The best source is the 30-plus resolution agreements OCR has published over the past decade — the documents that come out of investigations where practices failed.

Those agreements are public. They name what was wrong, what OCR required to fix it, and what the practice paid. Reading them is the fastest way to understand what "an accurate and thorough" risk analysis actually means to the regulators who enforce it.

This article summarizes the pattern.

The rule, restated plainly

45 CFR § 164.308(a)(1)(ii)(A) requires covered entities to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

Two standards show up repeatedly in OCR's enforcement letters: accurate and thorough. Those are the words OCR quotes when a risk analysis fails.

What "accurate" means in enforcement

In OCR's usage, accurate means the risk analysis reflects what your practice actually does — not what you wish it did, and not a generic template.

OCR has cited practices for using boilerplate risk analyses that did not account for their specific EHR, specific network setup, specific vendor relationships, or specific locations. A five-provider dental group in Phoenix should not submit the same risk analysis as a solo mental health practice in Vermont.

The settlement documents cite language like: "the risk analysis did not adequately identify all potential threats and vulnerabilities." In practice, this usually means the practice used a vendor-provided template, a generic online questionnaire, or a risk analysis prepared by someone who never visited or interviewed the practice's staff.

What "thorough" means in enforcement

Thorough means complete scope: all systems, all locations, all workflows that touch ePHI.

The most common thoroughness failures:

Missing transmission paths. A practice whose EHR is cloud-hosted still transmits ePHI over its internet connection, over email, to lab interfaces, to billing vendors. OCR looks for each of those to be addressed.

Missing workforce endpoints. Personal devices used for work — a physician's personal iPhone, a biller's home laptop, a front-desk tablet — are often omitted. If ePHI can reach the device (via the EHR portal, a work email account, a patient text), it is in scope.

Missing third-party systems. Billing companies, clearinghouses, telehealth platforms, cloud backup vendors, EHR hosts — each is a transmission endpoint for ePHI. The risk analysis needs to address the security of those paths, even if the vendor handles its own security.

Missing physical environments. Paper and other non-electronic PHI — fax machines, paper charts stored for transition-of-care, printed lab results left on a desk — is technically outside the Security Rule's electronic scope, but physical access to workstations and devices that hold ePHI is explicitly in scope under 45 CFR § 164.310. OCR uses physical access gaps as evidence that the overall security posture is inadequate.

The timing problem

In every Risk Analysis Initiative settlement, OCR has cited the age of the risk analysis. A risk analysis from 2018 does not satisfy the current requirement. The rule requires that the risk analysis reflect the covered entity's current environment — and practices' environments change every year (new EHR versions, new staff, new devices, new vendors).

The proposed 2026 rule (90 Fed. Reg. 898) would codify this as a mandatory annual requirement. The existing 2013 rule already requires periodic review when changes to the environment occur. Either way, a current dated document is what OCR expects.

"Current" in OCR's enforcement practice means dated within the past 12 months for most practices. If your practice has had significant changes — a new EHR, an acquisition, a new location — OCR may expect an update sooner.

The documentation requirement

45 CFR § 164.316(b)(1) requires covered entities to "maintain written policies and procedures" and to "implement a written explanation of the basis for not implementing" certain specifications. This documentation requirement applies to the risk analysis: you have to write it down.

A risk analysis conducted in someone's head and never documented is not a risk analysis for HIPAA purposes. OCR investigators ask to see the document. If you cannot produce it, the risk analysis did not happen.

The documentation needs to capture:

  • The scope (what systems and processes were examined)
  • The methodology (how threats and vulnerabilities were identified and assessed)
  • The findings (which risks were identified, at what likelihood and impact)
  • The planned responses (or a separate risk management plan)
  • The date it was completed and who was responsible

What investigators actually receive when they request documentation

When OCR opens an investigation, they send a data request letter — a list of documents they want to see. Risk analysis comes first. The standard language in those letters asks for:

"Policies and procedures for conducting and documenting risk analysis, along with copies of the most recent risk analysis."

"Most recent" is doing a lot of work in that sentence. If you have more than one (you should — one per year), they want the current one. If you have only one from five years ago, that is what they receive — and that is what gets cited in the resulting resolution agreement.

What a defensible analysis looks like

Based on the resolution agreements that have been made public, OCR considers a risk analysis defensible when it:

  • Is dated
  • Is signed or attributed to the responsible party
  • Names specific systems, vendors, and locations (not "our EHR" but the actual EHR product and vendor)
  • Identifies specific threats (ransomware, phishing, unauthorized access, device loss) — not generic categories
  • Rates each threat's likelihood and potential impact
  • Addresses each of the administrative, physical, and technical safeguard categories in 45 CFR §§ 164.308–164.312
  • Is accompanied by or references a risk management plan
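The documentation fields listed under "The documentation requirement" and the defensibility criteria above can be turned into a mechanical pre-check before the document is filed. The following is an added example, not part of the article and not a tool from the site that published it: a small Python completeness check over a risk analysis record. The record schema, the 1–5 likelihood/impact scale, the list of "generic" scope names, and every vendor, person and system name in the sample data are assumptions constructed for this example; the 12-month age limit and the three safeguard categories (45 CFR §§ 164.308, 164.310, 164.312) come from the article.

```python
"""Completeness check for a HIPAA risk analysis record.

Added example: the record layout, field names and sample data are assumptions
made for illustration, not the article's own material or a published tool.
"""
from dataclasses import dataclass
from datetime import date

# From the article: "current" means dated within the past 12 months.
MAX_AGE_DAYS = 365
# Safeguard categories every analysis must address (45 CFR 164.308 / .310 / .312).
SAFEGUARD_CATEGORIES = {"administrative", "physical", "technical"}
# Assumed list of scope entries OCR would treat as non-specific ("our EHR").
GENERIC_SCOPE_NAMES = {"our ehr", "ehr", "the network", "cloud", "vendor", "computers"}


@dataclass
class Threat:
    name: str          # specific threat, e.g. "Phishing credential theft"
    asset: str         # system, vendor or location from the scope list
    likelihood: int    # 1 (rare) .. 5 (expected)   -- assumed scale
    impact: int        # 1 (negligible) .. 5 (severe) -- assumed scale
    safeguard: str     # administrative / physical / technical
    response: str = "" # planned response; may live in a separate risk management plan

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class RiskAnalysis:
    completed_on: date
    responsible: str           # who signed / is attributed
    scope: list                # named systems, vendors and locations
    methodology: str           # how threats were identified and rated
    threats: list
    risk_management_plan: str = ""  # reference to a separate plan, if any


def findings(ra: RiskAnalysis, today: date) -> list:
    """Return the list of gaps that would make the record indefensible (empty = none)."""
    problems = []
    age = (today - ra.completed_on).days
    if age < 0:
        problems.append("completion date is in the future")
    elif age > MAX_AGE_DAYS:
        problems.append(f"risk analysis is {age} days old (older than 12 months)")
    if not ra.responsible.strip():
        problems.append("no responsible party named")
    if not ra.scope:
        problems.append("scope lists no systems, vendors or locations")
    for item in ra.scope:
        if item.strip().lower() in GENERIC_SCOPE_NAMES:
            problems.append(f"scope item '{item}' is generic; name the actual product, vendor or location")
    if not ra.methodology.strip():
        problems.append("methodology not described")
    if not ra.threats:
        problems.append("no threats identified")
    covered = set()
    for t in ra.threats:
        if not (1 <= t.likelihood <= 5 and 1 <= t.impact <= 5):
            problems.append(f"threat '{t.name}' has likelihood/impact outside 1..5")
        if t.asset not in ra.scope:
            problems.append(f"threat '{t.name}' references asset '{t.asset}' that is not in scope")
        covered.add(t.safeguard.strip().lower())
        if not t.response and not ra.risk_management_plan:
            problems.append(f"threat '{t.name}' has no planned response and no risk management plan is referenced")
    missing = SAFEGUARD_CATEGORIES - covered
    if missing:
        problems.append("no threats assessed under safeguard categories: " + ", ".join(sorted(missing)))
    return problems


def is_defensible(ra: RiskAnalysis, today: date) -> bool:
    return not findings(ra, today)


def ranked_risks(ra: RiskAnalysis) -> list:
    """Threats ordered by likelihood x impact, highest first (what the plan should address first)."""
    return sorted(ra.threats, key=lambda t: t.score(), reverse=True)


def sample_analyses():
    """Two constructed records: one meeting the criteria, one with the failures the article describes.
    All names are hypothetical."""
    ehr = "ExampleEHR Cloud (hypothetical vendor)"
    scope = [ehr, "Practice email tenant", "Main St. clinic", "Dr. Lee personal iPhone",
             "ClaimsCo billing service (hypothetical)"]
    good = RiskAnalysis(
        completed_on=date(2025, 3, 1), responsible="Practice Manager, J. Smith", scope=scope,
        methodology="Interviewed staff at each location, inventoried devices, rated each threat 1-5",
        threats=[
            Threat("Phishing credential theft", "Practice email tenant", 4, 4, "technical", "Enable MFA; staff training"),
            Threat("Ransomware on EHR host", ehr, 4, 5, "technical", "Confirm vendor backups; review BAA"),
            Threat("Loss of unencrypted personal phone", "Dr. Lee personal iPhone", 3, 4, "physical", "Require encryption and remote wipe"),
            Threat("Ex-employee retains EHR access", ehr, 2, 4, "administrative", "Termination checklist"),
        ],
        risk_management_plan="Risk Management Plan 2025 (hypothetical document)",
    )
    bad = RiskAnalysis(  # stale, unattributed, generic template with one vague threat
        completed_on=date(2018, 6, 15), responsible="", scope=["our EHR", "the network"],
        methodology="Completed vendor questionnaire",
        threats=[Threat("Hackers", "our EHR", 3, 3, "technical")],
    )
    return good, bad


if __name__ == "__main__":
    today = date(2025, 9, 1)  # fixed date so the run is reproducible
    for label, ra in zip(("good", "bad"), sample_analyses()):
        print(label, "defensible" if is_defensible(ra, today) else "gaps:", findings(ra, today))
    print("top risk:", ranked_risks(sample_analyses()[0])[0].name)
```

The check is deliberately strict about scope wording: a scope entry such as "our EHR" is flagged even though the rest of the record is filled in, because the article's point is that OCR treats template language as evidence the analysis was not specific to the practice. The date is passed in rather than read from the clock so the result of a review can be reproduced later.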

None of that requires a consultant. It requires organization and honesty about what your practice's environment actually looks like.


Sources: 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.316(b)(1) (documentation); HHS OCR resolution agreements (2024–2025), available at hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements; NPRM: 90 Fed. Reg. 898 (Jan. 6, 2025).