OCR to Create Video Presentation to Clarify HIPAA Risk Management Questions


The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is creating a video presentation on the requirements of the HIPAA Security Rule risk management process and has asked HIPAA-regulated entities to submit their risk management questions.

The risk analysis is a foundational component of the HIPAA Security Rule: it identifies the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). OCR regularly identifies risk analysis deficiencies, including incomplete and missing risk analyses, in its data breach investigations and HIPAA compliance audit program. Risk analysis failures are the most frequently identified violation of the HIPAA Security Rule and a recurring reason for financial penalties.

OCR has published guidance to assist HIPAA-covered entities in conducting a risk analysis and has provided a risk assessment tool to help small and medium-sized regulated entities complete the process. After a risk analysis has been performed, all identified risks and vulnerabilities to ePHI must be addressed through the risk management process specified in § 164.308(a)(1)(ii)(B) of the HIPAA Security Rule administrative safeguards. Risk management means implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, in compliance with § 164.306(a) [Security Standards: General Rules].

In 2025, OCR announced two enforcement actions with penalties for risk management failures: Solara Medical Supplies paid $3,000,000 to settle its HIPAA violation, and Warby Parker, Inc. paid a $1,500,000 penalty. To clear up potential misunderstandings about the risk management process, OCR is creating a video presentation entitled HHS’ OCR Presents: The HIPAA Security Rule: Risk Management.

Nick Heesters, OCR’s Senior Advisor for Cybersecurity, will address the different facets of the risk management provision of the HIPAA Security Rule in the video presentation. He will explain what risk management requires and how cybersecurity tools fit into it, and will share information from OCR’s investigations into potential risk management violations of HIPAA.

Because this is a pre-recorded video presentation rather than a live webinar, OCR is asking HIPAA-covered entities to submit their questions about the risk management requirement in advance; a selection of those questions will be addressed in the presentation. Questions related to risk management should be submitted to OCR by email at [email protected] on or before December 8, 2025.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]