OCR Video Explains HIPAA Security Rule Risk Management

By Daniel Lopez

The Department of Health and Human Services Office for Civil Rights has expanded its HIPAA enforcement initiative to include compliance with the risk management requirement of the HIPAA Security Rule and released a video explaining related obligations and violations.

OCR Enforcement Focus On Risk Management

Earlier in 2026, Director Paula M. Stannard of the Department of Health and Human Services Office for Civil Rights confirmed that the existing enforcement initiative focused on risk analysis will continue and will be expanded to address noncompliance with risk management requirements under the HIPAA Security Rule.

The enforcement initiative previously focused on the risk analysis provision at § 164.308(a)(1)(ii)(A), which requires HIPAA-regulated entities to conduct an accurate and thorough assessment of risks and vulnerabilities affecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Risk Analysis and Risk Management Requirements

The risk analysis provision requires organizations to evaluate potential risks and vulnerabilities to ePHI held by covered entities or business associates.

Risk analysis is a required implementation specification under the security management process standard within the administrative safeguards. The other implementation specifications under that standard are risk management, sanction policy, and information system activity review.

The risk management implementation specification (§ 164.308(a)(1)(ii)(B)) requires HIPAA-covered entities to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, consistent with § 164.306(a).

Enforcement Expectations During Investigations

When the Office for Civil Rights investigates a data breach or complaint, regulated entities need to demonstrate that a comprehensive and accurate risk analysis has been conducted.

Entities must also demonstrate that actions were taken based on the findings of the risk analysis to reduce identified risks and vulnerabilities to a reasonable and appropriate level.

The change in the HIPAA enforcement initiative reflects the role of risk management as a required step following risk analysis.

OCR Guidance and Educational Video

To support compliance efforts, the Office for Civil Rights has produced a video focused on risk management requirements under the HIPAA Security Rule.

The video features Nicholas Heesters, Senior Advisor for Cybersecurity at the Office for Civil Rights, who explains the requirements for risk management and provides examples of violations identified during investigations of data breaches.

In December 2025, the Office for Civil Rights collected questions from HIPAA-regulated entities regarding risk management. The video includes responses to selected questions submitted during that process.

The video also includes resources intended to assist regulated entities in meeting the requirements of the HIPAA Security Rule related to risk management.

Compliance Implications

Risk management is identified as a required component of compliance with the HIPAA Security Rule and is linked to broader cybersecurity preparedness.

The Office for Civil Rights has extended the HIPAA enforcement initiative to include risk management because of its role in reducing vulnerabilities and defending against cyberattacks.

Regulated entities are expected not only to identify risks through risk analysis but also to implement measures that address those risks in accordance with regulatory requirements.


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA