Compliance · Healthcare · 10 min read

The HIPAA Risk Analysis HHS OCR Actually Wants

Missing or inadequate risk analysis is the #1 cited HIPAA deficiency in HHS OCR enforcement actions — year after year. A one-page PDF from three years ago isn't what OCR has in mind. Here's what "accurate and thorough" actually means, why it matters, and a 9-step self-audit.

If you read HHS OCR enforcement summaries over the past decade, one pattern is impossible to miss. Practice after practice gets penalised — six figures, sometimes seven — and the resolution agreement names the same deficiency first: failure to conduct an accurate and thorough risk analysis.

The reason is mechanical. HIPAA §164.308(a)(1)(ii)(A) requires covered entities to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity". It's short. It's unambiguous. And in OCR's view, almost no small practice does it well.

Most small practices that have a risk analysis have something they downloaded from a HIPAA-template website, filled in for an afternoon three or four years ago, and haven't looked at since. OCR's position on that: it doesn't count.

What "Accurate and Thorough" Means in Practice

OCR has been clear, in guidance and in enforcement, about what an acceptable risk analysis includes. Eight criteria:

  1. Scope: All ePHI the practice creates, receives, maintains, or transmits — across every system, location, and form (electronic, portable media, mobile devices, cloud).
  2. Data collection: Documented, repeatable methodology — workflow walk-throughs, system inventories, vendor lists, asset registers. Not a fillable template.
  3. Threats & vulnerabilities: Reasonably anticipated threats to ePHI confidentiality, integrity, and availability, with the specific vulnerabilities in your environment that could be exploited.
  4. Current security measures: Honest, documented assessment of what controls you actually have — not what the EHR brochure says you should have.
  5. Likelihood & impact: For each threat-vulnerability pair, an analysis of how likely exploitation is and what the impact on the practice and patients would be.
  6. Risk levels: An assignment of risk level (commonly high / medium / low) based on the likelihood and impact analysis — not arbitrary, traceable to the inputs.
  7. Documentation: Written record of the analysis, the methodology, the inputs, and the conclusions. If it isn't documented, OCR's position is that it didn't happen.
  8. Periodic review & update: The risk analysis is not a one-time exercise. OCR expects it to be reviewed and updated as the environment changes — new systems, new vendors, new threats, new staffing.

Step One: Inventory Every ePHI Location

The single biggest reason risk analyses fail OCR review is incomplete scope. Practices forget where ePHI lives. In a typical small practice, ePHI is in all of the following, often without anyone explicitly mapping them:

  • The EHR (eClinicalWorks, Athena, NextGen, Epic Connected Care, Dentrix, Eaglesoft, Open Dental, etc.)
  • Practice management / billing systems
  • Clearinghouses and revenue-cycle vendors
  • Patient portals and patient-engagement platforms
  • Email — every PHI-containing message in the mailbox is ePHI
  • Faxes received electronically (eFax services)
  • Lab and imaging integrations
  • Telehealth platforms
  • Cloud document storage (Microsoft 365, Google Workspace, Dropbox, etc.)
  • Local file servers, NAS, and shared drives
  • Workstations, laptops, tablets, mobile phones
  • Removable media (USB drives, backup drives)
  • Backup systems (on-prem and cloud)
  • Voicemail systems containing PHI (yes — really)

If your "risk analysis" covers the EHR but not the clearinghouse, the personal phone the front-desk lead uses to forward voicemails, or the email tenant the practice manager uses for insurer correspondence, it's incomplete by definition. OCR is going to ask whether you considered each of those locations. If you didn't, the analysis isn't thorough.

Step Two: Identify Reasonably Anticipated Threats

A short list, customised to your practice:

  • Ransomware — the most active threat for healthcare in the past three years
  • Phishing & credential theft — the entry point for most ransomware and ePHI exfiltration
  • Lost or stolen device — still the largest single category in the OCR breach portal
  • Insider snooping — staff looking up family, neighbours, VIP patients
  • Misdirected fax / email — under-appreciated, very common, breach-reportable
  • Vendor / business associate breach — the Change Healthcare attack reminded the whole industry that BAA breaches roll up to the practice
  • Improper disposal — old laptops, copiers with hard drives, paper records
  • Natural disaster / power loss — affects availability of ePHI, which is a Security Rule concern just as much as confidentiality
  • Web / portal misconfiguration — patient portals, telehealth platforms, marketing sites with embedded forms

Step Three: Map Threats to Specific Vulnerabilities

This is where a generic template breaks. A real risk analysis pairs each threat with the specific vulnerabilities in your environment that could be exploited:

  • Ransomware → workstations without EDR, missing MFA on EHR, unmaintained backups
  • Phishing → no inbound email security, no MFA, no training programme
  • Lost device → laptops without full-disk encryption, no documented loss procedure
  • Insider snooping → no audit logging on EHR access, no periodic review of logs
  • BAA breach → missing BAAs, incomplete BAA inventory, no vendor diligence beyond signing the BAA

A vulnerability list specific to your environment is what makes the analysis "accurate" — generic templates lose points here.

Step Four: Assess Likelihood and Impact, Then Assign Risk

For each threat-vulnerability pair, document your view of likelihood (high / medium / low based on observed industry activity and your specific exposure) and impact (effect on ePHI confidentiality, integrity, and availability if exploited, including patient harm and practice continuity). Combine into an overall risk rating that drives prioritisation of mitigation.

Step Five: Document, Don't Just Discuss

Conversations don't satisfy HIPAA. Documentation does. A risk analysis OCR will accept needs to exist as a written artefact — methodology, scope, threats, vulnerabilities, likelihood, impact, risk levels, mitigation decisions, and the date of the analysis with reviewer name. If you can't hand it to an investigator on request, OCR's position is you don't have one.

Step Six: Refresh It

Risk analysis is not annual paperwork. It's a programme. Trigger a refresh whenever:

  • You add a new system that handles ePHI
  • You add a new business associate
  • You move locations or add a location
  • You experience a significant staffing change
  • A new threat category emerges (the Change Healthcare attack is a good example — every practice that used a Change-affected clearinghouse should have re-analysed)
  • You have a security incident, even a minor one
  • At minimum, annually as a baseline review
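To make Steps One through Six concrete, here is an added example (not code from the article or from any vendor mentioned in it): a small Python risk register that enforces the scope check from Step One, pairs threats with specific vulnerabilities, derives a risk level from likelihood and impact, emits the dated, attributable written artefact from Step Five, and flags when Step Six's refresh is due. The 3x3 likelihood/impact matrix is an assumption (the article only says to "combine" the two), and every asset, control, rating and reviewer name below is constructed sample data for a hypothetical practice.

```python
"""Added example (not from the article): a minimal HIPAA risk-register builder
that follows the article's six steps. Asset names, controls, ratings and the
reviewer below are constructed sample data for a hypothetical small practice."""
from dataclasses import dataclass, field
from datetime import date, timedelta

LEVELS = ("low", "medium", "high")


def risk_level(likelihood: str, impact: str) -> str:
    """Step Four: combine likelihood and impact into a risk level.
    The article does not prescribe a matrix; this 3x3 one is an assumption."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)  # 0..4
    return "high" if score >= 3 else "medium" if score == 2 else "low"


@dataclass
class Asset:
    """Step One: one ePHI location, with the controls actually in place (criterion 4)."""
    name: str
    kind: str
    controls: list


@dataclass
class RiskItem:
    """Steps Two to Four: a threat paired with a specific vulnerability on a specific asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    level: str = field(init=False)

    def __post_init__(self):
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"rating must be one of {LEVELS}")
        self.level = risk_level(self.likelihood, self.impact)


def uncovered_assets(assets, items):
    """Scope check: every inventoried ePHI location needs at least one analysed
    threat/vulnerability pair; an unanalysed location makes the analysis incomplete."""
    analysed = {item.asset for item in items}
    return [a.name for a in assets if a.name not in analysed]


def build_register(assets, items, reviewer, analysis_date):
    """Step Five: the written artefact (methodology, scope, inputs, conclusions,
    date and reviewer), with risks ordered so the highest come first."""
    missing = uncovered_assets(assets, items)
    if missing:
        raise ValueError(f"scope incomplete, no analysis for: {missing}")
    order = {"high": 0, "medium": 1, "low": 2}
    return {
        "methodology": "asset inventory -> threat/vulnerability pairs -> 3x3 likelihood/impact matrix",
        "analysis_date": analysis_date.isoformat(),
        "reviewer": reviewer,
        "scope": [{"asset": a.name, "kind": a.kind, "controls": a.controls} for a in assets],
        "risks": sorted((vars(i) for i in items), key=lambda r: order[r["level"]]),
    }


def needs_refresh(analysis_date, today, trigger_events=()):
    """Step Six: refresh on any trigger event (new system, new BAA, incident...)
    and at minimum annually."""
    return bool(trigger_events) or today - analysis_date > timedelta(days=365)


# Constructed sample inventory and analysis for a hypothetical practice.
ASSETS = [
    Asset("EHR (cloud-hosted)", "EHR", ["vendor MFA", "role-based access"]),
    Asset("Practice email tenant", "email", ["MFA"]),
    Asset("Front-desk laptop", "workstation", ["full-disk encryption"]),
    Asset("eFax service", "fax", ["BAA signed"]),
]
ITEMS = [
    RiskItem("EHR (cloud-hosted)", "insider snooping", "no periodic review of access logs", "medium", "high"),
    RiskItem("Practice email tenant", "phishing", "no inbound email filtering", "high", "high"),
    RiskItem("Front-desk laptop", "lost or stolen device", "no documented loss procedure", "medium", "low"),
    RiskItem("eFax service", "misdirected fax", "no second-person check on outbound numbers", "medium", "medium"),
]

if __name__ == "__main__":
    register = build_register(ASSETS, ITEMS, "J. Example, Practice Manager (constructed)", date(2024, 3, 1))
    for r in register["risks"]:
        print(f'{r["level"]:6} {r["asset"]}: {r["threat"]} via {r["vulnerability"]}')
    print("refresh needed:", needs_refresh(date(2024, 3, 1), date(2025, 6, 1)))
```

The point of `uncovered_assets` is that the register refuses to be written while any inventoried ePHI location has no analysed threat at all, which is exactly the incomplete-scope pattern the article says OCR finds most often; adding a voicemail system to `ASSETS` without a matching `RiskItem` makes `build_register` raise. The output dictionary is what you would date, name and keep as the written record.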

The 9-Step Self-Audit

If you can't honestly answer "yes" to every one of these, your risk analysis is the gap OCR will find:

  1. Have we identified every system, location, and device that creates, receives, maintains, or transmits ePHI — including email, faxes, backups, and personal devices used for work?
  2. Have we documented our current security measures honestly — not aspirationally — for each ePHI location?
  3. Have we enumerated the reasonably anticipated threats (ransomware, phishing, theft, insider snooping, vendor breach, lost device, natural disaster, ePHI exposure via misconfiguration)?
  4. For each threat, have we identified the specific vulnerabilities in our environment that could be exploited?
  5. Have we analysed the likelihood and impact of each threat-vulnerability combination?
  6. Have we assigned a risk level to each — and prioritised mitigation accordingly?
  7. Is the analysis written down with the methodology, the inputs, and the conclusions explicitly stated?
  8. Has the analysis been reviewed and updated in the past 12 months?
  9. Could we hand the analysis to an HHS OCR investigator tomorrow and have it withstand scrutiny?

What OCR Settlements Tell Us

Look at the resolution agreements OCR has published. The language is remarkably consistent:

  • "Failure to conduct an accurate and thorough risk analysis..."
  • "Did not adequately consider the risks to all ePHI..."
  • "Risk analysis did not address [specific system / location]..."
  • "No documentation of risk analysis methodology..."
  • "Risk analysis not updated to reflect material changes in the environment..."

In nearly every published OCR settlement involving a small or mid-sized practice, the risk-analysis finding appears first. It's also usually the deficiency that converts an otherwise-routine breach into a multi-year corrective-action plan with reporting obligations.

Where the Risk Analysis Pays Off Beyond OCR

A real risk analysis isn't bureaucratic. It's the document that drives your security investment. Done well, it:

  • Tells you which gaps actually deserve budget this year
  • Satisfies your cyber insurance renewal questionnaire honestly
  • Gives your malpractice carrier confidence at renewal
  • Shows acquirers (if you ever sell the practice) that the cyber posture is intentional, not accidental
  • Sets the agenda for the next year's training, vendor reviews, and incident response tabletops

What to Do This Week

  • List every system, location, and device that handles ePHI — including the ones nobody's thought about
  • Identify any BAA gaps in that list
  • Pull whatever current "risk analysis" document you have and read it critically against the eight OCR criteria above
  • Note where it's thin or out of date — likelihood-impact analysis is usually the weakest part
  • Calendar a quarterly review going forward; pick a named owner
  • If the document needs to be redone, set a 60-day target and resource it

The Bottom Line

HIPAA enforcement isn't random. OCR keeps citing the same deficiency because the same deficiency keeps existing. A proper risk analysis is the most reliably under-resourced requirement in healthcare cybersecurity, and the most reliably cited deficiency in OCR enforcement. Closing that gap moves your practice out of the typical OCR-finding pattern and into the smaller group of practices that take the requirement seriously.

This article is general information, not legal advice. Confirm specific obligations with qualified counsel and HHS OCR guidance for your specific circumstances.

Related reading: the HIPAA cybersecurity requirements primer, vendor and third-party risk management, and backup strategies that survive ransomware.
