Your Completed Risk Assessment Just Became a Liability
Introduction
A data breach hits your practice. The HHS Office for Civil Rights (OCR) opens an investigation. You pull out your completed Security Risk Analysis, hand it over, and wait for the process to run its course. After all, OCR has spent years penalizing covered entities specifically for not having a documented SRA. You did the work. You identified the risks. You have the paperwork.
Then the investigator asks a question you didn’t prepare for: What did you do about it?
This is no longer a hypothetical situation. On April 8, 2026, OCR’s Senior Advisor for Cybersecurity, Nicholas Heesters, released a formal guidance video confirming that the agency has expanded its enforcement initiative beyond the Security Risk Analysis to include risk management. The SRA is still required. What OCR is now examining is what happened after you completed it. If your answer is “we filed it,” that answer is going to cost you.
From Analysis to Action: What the Shift Means
The Security Risk Analysis requirement has lived at 45 CFR 164.308(a)(1)(ii)(A) since 2003. For most of the past decade, it was the centerpiece of OCR’s enforcement activity. Covered entities that experienced breaches were investigated, and investigators found the same deficiency over and over: no documented SRA, or an SRA that was superficial, outdated, or didn’t reflect the organization’s actual ePHI environment.
The enforcement pattern trained the market. Practices and compliance consultants scrambled to complete SRAs. Vendors built SRA modules into their platforms. The implicit goal was to have something to show OCR if the question ever came up.
That goal was always incomplete. The SRA was never meant to be a destination. It is the first step in a continuous process defined in the Security Rule’s risk management standard at 45 CFR 164.308(a)(1)(ii)(B), which requires covered entities to implement security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level. That standard has been in place as long as the SRA requirement has. The difference is that OCR is now treating it as an enforcement priority rather than just a background obligation.
What that means in operational terms is straightforward: OCR investigators reviewing a breach will now request documentation demonstrating that identified risks were managed and reduced in a timely manner, not just identified. An SRA that surfaces a list of vulnerabilities, sits in a file, and is never referenced again does not satisfy that standard. It may make your situation considerably worse because it establishes awareness without action, and awareness without action is a harder position to defend than having no documentation at all.
The Three Things OCR Is Now Looking For
When an OCR investigator opens a breach investigation under the expanded enforcement initiative, there are three documentation questions you should expect them to bring.
First: Does your SRA identify specific, credible risks to your ePHI environment, or is it a generic checklist someone filled out in twenty minutes? The adequacy of the underlying analysis matters. An SRA that identifies “password policies may be insufficient” as its entire finding on access control does not give you a defensible starting point for risk management, because it doesn’t establish what the actual exposure was.
Second: Are the risks your SRA identified connected to a documented remediation plan? This is the gap where most practices fall short. SRA output, by itself, is a list of problems. Risk management means assigning priority levels, owners, and timelines to those problems. Under 45 CFR 164.308(a)(1)(ii)(B), you are required to reduce identified risks to a reasonable and appropriate level. “Reasonable and appropriate” is a standard you have to be able to demonstrate, not simply assert.
Third: Is there evidence of progress? A risk register created when the SRA was completed and never revisited is not evidence of active risk management. Investigators are looking for documentation showing that items were worked through over time, that completed remediations are recorded, and that decisions to accept residual risk rather than remediate were made deliberately and documented with rationale.
None of these requirements are new. What’s new is that OCR is now treating them as things it will examine and penalize, not as things it will note and move past.

Why This Is Happening Now
The expansion of OCR’s enforcement doesn’t exist in a vacuum. The agency has been building toward a more aggressive posture on Security Rule compliance for several years, and the breach data from 2026 makes it clear the pressure isn’t going to ease.
In February 2026 alone, 63 large healthcare data breaches were reported to OCR, exposing the protected health information of more than 8 million individuals. That figure represents a 436 percent increase from January. Through the first two months of 2026, nearly 9.7 million individuals had their health information compromised in reported incidents.
OCR Director Paula Stannard has publicly confirmed that the risk analysis enforcement initiative will continue and expand to encompass risk management throughout 2026 and beyond. Nicholas Heesters’ April guidance video wasn’t a preview of enforcement activity contingent on a new rule taking effect. It described what investigators are already doing in open breach investigations today.
That context matters because some covered entities will be tempted to treat the proposed HIPAA Security Rule overhaul, with a final rule expected around May 2026, as the event that triggers the need to shore up their compliance programs. That is the wrong frame. The overhaul will formalize and expand certain requirements. But OCR’s current enforcement posture doesn’t require a new rule. It requires compliance with the existing rule.
What a Defensible Program Looks Like
The gap between having an SRA and having a defensible compliance posture is largely a documentation and process gap. Your clinical operations don’t need to change. What needs to change is the organized record that connects your identified risks to your ongoing response activities.
A practice that can satisfy OCR’s expanded enforcement inquiry has a few specific things in place. It has an SRA that was completed within the past twelve months or updated when material operational changes occurred, such as new systems, new vendors, or significant staffing changes. It has a risk register that translates SRA findings into discrete, tracked items with assigned owners and remediation timelines. It has documentation showing that items on that register have been worked through, including closure dates and, for risks that were accepted rather than remediated, a recorded rationale for that decision. And it has a recurring review process, not just a one-time deliverable.
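As an added illustration (not from the article or from any OCR tool), here is a small audit over a constructed risk register that checks the elements the paragraph above describes: SRA recency, assigned owners and timelines, closure dates, a recorded rationale for accepted risks, and a recurring review cadence. The twelve-month SRA age limit follows the article; the 90-day review interval and every register entry are assumptions.

```python
from datetime import date

# Constructed sample data for a hypothetical practice; not from the article.
SRA_COMPLETED = date(2025, 3, 1)          # last SRA, older than twelve months
TODAY = date(2026, 4, 15)
REVIEW_LOG = [date(2025, 3, 15), date(2025, 6, 10)]  # register review dates

REGISTER = [
    {"id": "R-01", "finding": "Shared EHR logins on front-desk workstations",
     "owner": "Practice manager", "due": date(2025, 9, 1),
     "status": "closed", "closed": date(2025, 8, 20), "rationale": ""},
    {"id": "R-02", "finding": "No MFA on remote access to billing system",
     "owner": "IT vendor", "due": date(2025, 12, 1),
     "status": "open", "closed": None, "rationale": ""},
    {"id": "R-03", "finding": "Legacy fax server kept for one referral partner",
     "owner": "Compliance officer", "due": None,
     "status": "accepted", "closed": None, "rationale": ""},
    {"id": "R-04", "finding": "Backup media stored unencrypted off-site",
     "owner": "", "due": None, "status": "open", "closed": None, "rationale": ""},
]

def audit_register(register, sra_date, today, max_age_days=365):
    """Return (item id, problem) pairs an investigator would flag as gaps."""
    issues = []
    if (today - sra_date).days > max_age_days:
        issues.append(("SRA", "analysis older than twelve months and not refreshed"))
    for item in register:
        rid = item["id"]
        if not item["owner"]:
            issues.append((rid, "no assigned owner"))
        if item["status"] == "open":
            if item["due"] is None:
                issues.append((rid, "no remediation timeline"))
            elif item["due"] < today:
                issues.append((rid, "past due with no closure recorded"))
        elif item["status"] == "closed" and item["closed"] is None:
            issues.append((rid, "marked closed without a closure date"))
        elif item["status"] == "accepted" and not item["rationale"].strip():
            issues.append((rid, "residual risk accepted without documented rationale"))
    return issues

def reviews_are_recurring(review_dates, today, max_gap_days=90):
    """True only if every gap between reviews, and since the last one, is short."""
    if not review_dates:
        return False
    dates = sorted(review_dates) + [today]
    return all((b - a).days <= max_gap_days for a, b in zip(dates, dates[1:]))
```

Run against the sample register, the audit flags the stale SRA, the past-due item, the unexplained accepted risk, and the ownerless item with no timeline; the review log also fails the cadence check because nothing was recorded after June 2025.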
The specific controls you implement will vary based on your organization’s size, complexity, and risk profile. The Security Rule doesn’t prescribe a single approach. What it prescribes is a documented, ongoing process for identifying and managing risks. That process needs to produce a paper trail that can hold up to scrutiny, because in an investigation, the paper trail is the compliance program.
Practices that fare worst in OCR investigations are not always the ones with the weakest technical controls. They are frequently the ones with the thinnest documentation. An investigator who finds a completed SRA but no evidence of what happened afterward will read that gap as a compliance failure, because under 45 CFR 164.308(a)(1)(ii)(B), it is one.
Here is the practical test: if OCR called you today and asked you to produce documentation of how your practice responded to the risks identified in your most recent SRA, could you do it?
If the answer is no, or if the honest answer is “we’d have to put something together,” you have a gap. The good news is that it is a fixable gap. The remediation work is documentation and process work, not infrastructure work. You don’t need to rebuild your systems. You need to establish the process that connects your risk identification to your risk response, and document it consistently going forward.
The practices that will struggle with OCR’s expanded enforcement initiative are those that treated the SRA as a compliance destination rather than a starting point. If yours was one of them, the time to reframe that is before the next investigation opens.
Recent Articles – Will Evertsen 