From HIPAA Risk Analysis to Risk Management: A Step-by-Step Approach
What You Need to Know
Healthcare cybersecurity expectations have never been higher. Threats are sharper, regulators are more vocal, and the cost of a risk analysis you cannot defend, or of failing to act on risks you already know about, is no longer theoretical. This guide outlines a five-step approach, which OCR has accepted in 100% of the investigations in which this methodology has been submitted.
Key Insights:
OCR is enforcing risk management, not just risk analysis.
Finding the risks is no longer enough. Acting on them is what the agency is enforcing today.
The NPRM is still proposed, not gone.
Published January 2025, still under review in spring 2026. The bar OCR is enforcing already points in its direction.
Asset-based beats system-based analysis.
Evaluate every application, system component, cloud service, medical device, third party, location, and human role that touches ePHI.
Five steps move you from analysis to risk reduction.
The steps include: Frame, Analyze, Evaluate Treatment, Implement, and Reconcile.
Policies and procedures alone are not enough.
If you cannot prove a control is operating, OCR treats it as not implemented.
What OCR is enforcing in 2026
Knowing your risks is no longer enough. The Office for Civil Rights is enforcing what organizations do about the risks they identify.
In April 2026, OCR Senior Advisor for Cybersecurity Nick Heesters released guidance formally expanding the agency’s enforcement initiative beyond risk analysis to include risk management. The pattern OCR keeps finding is not organizations that fail to identify their risks. It is organizations that document risks and then do nothing. The same vulnerabilities surface in security reviews year after year, unmitigated, until they are exploited.
“Failing to take action to mitigate risks or implementing security measures that do not sufficiently reduce risks to a reasonable and appropriate level is something OCR discovers frequently.”
Nick Heesters, OCR Senior Advisor for Cybersecurity
The breach data explains the urgency. In 2024, large HIPAA breaches affected more than 286 million individuals. In 2025, 76 percent of large breaches were caused by hacking and IT incidents. OCR characterizes these as “reasonably anticipated” threats, which obligates regulated entities to act.
One more thing to internalize about the legal standard. Policies and written plans are not enough. OCR wants to see identified risks driving real decisions. Configurations changed. Controls validated. Measures actually in place. Organizations that fall short face a finding of willful neglect, the most serious HIPAA violation category, carrying penalties of $73,011 per day, per violation.
The HIPAA Security Rule
No final decision yet on the proposed HIPAA Security Rule update, but OCR's enforcement focus is sending strong signals.
The HIPAA Security Rule has not been materially updated since 2003. In January 2025, HHS published a Notice of Proposed Rulemaking to modernize it. The proposal drew more than 4,700 comments and a $9 billion first-year industry cost estimate, which much of the sector considered optimistic.
As of spring 2026, the Trump administration has not decided what to do with the proposal. A final action remains listed for May on OCR’s regulatory agenda. Federal agencies routinely extend those deadlines.
Whether or not the rule is finalized, five proposed changes already point to where OCR is taking the bar:
- Annual risk analysis review. At least every 12 months, and after any material change.
- Written, annually revised asset inventory and network map for every system that touches ePHI.
- End of “addressable” specifications. Encryption, MFA, vulnerability scanning, and incident response testing would become broadly mandatory.
- Specific written documentation requirements for risk analyses, risk management plans, and policies.
- Baseline controls. Documented patch management timelines, MFA across systems that access ePHI, network segmentation, and tested incident response.
Step-by-Step Overview
1: Frame the Risk and Define Your Threshold
Not every risk demands the same response. Treating them as if they do is the most common failure mode in healthcare risk programs. Every risk must be documented and continuously monitored, but only a defined set must be treated in a given cycle. Those are the risks at or above your threshold.
Risk appetite vs. risk threshold
Two ideas anchor framing.
- Risk appetite is the amount of risk the organization is willing to accept in pursuit of its mission. Leadership and the board set it. It reflects clinical, financial, regulatory, and reputational tolerance.
- Risk threshold is the numerical line above which a risk must be treated this cycle. On a 1 to 25 likelihood-times-impact scale, a threshold of 12 means risks rated 12 or higher are scheduled for treatment. Lower-rated risks are monitored.
A clear threshold directs cybersecurity investment toward the risks that move the needle. It also gives leadership a defensible answer for why a particular risk was treated, accepted, or deferred.
2: Perform an Asset-based Risk Analysis
A traditional risk analysis focuses on the organization at the top of the iceberg: governance, broad policy, and enterprise infrastructure. That view is necessary, but it leaves the largest part of the iceberg underwater. The risks that lead to breaches almost always lie deeper, at the asset level, where an unpatched application, a misconfigured cloud bucket, a contractor account, or an aging medical device sits within the perimeter.
An asset-based risk analysis aligns with NIST Risk Management Framework Tier 3 and works from the bottom of the iceberg up. It evaluates every information asset: software, system components, cloud services, third parties, medical devices, locations, and people that create, receive, maintain, or transmit ePHI. This is the methodology that powers OCR-Quality® Risk Analysis and aligns to all nine of OCR’s defined elements.

3: Evaluate Risk Treatment Options
With the analysis complete and the threshold set, every risk above threshold has four possible responses: accept, avoid, transfer, or mitigate. Treatments can be combined. An organization might transfer part of cyber risk to an insurer while mitigating the underlying exposure with new controls.
Three criteria anchor NIST's evaluation discipline. Effectiveness and feasibility do the heavy lifting, and cost is weighed once those two are understood.
Effectiveness
Effectiveness is how much the proposed control actually reduces the targeted risk. The aim is not to layer controls until the diagram looks impressive. It is to meaningfully change the organization’s exposure.
Feasibility
Feasibility is how practical a response is given clinical, operational, and financial reality. In healthcare, new security measures must be weighed against patient care and clinical workflow. There was a time when shared passwords on shared workstations were tolerated for speed at the bedside. That time has ended. The discipline now is to protect ePHI without breaking care delivery.
Cost
Cost spans implementation, maintenance, training, and the labor required to keep the control effective. The most expensive control is often the one that is deployed, never tuned, and quietly degrades into noise.
How Clearwater scores it
Inside IRM|Analysis®, control effectiveness and feasibility are rated on a five-point scale. Teams compare alternatives apples-to-apples and document the rationale for every decision. The result is a clear-eyed view of the trade-offs leadership is being asked to make.
Approving treatment and projecting residual risk
Once feasible options are evaluated, leadership selects a treatment and projects the residual risk rating, the level of risk that will remain after controls are implemented. If a risk starts at 16 on a 25-point scale and the projection brings it to 9, the residual must sit within the organization’s appetite and below the threshold. If it does not, the treatment plan is incomplete.
Business owners belong in this decision. Information risk management is a business function, not an IT-only responsibility. The Director of Health Information Management owns coding and billing platform risks. The VP of Clinical Informatics owns EHR risks. The Chief Medical Officer owns the clinical workflow consequences of any control change. When ownership is shared, the decision sticks.
4: Implement the Risk Response Plan
Risk management without governance is risk theater. A defensible implementation plan ties every approved treatment to five elements, the same five OCR scrutinizes when it asks for proof.
A working example: untrained workforce
Consider a common, high-rated risk.
- Threat source: external attacker
- Threat event: social engineering
- Vulnerability: untrained or untested workforce
A serious response plan looks like this.
Risk owner: Chief Human Resources Officer
Project manager: [Named]
Open issues: nothing significant to report
- Q3, Priority 1. Enhance the security and privacy awareness program. Implementation manager: Information Security and Talent Management. Due: 09/30/2026.
- Q4, Priority 2. Deploy targeted phishing simulation campaigns. Implementation manager: Information Security. Due: 12/31/2026.
- Q1, Priority 3. Improve audit trail collection and review cadence. Implementation manager: Application Analysts. Due: 03/31/2027.
- Q2, Priority 4. Validate, refine, and update information disclosure procedures and sanction policy. Implementation manager: Legal, Privacy and Compliance. Due: 06/30/2027.
Treating each priority as a project with a measurable outcome reduces the underlying risk over the year, instead of letting it reappear in the next annual report.
5: Reconcile Residual Risk
Risk reconciliation is the step most programs skip, and the step that turns a paper risk register into a living one. After implementing the chosen controls, projection meets reality. Maybe every control rolled out as planned, and the risk that was 16 is now 6, better than the 9 you projected. Maybe a control slipped, the deployment scope shrank, or a third-party dependency moved, and the actual residual is 11.
Reconciliation is the documented assessment of what actually happened.
- Confirm whether each control was implemented as designed and is operating as intended.
- Re-score likelihood and impact based on the post-implementation state, not the pre-implementation prediction.
- Update the risk register and notify the business owner of any residual that still exceeds threshold.
- Capture new threats or vulnerabilities that emerged during deployment.
This is the discipline that keeps the program honest. Without it, a risk register is a snapshot of intent. With it, the register reflects the organization’s actual security posture, which is what OCR, the board, and your cyber insurer all need to see.
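The following is an added example, not code from this page or from Clearwater's IRM|Analysis, that ties steps 1, 3 and 5 together in working form: the 1-to-25 likelihood-times-impact scale, the treatment threshold, the projected residual recorded at planning time, and the reconciliation that re-scores a risk afterward and, where a control cannot be shown to be operating, gives it no credit at all. The sample register (assets, ratings, owners), the rule that acceptance requires a written rationale, and the rule that a non-acceptance plan is incomplete while its projected residual is still at or above threshold are assumptions made for illustration.

```python
# Added example (not Clearwater code): a minimal risk register applying the
# 1-25 scale, a treatment threshold, projected residual risk and reconciliation.
from dataclasses import dataclass
from typing import Optional

RESPONSES = {"accept", "avoid", "transfer", "mitigate"}


def score(likelihood: int, impact: int) -> int:
    """Likelihood and impact are each rated 1..5; the rating is their product (1..25)."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"rating {v} outside 1..5")
    return likelihood * impact


@dataclass
class Risk:
    asset: str            # the information asset, not the enterprise as a whole
    threat: str
    vulnerability: str
    owner: str            # business owner accountable for the decision
    likelihood: int
    impact: int
    treatment: Optional[str] = None
    rationale: str = ""
    projected: Optional[int] = None   # residual projected when treatment is chosen
    actual: Optional[int] = None      # residual re-scored at reconciliation

    @property
    def inherent(self) -> int:
        return score(self.likelihood, self.impact)


def risks_to_treat(register: list[Risk], threshold: int) -> list[Risk]:
    """Risks at or above threshold are treated this cycle; the rest are monitored."""
    return sorted((r for r in register if r.inherent >= threshold),
                  key=lambda r: r.inherent, reverse=True)


def plan_treatment(risk: Risk, response: str, proj_likelihood: int,
                   proj_impact: int, threshold: int, rationale: str = "") -> Risk:
    """Record the chosen response and the projected residual rating.

    Assumed rules: acceptance needs a documented rationale; any other response
    whose projected residual is still at or above threshold is an incomplete plan.
    """
    if response not in RESPONSES:
        raise ValueError(f"unknown response {response!r}")
    projected = score(proj_likelihood, proj_impact)
    if response == "accept" and not rationale.strip():
        raise ValueError("acceptance requires a documented rationale")
    if response != "accept" and projected >= threshold:
        raise ValueError(f"projected residual {projected} >= threshold {threshold}")
    risk.treatment, risk.rationale, risk.projected = response, rationale, projected
    return risk


def reconcile(risk: Risk, control_operating: bool, act_likelihood: int,
              act_impact: int, threshold: int) -> dict:
    """Replace the projection with the post-implementation score.

    A control that cannot be shown to be operating earns no credit, so the
    residual reverts to the inherent rating and the owner is flagged.
    """
    if risk.projected is None:
        raise ValueError("reconcile() called before a treatment was planned")
    risk.actual = score(act_likelihood, act_impact) if control_operating else risk.inherent
    exceeds = risk.actual >= threshold
    return {"asset": risk.asset, "inherent": risk.inherent, "projected": risk.projected,
            "actual": risk.actual, "drift": risk.actual - risk.projected,
            "exceeds_threshold": exceeds, "notify_owner": risk.owner if exceeds else None}


def build_sample_register() -> list[Risk]:
    """Constructed sample data for illustration only."""
    return [
        Risk("Workforce", "external attacker", "untrained workforce", "CHRO", 4, 4),
        Risk("Legacy infusion pump", "malware", "unsupported OS", "VP Clinical Informatics", 3, 5),
        Risk("Cloud export bucket", "external attacker", "public ACL", "Director HIM", 2, 5),
        Risk("Contractor VPN account", "credential theft", "no MFA", "CISO", 3, 3),
    ]


if __name__ == "__main__":
    THRESHOLD = 12
    register = build_sample_register()
    for r in risks_to_treat(register, THRESHOLD):
        print(f"treat this cycle: {r.asset} (inherent {r.inherent})")
    workforce = register[0]
    plan_treatment(workforce, "mitigate", 3, 3, THRESHOLD)   # 16 -> projected 9
    print(reconcile(workforce, True, 2, 3, THRESHOLD))        # actual 6, within threshold
```

Running the module treats the two risks rated 16 and 15, projects the workforce risk down to 9, and reconciles it at 6, the same numbers the text walks through. A control that slipped is reconciled with `control_operating=False`, which returns the risk to its inherent rating and names the owner to notify.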
The information risk lifecycle
The five steps above are not a project. They are a lifecycle.
Framing informs analysis.
Analysis informs response.
Response generates evidence.
Evidence drives reporting.
Monitoring feeds the next round of framing.
The cycle accelerates as the organization matures.

State law and sector overlays
HIPAA is the floor, not the ceiling. A defensible risk analysis also accounts for state laws and sector frameworks that overlay, or in some cases exceed, federal requirements.
State privacy and breach laws
- Texas Medical Records Privacy Act (HB 300) broadens the definition of a covered entity beyond HIPAA and requires biennial workforce training. Any Texas footprint should be mapped into the HIPAA risk analysis.
- New York SHIELD Act requires reasonable administrative, technical, and physical safeguards for private information about New York residents. The standard parallels the Security Rule’s flexible scaling and is increasingly cited in state AG enforcement.
- California CMIA and CCPA/CPRA add disclosure, consent, and resident-rights obligations on top of HIPAA.
Sector frameworks
HHS 405(d) Health Industry Cybersecurity Practices (HICP) are the voluntary, sector-developed practices published under Section 405(d) of the Cybersecurity Act of 2015. HICP is a Recognized Security Practice under the HITECH Act amendment of 2021. Organizations that demonstrate at least 12 months of HICP adoption may receive favorable treatment in OCR enforcement and audit decisions.
NIST CSF 2.0 is the lingua franca of cyber maturity. Aligning to Govern, Identify, Protect, Detect, Respond, and Recover makes board reporting and cross-framework mapping dramatically easier.
HITRUST CSF is the prescriptive control framework most healthcare counterparties accept as evidence of program maturity.
Risk Management Principles to Bookmark
- Respond to every risk above threshold. Acceptance is a valid response, but it is a documented, intentional choice. Never a default.
- Diversify treatment strategies. Avoidance, transfer, and mitigation often combine. Avoiding a risk is sometimes the most effective response.
- Choose analysis over checklists. Checklists capture what the controls are. Analysis explains why those controls match your threats and assets.
- Lead the decision. Don’t outsource it. Effectiveness, feasibility, and cost are leadership decisions. Your team’s job is to make the trade-offs visible.
- Treat documentation as the deliverable. A risk analysis that is not written down does not exist in OCR’s view.
A disciplined risk management process is complex work, and the regulatory bar is moving up. Clearwater can provide a program with the structure and evidence trail to turn risk analysis into a competitive advantage, not just a compliance obligation.
Build a risk program that holds up under scrutiny
If your risk program would not withstand an OCR inquiry tomorrow, that is the conversation to have today. A Clearwater advisor will walk through your current methodology, map the gaps against OCR’s 2026 enforcement reality, and recommend a path forward.
Frequently Asked Questions
How often does the HIPAA Security Rule require a risk analysis?
The current Security Rule requires risk analysis to be conducted regularly and whenever environmental or operational changes affect ePHI. The still-pending 2025 NPRM would make that explicit: at least every 12 months and after any material change.
What is an asset-based risk analysis?
An asset-based risk analysis evaluates risk at the level of individual information assets: applications, system components, cloud services, medical devices, third parties, locations, and people that touch ePHI. It aligns with NIST Risk Management Framework Tier 3.
What is the difference between risk appetite, risk threshold, and residual risk?
Risk appetite is the level of risk leadership is willing to accept. Risk threshold is the numerical line at or above which a risk must be treated this cycle. Residual risk is the level of risk that remains after controls are implemented; it is projected when a treatment is selected and re-scored once the controls are validated as operating.
What does OCR look for when investigating risk management compliance?
OCR looks for documented evidence that the organization identified threats and vulnerabilities to ePHI across all assets, implemented reasonable and appropriate safeguards, and per Heesters’ April 2026 guidance, actually managed those risks over time. Policies and procedures alone are not sufficient evidence of implementation. OCR wants to see configurations changed, controls validated, and measures actually in place.
How does Clearwater’s IRM|Analysis software support risk reduction?
IRM|Analysis is purpose-built for healthcare. It aligns to all nine OCR-defined elements, supports asset-based scoping, scores control effectiveness and feasibility on a five-point scale, projects residual risk, and generates the documentation trail OCR expects.
Will the NPRM be finalized?
As of spring 2026, the Trump administration has not decided. A final action remains listed for May on OCR’s regulatory agenda, but federal agencies routinely extend those deadlines. Industry groups including CHIME have called for rescission. Regardless of what happens with the rule itself, OCR’s active enforcement posture means the proposed requirements already function as a forward-looking baseline.
What are the penalties for failing to manage identified risks?
Failing to act on documented risks can result in a finding of willful neglect, the most serious HIPAA violation category, carrying penalties of $73,011 per day, per violation. Reputational damage, ransom payments, remediation, and civil liability typically dwarf the regulatory fine.