21 April 2026

OCR Video Emphasizes Ongoing Risk Management Under The HIPAA Security Rule

Mintz

By Jeannie Mancheno

On April 8, 2026, the Department of Health and Human Services’ Office for Civil Rights (OCR) released an educational video, Risk Management Under the HIPAA Security Rule, detailing the risk management requirements under HIPAA as well as findings and conclusions from OCR’s investigations. While framed as educational outreach, the video sends a clear enforcement message: risk management is mandatory, ongoing, and increasingly scrutinized by OCR. Drawing on recent investigations, OCR emphasized that risk management is not a one-time compliance exercise or paperwork obligation. Rather, regulated entities must implement, maintain, and document security measures that actually reduce risks to electronic protected health information (ePHI). Entities that are aware of risks but do not act on them are left exposed, both to cyberattacks and to enforcement actions. In this blog post, we provide an overview of the HIPAA Security Rule risk management requirements and highlight key takeaways from OCR’s video.

How Should Regulated Entities Address Security Risks? 

Risk management is a required implementation specification under the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(B)). It requires covered entities and business associates to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a “reasonable and appropriate” level, consistent with the general requirements of § 164.306(a). At a foundational level, risk management under the Security Rule requires regulated entities to identify, prioritize, and address risks to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit, taking into account their size, complexity, technical infrastructure, and available resources. In practice, OCR described risk management as including:

  • Using the results of a risk analysis to inform decisions about administrative, physical, and technical safeguards;
  • Evaluating whether existing controls adequately address reasonably anticipated threats, including cyberattacks, system failures, and environmental hazards;
  • Selecting and implementing security measures, such as access controls, authentication mechanisms, audit logging, and encryption, that meaningfully reduce identified risks;
  • Ensuring the workforce complies with security policies and does not circumvent safeguards; and
  • Periodically reviewing and updating security measures as threats, technologies, and operations evolve. 

Importantly, OCR reiterated that risk analysis is only the starting point of the risk management process. The Security Rule requires follow-through: identified risks must drive real decisions, prioritization, and implementation of security controls—not merely be documented and left unaddressed. In a number of recent settlements, OCR has noted the failure of regulated entities to address identified risks. 

Key Takeaways from OCR’s Risk Management Video 

Risk Management Must Be Ongoing and Documented 

OCR stressed that risk management is not a one-time exercise. Entities must periodically reassess risks, update controls, and modify security measures in response to evolving threats, new technologies, and organizational changes. OCR also emphasized that policies and procedures alone are insufficient evidence of compliance. In investigations, OCR looks for documentation demonstrating that security measures were actually implemented. Examples include: 

  • Risk remediation plans and timeframes;
  • Meeting notes or internal communications showing progress;
  • Management approvals;
  • System screenshots and configuration settings; and
  • Audit logs and monitoring records. 

Risk Analysis Must Drive Security Decisions 

OCR reiterated that risk analysis results must inform decisions and lead to concrete security controls. OCR cited frequent exploitation of remote access vulnerabilities, particularly where single-factor authentication is used, as a recurring enforcement issue, and pointed to investigations in which compromised credentials enabled cyberattacks, risks that could have been substantially reduced through multifactor authentication. OCR also underscored that minimal controls are not enough. In one investigation, a four-character password requirement was cited as an example of a control that failed to meet the Security Rule’s “reasonable and appropriate” standard and contributed to a breach.

“Reasonably Anticipated” Threats Are Well Established 

OCR emphasized that risk management must address reasonably anticipated threats, chief among them being cyberattacks. In 2025, approximately 76% of large, reported HIPAA breaches resulted from hacking or information technology incidents, consistent with trends from prior years. OCR also noted that regulated entities should account for: 

  • Natural disasters and facility-specific risks based on geography and infrastructure;
  • Power outages, fires, floods, and other facility emergencies; and
  • Impermissible uses or disclosures stemming from weak access controls, misconfigured systems, or technologies such as online tracking tools. 

OCR Investigations Show Common Risk Management Deficiencies 

OCR highlighted multiple investigations in which regulated entities: 

  • Identified vulnerabilities but failed to implement corrective actions for years;
  • Experienced repeated exploitation of the same vulnerabilities; and/or
  • Took meaningful steps only after a breach occurred. 

OCR noted that such failures frequently support findings of willful neglect, particularly where entities knew of risks and failed to act within a reasonable timeframe. Willful neglect violations that are not corrected within 30 days can expose entities to significant civil monetary penalties, assessed per violation, with continuing violations counted for each day they persist.

Conclusion 

OCR’s video reinforces a consistent and increasingly explicit enforcement theme: risk management requires action, not just awareness. Regulated entities that identify risks but delay, defer, or fail to act, especially over multiple years, face significant exposure as OCR’s enforcement increasingly focuses on whether identified risks were actually remediated. As OCR made clear, entities that fail to timely remediate known risks, or that rely solely on plans, policies, or minimal controls, risk being characterized not only as targets of breaches, but as organizations that left ePHI vulnerable in violation of the Security Rule.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
