A hands-on, interactive series to help healthcare organizations meet OCR’s Security Risk Analysis requirement, reduce cyber risk, and prepare for heightened HIPAA Security Rule expectations
Begins August 12th, 2026
Time: 11am-12pm CT
Dates: Five one-hour sessions held August 12 thru September 9
Register once for all sessions. Recordings available.

Overview
Healthcare organizations and their business associates are facing a convergence of pressures: escalating ransomware and cyberattacks, growing dependence on complex and distributed technology environments, and continued Office for Civil Rights (OCR) scrutiny of whether organizations have performed an accurate and thorough Security Risk Analysis.
OCR has repeatedly emphasized that risk analysis is not a paperwork exercise. It is the foundation for identifying where ePHI resides, understanding how it could be compromised, prioritizing the most significant risks, and taking reasonable and appropriate action to reduce those risks. Recent OCR enforcement activity, ransomware investigations, and OCR cybersecurity guidance continue to reinforce a clear message: organizations must be able to demonstrate that they understand their ePHI environment and have analyzed risks and vulnerabilities across all systems that create, receive, maintain, or transmit ePHI.
At the same time, OCR’s proposed updates to the HIPAA Security Rule signal rising expectations for healthcare cybersecurity governance, documentation, and accountability. Whether your organization is preparing for an OCR investigation, responding to board-level cyber risk questions, strengthening your HIPAA Security Rule program, or trying to move beyond a check-the-box assessment, a defensible Security Risk Analysis is essential.
Clearwater’s complimentary OCR-Quality® Risk Analysis Working Lab is designed to help you build the practical knowledge and repeatable process needed to conduct a comprehensive, bona fide risk analysis aligned with OCR expectations.
Over five one-hour working sessions, Clearwater faculty experts will guide attendees through an interactive, hands-on risk analysis workflow using Clearwater’s IRM|Analysis® software. Participants will learn how to identify systems that involve ePHI, document threats and vulnerabilities, evaluate likelihood and impact, produce a detailed risk register, and connect risk analysis results to risk management decisions.
This series is especially timely for organizations that need to:
- Validate whether their current Security Risk Analysis would stand up to OCR scrutiny.
- Move from informal or spreadsheet-based assessments to a more structured, repeatable methodology.
- Account for current cyber risk drivers, including ransomware, unpatched systems, third-party dependencies, cloud platforms, medical devices, and internet-facing applications.
- Build a defensible inventory of systems that create, receive, maintain, or transmit ePHI.
- Demonstrate how identified risks are evaluated, prioritized, and managed over time.
Topics covered include:
- Building a complete information system inventory, including applications, infrastructure, cloud services, medical devices, and third-party systems that create, receive, maintain, or transmit ePHI.
- Identifying where ePHI resides and how it flows across systems, vendors, users, and connected technologies.
- Recognizing current threat and vulnerability scenarios relevant to OCR scrutiny, including ransomware, unpatched software, unauthorized access, misconfigured systems, legacy technology, and exposed internet-facing assets.
- Assessing likelihood and impact in a consistent, evidence-based way that supports defensible risk determinations.
- Producing the detailed risk register needed to support a comprehensive Security Risk Analysis.
- Connecting risk analysis findings to risk response, remediation planning, board reporting, and ongoing risk management.
- Understanding how OCR’s current enforcement posture and proposed Security Rule updates affect expectations for documentation, governance, and accountability.
Session 1 – Aug. 12, 11am–12pm CT
Risk Analysis Fundamentals: OCR Expectations, Enforcement Trends, and Introduction to IRM|Analysis
Session 2 – Aug. 19, 11am–12pm CT
IRM|Analysis Workflow Phase 1: Building a Complete ePHI Information Asset Inventory
Session 3 – Aug. 26, 11am–12pm CT
IRM|Analysis Workflow Phase 1: Identifying Current Threats, Vulnerabilities, and Component-Level Risks
Session 4 – Sept. 2, 11am–12pm CT
IRM|Analysis Workflow Phase 2: Defensible Risk Determination — Likelihood, Impact, and Risk Scoring
Session 5 – Sept. 9, 11am–12pm CT
IRM|Analysis Workflow Phase 3: Reports, Dashboards, Risk Register Outputs, and Risk Response Planning
Attendees will receive access to an IRM|Analysis sandbox environment for the duration of the series, along with course materials, supplemental resources, and session recordings. By the end of the series, participants will have a clearer understanding of what OCR expects from a Security Risk Analysis and how to apply a structured, repeatable process to identify, evaluate, document, and manage risks to ePHI.


