OCR Releases Video Presentation on HIPAA Risk Management

The Department of Health and Human Services’ Office for Civil Rights (OCR) has expanded its HIPAA risk analysis enforcement initiative to include risk management. A risk analysis is essential for identifying risks and vulnerabilities to electronic protected health information (ePHI). If a risk analysis is not conducted, or if it is incomplete, risks are likely to remain that can be exploited by threat actors to access networks and computer systems containing ePHI.

After identifying risks and vulnerabilities to ePHI, the HIPAA Security Rule requires regulated entities to manage the risks identified by the risk analysis and reduce them to a reasonable and appropriate level. Risk management is essential for HIPAA Security Rule compliance and vital for cybersecurity. If risks are properly managed and reduced, it will be much harder for unauthorized individuals to access ePHI. The risk analysis and risk management implementation specifications of the security management process can be found in § 164.308(a)(1)(ii)(A) and § 164.308(a)(1)(ii)(B).

OCR has previously issued guidance on the risk analysis, including a video presentation explaining the risk analysis requirements of the HIPAA Security Rule. OCR, in conjunction with ONC, has also produced a risk assessment tool that guides regulated entities through the process of assessing risks and vulnerabilities to ePHI. On April 8, 2026, OCR released a new video presentation on risk management, which clearly explains the requirements for risk management under HIPAA. In the video, Nicholas Heesters, Senior Advisor for Cybersecurity at OCR, provides examples of risk management failures identified by OCR during its data breach investigations – common areas where risks have not been effectively managed, resulting in an intrusion and data breach.

When OCR initiates an investigation of a data breach, which it does for all reports of data breaches impacting 500 or more individuals, a regulated entity will be asked to produce evidence demonstrating that a comprehensive, accurate, organization-wide risk analysis has been conducted. OCR will look at the findings of the risk analysis and will need to be provided with documentation demonstrating that the risks and vulnerabilities to ePHI identified by the risk analysis have been addressed and reduced to a reasonable and appropriate level. As we have seen with risk analysis failures under this enforcement initiative, OCR will impose a financial penalty if noncompliance is identified.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/