When OCR settled with Banner Health for $1.25 million in 2023, the core finding was painfully familiar: the organization had failed to conduct an adequate enterprise-wide risk analysis. This wasn't an outlier. Since 2016, an insufficient or absent risk analysis has been a cited deficiency in the overwhelming majority of OCR enforcement actions and Resolution Agreements. If your organization hasn't completed a thorough, documented risk analysis — or hasn't updated one recently — you're carrying more regulatory exposure than almost any other single gap.

Why the HIPAA Risk Analysis Is the #1 Cited Deficiency

The Security Rule at 45 CFR § 164.308(a)(1)(ii)(A) requires every covered entity and business associate to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." OCR has called this requirement the foundation of the entire Security Rule.

Yet healthcare organizations consistently struggle with it. In my work with covered entities, I've seen the same pattern: organizations confuse a risk analysis with a simple vulnerability scan or a checklist exercise. OCR has explicitly rejected this approach. A network scan identifies technical weaknesses; a risk analysis identifies threats, estimates their likelihood and impact, and maps them to every system that creates, receives, maintains, or transmits ePHI.

Between 2008 and 2024, OCR collected over $140 million in HIPAA enforcement penalties. Deficient risk analysis appeared as a contributing factor in the majority of those settlements, including high-profile actions against Anthem ($16 million, 2018), Premera Blue Cross ($6.85 million, 2020), and multiple smaller covered entities through the Right of Access enforcement initiative.

What OCR Actually Expects in a Compliant Risk Analysis

OCR published its Guidance on Risk Analysis Requirements to clarify expectations. Here's what a defensible risk analysis must include:

  • Scope: Every system, application, and data repository containing ePHI — not just your EHR. Think email, fax servers, mobile devices, cloud platforms, billing systems, and backup media.
  • Threat identification: Document realistic threat sources: malicious actors, insider threats, ransomware, natural disasters, and human error.
  • Vulnerability identification: Go beyond automated scanning. Include administrative and physical vulnerabilities — missing policies, unsecured workstations, lack of workforce training.
  • Likelihood and impact assessment: Assign qualitative or quantitative ratings. OCR doesn't mandate a specific methodology, but you must show a rational, repeatable process.
  • Risk level determination: Combine likelihood and impact to produce a risk rating for each identified risk.
  • Documentation: This is non-negotiable. If your risk analysis isn't written down and retained for at least six years, it functionally doesn't exist from OCR's perspective.

Many organizations I advise find that conducting a proper risk analysis also reveals gaps in their HIPAA training and certification programs — particularly around how workforce members handle PHI on mobile devices and in remote work environments.

The Most Common Risk Analysis Mistakes That Lead to HIPAA Violations

Three mistakes appear repeatedly in enforcement actions:

1. Treating it as a one-time event. The Security Rule requires ongoing risk management. OCR expects you to update your risk analysis when your environment changes — new technology, new vendors, new locations, workforce changes, or after a security incident. Annual review is a reasonable minimum, but significant operational changes should trigger an immediate reassessment.

2. Limiting scope to the EHR system. In the CardioNet settlement ($2.5 million, 2017), OCR specifically cited the organization's failure to assess risks across all ePHI-containing systems. Your risk analysis must be enterprise-wide. That includes every business associate relationship where ePHI is shared.

3. Failing to connect risk analysis to risk management. Identifying risks without implementing corresponding safeguards violates 45 CFR § 164.308(a)(1)(ii)(B) — the risk management implementation specification. A risk analysis that sits on a shelf unaddressed actually creates evidence against your organization in an investigation.

How to Build a Risk Analysis Process That Withstands OCR Scrutiny

Start by assigning clear ownership. Your HIPAA Security Officer should lead the process, but input must come from IT, clinical operations, HR, and any department that touches protected health information. Risk analysis is an organizational exercise, not solely a technical one.

Use a recognized framework. OCR's guidance references NIST SP 800-30, which provides a structured methodology for risk assessment. The HHS Office of the National Coordinator also offers a free Security Risk Assessment Tool, though larger organizations will likely need a more robust approach.

Map your ePHI inventory first. You cannot assess risks to data you haven't identified. Document where ePHI is created, received, stored, transmitted, and disposed of. Include cloud environments, third-party applications, and portable devices.

Prioritize remediation by risk level. Apply the minimum necessary standard when evaluating access controls, and ensure your risk management plan includes realistic timelines and assigned responsibility for each corrective action.
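As an added illustration (this is not code from the article, from OCR, or from the ONC tool), the following Python risk register walks through the six elements listed under "What OCR Actually Expects" and the inventory-first, prioritize-by-risk process of this section: an ePHI inventory, threat and vulnerability pairs per system, a likelihood-by-impact rating, a risk level, a prioritized remediation list with owners, and a retainable record. It also flags the three common mistakes above: a stale or outdated analysis, inventory items with no assessed risk, and identified risks with no safeguard or owner. Every asset name, threat, rating, date and threshold is constructed sample data; the 3x3 matrix is this example's own choice in the spirit of NIST SP 800-30, not a method OCR prescribes.

```python
# Added example, not from the article: a small ePHI risk register covering the six
# elements above and the three common mistakes. All names, dates and ratings are constructed.
from dataclasses import dataclass
from datetime import date
from enum import IntEnum

class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

def risk_level(likelihood, impact):
    """3x3 likelihood-by-impact matrix in the spirit of NIST SP 800-30. The thresholds
    are this example's own; OCR requires a repeatable method, not these numbers."""
    score = int(likelihood) * int(impact)
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

@dataclass(frozen=True)
class Asset:
    name: str
    ephi_flow: tuple   # subset of ("create", "receive", "maintain", "transmit")
    added_on: date     # when the system entered the environment

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: Rating
    impact: Rating
    safeguard: str = ""  # planned or implemented control; empty means unaddressed
    owner: str = ""      # person accountable for the corrective action

    @property
    def score(self):
        return int(self.likelihood) * int(self.impact)

    @property
    def level(self):
        return risk_level(self.likelihood, self.impact)

def prioritize(risks):
    """Remediation order: highest score first (stable for ties)."""
    return sorted(risks, key=lambda r: -r.score)

def coverage_gaps(assets, risks):
    """Mistake 2: inventory items with no assessed risk (scope limited to the EHR)."""
    assessed = {r.asset for r in risks}
    return [a.name for a in assets if a.name not in assessed]

def unmanaged_risks(risks):
    """Mistake 3: identified risks with no safeguard or owner (analysis left on a shelf)."""
    return [r for r in risks if not r.safeguard or not r.owner]

def reassessment_triggers(last_analysis, assets, today, incident_since_last=False, max_age_days=365):
    """Mistake 1: reasons the analysis must be redone now, not at the next annual review."""
    reasons = []
    age = (today - last_analysis).days
    if age > max_age_days:
        reasons.append(f"analysis is {age} days old (limit {max_age_days})")
    new = [a.name for a in assets if a.added_on > last_analysis]
    if new:
        reasons.append("environment changed, new ePHI systems: " + ", ".join(new))
    if incident_since_last:
        reasons.append("security incident since last analysis")
    return reasons

def register_record(risks, assessed_on):
    """Documentation element: a retainable record with its six-year retention date."""
    retain_until = date(assessed_on.year + 6, assessed_on.month, assessed_on.day)
    return {"assessed_on": assessed_on.isoformat(), "retain_until": retain_until.isoformat(),
            "risks": [{"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
                       "likelihood": r.likelihood.name, "impact": r.impact.name, "level": r.level,
                       "safeguard": r.safeguard, "owner": r.owner} for r in prioritize(risks)]}

# Constructed inventory (the fax server has no risk recorded) and register
LAST_ANALYSIS = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("EHR", ("create", "maintain", "transmit"), date(2019, 1, 15)),
    Asset("Email gateway", ("receive", "transmit"), date(2020, 3, 1)),
    Asset("Mobile devices", ("receive", "maintain"), date(2021, 6, 1)),
    Asset("Backup tapes", ("maintain",), date(2018, 11, 20)),
    Asset("Fax server", ("receive", "transmit"), date(2017, 4, 3)),
    Asset("Billing SaaS", ("receive", "maintain", "transmit"), date(2024, 9, 10)),  # added after last analysis
]
SAMPLE_RISKS = [
    Risk("EHR", "ransomware", "unpatched application server", Rating.HIGH, Rating.HIGH, "patch SLA, offline backups", "IT director"),
    Risk("Email gateway", "phishing", "no MFA on webmail", Rating.HIGH, Rating.MEDIUM, "enforce MFA", "IT security"),
    Risk("Mobile devices", "lost or stolen device", "no device encryption", Rating.MEDIUM, Rating.HIGH, "MDM with encryption", "IT security"),
    Risk("Billing SaaS", "vendor breach", "no evidence of vendor risk analysis", Rating.MEDIUM, Rating.MEDIUM, "obtain BA risk analysis", "Privacy officer"),
    Risk("Backup tapes", "natural disaster", "offsite tapes unencrypted", Rating.LOW, Rating.HIGH, "encrypt tapes", "IT director"),
    Risk("EHR", "insider misuse", "shared clinician logins", Rating.MEDIUM, Rating.LOW),  # no safeguard or owner yet
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.level:6} {r.score} {r.asset}: {r.threat} / {r.vulnerability} -> {r.safeguard or 'UNADDRESSED'}")
    print("scope gaps:", coverage_gaps(SAMPLE_ASSETS, SAMPLE_RISKS))
    print("reassess because:", reassessment_triggers(LAST_ANALYSIS, SAMPLE_ASSETS, date(2025, 8, 1)))
```

Run as a script it prints the prioritized register, the uncovered inventory item, and the reasons a reassessment is due. The design point is that the register ties each identified risk to a safeguard and an owner, so the output of the analysis is also the input to the risk management plan that 45 CFR § 164.308(a)(1)(ii)(B) requires, and the record carries its own retention date so the documentation element is not an afterthought.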

Finally, train your workforce. Every risk analysis I've participated in has revealed gaps in staff awareness — people who don't recognize phishing attempts, share credentials, or store ePHI on personal devices. Comprehensive workforce HIPAA compliance training directly reduces the human-factor vulnerabilities that risk analyses consistently surface.

Risk Analysis and Business Associate Obligations

The Omnibus Rule of 2013 made business associates directly liable for Security Rule compliance, including the risk analysis requirement. If your organization relies on vendors who access, store, or transmit ePHI — cloud hosting providers, billing companies, IT managed service providers — each of those business associates must conduct their own risk analysis.

Your organization should verify this. Request evidence of a current risk analysis from every business associate during contract negotiations and at regular intervals thereafter. Include this verification in your own risk management documentation. OCR has demonstrated through enforcement that covered entities cannot hide behind their BAAs when a business associate's security failures cause a breach.

Take Action Before OCR Comes Knocking

OCR investigations are triggered by breach reports, complaints, and compliance reviews. In every scenario, one of the first documents OCR requests is your current risk analysis. If you can't produce one — or if the document you produce is a superficial checklist from three years ago — your organization faces a dramatically higher chance of a findings letter, corrective action plan, or civil monetary penalty.

The HIPAA risk analysis requirement isn't just a regulatory checkbox. It's the single most effective tool your organization has for identifying where protected health information is genuinely at risk and directing resources to close those gaps. Start or update yours today, document every step, and make it the foundation of a security program that holds up under scrutiny.