
OCR Video Emphasizes Ongoing Risk Management Under HIPAA Security Rule


Summary

The Department of Health and Human Services' Office for Civil Rights released an educational video on risk management under the HIPAA Security Rule, emphasizing that risk management is mandatory, ongoing, and increasingly subject to enforcement scrutiny. OCR cited 2025 data showing approximately 76% of large reported HIPAA breaches resulted from hacking or IT incidents. The agency highlighted that entities identifying vulnerabilities but failing to implement corrective actions face exposure to findings of willful neglect and civil monetary penalties.

“OCR reiterated that risk analysis is only the starting point of the risk management process.”

Mintz, verbatim from source
Published by Mintz on jdsupra.com. Detected, standardized, and enriched by GovPing.

What changed

OCR released an educational video summarizing its enforcement approach to HIPAA Security Rule risk management requirements under 45 CFR § 164.306(a). The video emphasizes that regulated entities must implement, maintain, and document security measures that meaningfully reduce risks to electronic protected health information—not merely document identified risks and leave them unaddressed. OCR cited common deficiencies including entities that identified vulnerabilities but failed to act for years, and noted that such failures frequently support findings of willful neglect.

Healthcare covered entities and business associates should review their risk management programs against OCR's stated expectations: risk analysis must drive concrete security decisions, documented policies alone are insufficient evidence of compliance, and organizations that delay remediation of known risks face significant enforcement exposure including civil monetary penalties on a per-day, per-violation basis.

Archived snapshot

Apr 21, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

April 21, 2026

OCR Video Emphasizes Ongoing Risk Management Under the HIPAA Security Rule

Madison Castle, Jean Mancheno, Mintz - Health Care Viewpoints

On April 8, 2026, the Department of Health and Human Services’ Office for Civil Rights (OCR) released an educational video, Risk Management Under the HIPAA Security Rule, detailing the risk management requirements under HIPAA as well as findings and conclusions from OCR’s investigations. While framed as an educational outreach video, it sends a clear enforcement message: risk management is mandatory, ongoing, and increasingly scrutinized by OCR. Drawing on recent investigations, OCR emphasized that risk management is not a one-time compliance exercise or paperwork obligation. Rather, regulated entities must implement, maintain, and document security measures that actually reduce risks to electronic protected health information (ePHI). When entities are aware of risks but do not act on them, they are left exposed, both to cyberattacks and enforcement actions. In this blog post, we provide an overview of the HIPAA Security Rule risk management requirements and highlight key takeaways from OCR’s video.

How Should Regulated Entities Address Security Risks?

Risk management is a required implementation specification under the HIPAA Security Rule, part of the security management process standard at 45 CFR § 164.308(a)(1)(ii)(B). It requires covered entities and business associates to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a “reasonable and appropriate” level, as set forth under § 164.306(a). At a foundational level, risk management under the HIPAA Security Rule requires regulated entities to identify, prioritize, and address risks to the confidentiality, integrity, and availability of all ePHI the entities create, receive, maintain, or transmit, taking into account their size, complexity, technical infrastructure, and available resources. In practice, OCR described risk management as including:

  • Using the results of a risk analysis to inform decisions about administrative, physical, and technical safeguards;
  • Evaluating whether existing controls adequately address reasonably anticipated threats, including cyberattacks, system failures, and environmental hazards;
  • Selecting and implementing security measures, such as access controls, authentication mechanisms, audit logging, and encryption, that meaningfully reduce identified risks;
  • Ensuring the workforce complies with security policies and does not circumvent safeguards; and
  • Periodically reviewing and updating security measures as threats, technologies, and operations evolve.

Importantly, OCR reiterated that risk analysis is only the starting point of the risk management process. The Security Rule requires follow-through: identified risks must drive real decisions, prioritization, and implementation of security controls, not merely be documented and left unaddressed. In a number of recent settlements, OCR has noted the failure of regulated entities to address identified risks.

Key Takeaways from OCR’s Risk Management Video

Risk Management Must Be Ongoing and Documented

OCR stressed that risk management is not a one-time exercise. Entities must periodically reassess risks, update controls, and modify security measures in response to evolving threats, new technologies, and organizational changes. OCR also emphasized that policies and procedures alone are insufficient evidence of compliance. In investigations, OCR looks for documentation demonstrating that security measures were actually implemented. Examples include:

  • Risk remediation plans and timeframes;
  • Meeting notes or internal communications showing progress;
  • Management approvals;
  • System screenshots and configuration settings; and
  • Audit logs and monitoring records.

Risk Analysis Must Drive Security Decisions

OCR reiterated that risk analysis results must inform decisions and lead to concrete security controls. OCR cited frequent exploitation of remote access vulnerabilities, particularly where single-factor authentication is used, as a recurring enforcement issue, and pointed to investigations in which compromised credentials enabled cyberattacks whose risk could have been substantially reduced through multifactor authentication. OCR also underscored that minimal controls are not enough: in one investigation, a four-character minimum password length was cited as an example of a control that failed to meet the Security Rule’s “reasonable and appropriate” standard and contributed to a breach.
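The two control gaps OCR singled out (single-factor remote access and a short password minimum) and the follow-through failure it describes (findings identified but never remediated, or closed with nothing to show for it) can be checked mechanically against an inventory and a risk register. The script below is an added example written for this page; it is not code from the Mintz post or the OCR video. The `RemoteAccessService` and `Finding` records, the service inventory, the register rows and the dates are all constructed, and the eight-character password floor is an assumed baseline taken from NIST SP 800-63B, since the video gives no number.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed baseline, not a figure from the OCR video or the Mintz post:
# NIST SP 800-63B sets 8 characters as the floor for user-chosen passwords.
MIN_PASSWORD_LENGTH = 8
# Assumed tolerance for a finding to remain open past its planned due date.
OVERDUE_GRACE_DAYS = 0


@dataclass
class RemoteAccessService:
    """A remote-access entry point (VPN, RDP gateway, webmail) and its auth settings."""
    name: str
    internet_facing: bool
    mfa_required: bool
    min_password_length: int


@dataclass
class Finding:
    """One row of a risk register: a risk the risk analysis identified and a plan to treat it."""
    control: str
    risk: str
    identified: date
    due: date
    remediated: Optional[date] = None
    evidence: List[str] = field(default_factory=list)  # config exports, screenshots, logs


def assess_service(svc: RemoteAccessService) -> List[str]:
    """Return the control gaps on one service, mirroring the two OCR cited."""
    gaps = []
    if svc.internet_facing and not svc.mfa_required:
        gaps.append(f"{svc.name}: internet-facing remote access without MFA")
    if svc.min_password_length < MIN_PASSWORD_LENGTH:
        gaps.append(
            f"{svc.name}: minimum password length {svc.min_password_length} "
            f"is below the {MIN_PASSWORD_LENGTH}-character baseline"
        )
    return gaps


def finding_status(f: Finding, today: date) -> str:
    """Classify a register row by whether it was acted on, and whether that action is documented."""
    if f.remediated is None:
        return "overdue" if (today - f.due).days > OVERDUE_GRACE_DAYS else "open"
    if not f.evidence:
        # A closure claim with no artifact behind it is what OCR says it will not accept.
        return "closed-without-evidence"
    return "closed"


def register_report(findings: List[Finding], today: date) -> Dict[str, object]:
    """Summarise the register the way an investigator would read it."""
    statuses = {f.control: finding_status(f, today) for f in findings}
    overdue = [f for f in findings if statuses[f.control] == "overdue"]
    oldest_open_days = max(((today - f.identified).days for f in overdue), default=0)
    return {
        "statuses": statuses,
        "overdue_count": len(overdue),
        "oldest_open_days": oldest_open_days,
    }


# Constructed sample data for a stand-alone run.
SERVICES = [
    RemoteAccessService("vpn-gateway", True, False, 4),
    RemoteAccessService("citrix-portal", True, True, 12),
    RemoteAccessService("internal-jumpbox", False, False, 14),
]
TODAY = date(2026, 4, 21)
FINDINGS = [
    Finding("MFA on vpn-gateway", "credential compromise via single-factor remote access",
            identified=date(2023, 6, 1), due=date(2023, 9, 1)),
    Finding("Password length on vpn-gateway", "brute force of short passwords",
            identified=date(2025, 11, 15), due=date(2026, 6, 30)),
    Finding("MFA on citrix-portal", "credential compromise via single-factor remote access",
            identified=date(2024, 2, 1), due=date(2024, 5, 1), remediated=date(2024, 4, 10),
            evidence=["citrix-auth-policy-2024-04-10.json", "change ticket CHG-0412"]),
    Finding("Audit logging on citrix-portal", "undetected misuse of ePHI systems",
            identified=date(2024, 2, 1), due=date(2024, 5, 1), remediated=date(2024, 5, 1)),
]

if __name__ == "__main__":
    for svc in SERVICES:
        for gap in assess_service(svc):
            print("GAP:", gap)
    report = register_report(FINDINGS, TODAY)
    for control, status in report["statuses"].items():
        print(f"{status:24} {control}")
    print(f"{report['overdue_count']} overdue; oldest open finding {report['oldest_open_days']} days")
```

Run as-is, the inventory check flags only the VPN gateway (no MFA, four-character minimum), and the register report marks the 2023 MFA finding overdue by more than two years, the password finding open but within its planned window, the Citrix MFA finding closed with evidence, and the audit-logging finding closed without any artifact. The last category is the one to watch in your own register: a remediation date with no configuration export, ticket or screenshot behind it is exactly the "policies alone" situation the post says OCR will not accept.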

“Reasonably Anticipated” Threats Are Well Established

OCR emphasized that risk management must address reasonably anticipated threats, chief among them being cyberattacks. In 2025, approximately 76% of large, reported HIPAA breaches resulted from hacking or information technology incidents, consistent with trends from prior years. OCR also noted that regulated entities should account for:

  • Natural disasters and facility specific risks based on geography and infrastructure;
  • Power outages, fires, floods, and other facility emergencies; and
  • Impermissible uses or disclosures stemming from weak access controls, misconfigured systems, or technologies such as online tracking tools.

OCR Investigations Show Common Risk Management Deficiencies

OCR highlighted multiple investigations in which regulated entities:

  • Identified vulnerabilities but failed to implement corrective actions for years;
  • Experienced repeated exploitation of the same vulnerabilities; and/or
  • Took meaningful steps only after a breach occurred.

OCR noted that such failures frequently support findings of willful neglect, particularly where entities knew of risks and failed to act within a reasonable timeframe. Willful neglect violations not corrected within 30 days can expose entities to significant civil monetary penalties, assessed on a per-day, per-violation basis.

Conclusion

OCR’s video reinforces a consistent and increasingly explicit enforcement theme: risk management requires action, not just awareness. Regulated entities that identify risks but delay, defer, or fail to act—especially over multiple years—face significant exposure as OCR’s enforcement focuses on risk management efforts. As OCR made clear, entities that fail to timely remediate known risks, or that rely solely on plans, policies, or minimal controls, risk being characterized not only as targets of breaches, but as organizations that left ePHI vulnerable in violation of the Security Rule.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Health Care Viewpoints


Published in: Covered Entities, Cybersecurity, Data Protection, Data Security, Enforcement Actions, HIPAA Security Rule, OCR, PHI, Risk Assessment, Risk Management, Health, Privacy, Science, Computers & Technology


CFR references

45 CFR 164.306

Named provisions

Risk Management; Security Management Process


About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free.

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from Mintz.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.


Classification

Agency
Mintz
Instrument
Notice
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Minor

Who this affects

Applies to
Healthcare providers
Industry sector
6211 Healthcare Providers
Activity scope
HIPAA compliance Risk management Security documentation
Geographic scope
United States (US)

Taxonomy

Primary area
Healthcare
Operational domain
Compliance
Compliance frameworks
HIPAA
Topics
Data Privacy Cybersecurity
