OCR's Risk Analysis Initiative: What Small Practices Need to Know
TLDR
OCR's Risk Analysis Initiative, launched in 2022, specifically targets practices that have never completed a documented security risk analysis. This deficiency appears in over 75% of 2025 enforcement actions. The security risk analysis is a documented assessment of every location where PHI exists and every threat to it — and it must be updated annually. Three specific small practices have paid $25,000–$90,000 partly or entirely for this failure.
The security risk analysis (SRA) was always a HIPAA requirement. Since 2022, it has been the primary enforcement target. OCR’s Risk Analysis Initiative changed the enforcement calculus for small practices: a missing risk analysis is now the most direct path to a formal enforcement action.
What Is OCR’s Risk Analysis Initiative?
OCR launched the Risk Analysis Initiative in 2022 with an explicit rationale: the security risk analysis is the foundational HIPAA Security Rule requirement, and OCR data showed widespread non-compliance among small practices. Rather than treating the missing SRA as a secondary finding in investigations triggered by other violations, the initiative made it a primary enforcement target.
The initiative runs parallel to OCR’s standard complaint-driven enforcement. Practices can come into scope through:
- A breach report that triggers an OCR investigation
- A patient complaint that leads to a broader compliance review
- An OCR audit (the agency runs periodic audit programs)
- A complaint or tip about a specific violation
Under the initiative’s framing, any investigation that finds no documented SRA results in enforcement. The investigation does not need to be specifically about the SRA — finding the gap during any inquiry is sufficient.
Why Risk Analysis Is Now the #1 Enforcement Target
The SRA sits at the center of HIPAA Security Rule compliance because every other security decision flows from it.
Without a risk analysis, a practice cannot demonstrate that it identified its PHI locations, assessed threats, or made deliberate decisions about security safeguards. Every security control — encryption, access management, audit logging, backup procedures — can be defended as reasonable if it’s documented in a risk analysis showing the practice assessed the risk and chose the safeguard. Without the SRA, none of those controls can be contextualized.
OCR’s position is that a practice without a documented SRA cannot claim to be making reasonable security decisions. If a breach or violation occurs, the absence of an SRA moves the case toward Tier 3 or Tier 4 — willful neglect — rather than Tier 1 or Tier 2. That difference is the gap between a $25,000 penalty and a $500,000+ one.
What a Compliant Risk Analysis Requires
The HIPAA Security Rule specifies the required elements of a risk analysis at 45 CFR § 164.308(a)(1). A compliant SRA must cover:
Scope. The analysis must cover all electronic PHI that the covered entity creates, receives, maintains, or transmits. This includes every system, device, application, and physical location where ePHI could exist — not just the EHR.
Threat identification. Document the potential threats to ePHI confidentiality, integrity, and availability. HHS categorizes threats as natural (floods, fires), human (unauthorized access, employee error, theft), and environmental (power failures, hardware failures). The analysis must be specific to the practice’s environment — not a generic list.
Vulnerability assessment. Identify weaknesses in your current safeguards that could be exploited by identified threats. A vulnerability could be an unlocked workstation, absence of multi-factor authentication, staff sharing login credentials, or unencrypted backup drives.
Current safeguard documentation. For each PHI location, document what security measures currently exist. This creates the baseline for identifying gaps.
Likelihood and impact assessment. For each threat-vulnerability pair, assess how likely the threat is to exploit the vulnerability and what harm would result. OCR expects documented ratings — typically High/Medium/Low or a numerical scale.
Risk rating and remediation decisions. Assign a final risk rating and document what the practice decided to do: implement a control, accept the residual risk, transfer it (insurance), or avoid it (stop the activity). Every decision must be documented.
Updates and retention. The SRA must be reviewed and updated at least annually and retained for 6 years. OCR reviews the history of updates, not just the most recent version.
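The elements above can be kept as a small, structured risk register. The following is an added example (not from HHS, OCR or the SRA Tool) that scores each threat-vulnerability pair, flags fields left undocumented, and checks the annual-update and six-year-retention rules; the 3/2/1 mapping for High/Medium/Low and the score thresholds are assumptions.

```python
from dataclasses import dataclass, fields
from datetime import date, timedelta

# High/Medium/Low from the page mapped to 3/2/1; the score thresholds below are assumed.
RATING = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class RiskItem:
    location: str           # every place ePHI exists, not just the EHR
    threat: str             # natural, human or environmental threat
    vulnerability: str      # weakness the threat could exploit
    current_safeguard: str  # what exists today (the baseline)
    likelihood: str         # Low / Medium / High
    impact: str             # Low / Medium / High
    decision: str           # implement / accept / transfer / avoid
    rationale: str          # why that decision was made

def risk_score(item: RiskItem) -> int:
    return RATING[item.likelihood] * RATING[item.impact]   # 1..9

def risk_rating(item: RiskItem) -> str:
    s = risk_score(item)
    return "High" if s >= 6 else "Medium" if s >= 3 else "Low"

def undocumented(register: list[RiskItem]) -> list[tuple[str, str]]:
    """(location, field) pairs left blank: each is a gap an investigator can cite."""
    return [(i.location, f.name) for i in register
            for f in fields(RiskItem) if not getattr(i, f.name).strip()]

def is_current(last_review: date, today: date) -> bool:
    """Annual update: the SRA is stale once the last review is over 365 days old."""
    return today - last_review <= timedelta(days=365)

def versions_to_retain(review_dates: list[date], today: date) -> list[date]:
    """Six-year retention: every dated version from the last six years must be kept."""
    cutoff = today - timedelta(days=6 * 365)
    return sorted(d for d in review_dates if d >= cutoff)

# Constructed sample register for a small practice (illustrative values only).
REGISTER = [
    RiskItem("Unencrypted backup drive", "Theft", "No disk encryption",
             "Locked cabinet", "Medium", "High", "implement",
             "Enable full-disk encryption on the drive; scheduled for next quarter"),
    RiskItem("Front-desk workstation", "Unauthorized access", "Shared login",
             "Screen lock after 10 min", "Medium", "Medium", "implement",
             "Issue individual accounts so audit logs identify the user"),
    RiskItem("Fax machine", "Misdirected fax", "No confirmation step", "",
             "Low", "Medium", "accept", ""),
]
```

Running `undocumented(REGISTER)` on the sample shows the fax entry is missing both its current safeguard and the rationale for accepting the risk, which is exactly the kind of gap the "every decision must be documented" requirement is about.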
Four Practices Penalized for Skipping It
Bryan County Ambulance Authority — $90,000
Bryan County was the first formal enforcement action under OCR’s Risk Analysis Initiative. A ransomware attack triggered the investigation. OCR found that the organization had never — in its entire operating history — completed a security risk analysis. The $90,000 penalty reflected the severity of this gap. The case established that OCR would pursue formal enforcement specifically for the missing SRA, even when the primary incident was an external ransomware attack.
Comprehensive Neurology — $25,000
A solo neurologist with 5 staff experienced a ransomware attack that encrypted patient records. OCR investigated and found no security risk analysis on file. The $25,000 penalty was reduced from what it could have been because of the practice’s small size and cooperation during the investigation. The case shows that OCR enforces this requirement even for single-provider practices. Cooperation and practice size were the mitigating factors — not the absence of a prior SRA.
The broader pattern. Beyond these two named cases, OCR’s enforcement record from 2022–2025 shows the SRA deficiency appearing in the majority of formal enforcement actions. The pattern is consistent: an external event (ransomware, breach, complaint) triggers an investigation; OCR finds no documented SRA; the missing SRA becomes a primary enforcement basis alongside the triggering violation.
What Happens Without One
A practice that lacks a current, documented SRA has three specific exposure risks beyond the immediate enforcement risk.
Any security incident is treated as willful neglect. If a ransomware attack or breach occurs and no SRA exists, OCR cannot characterize the practice as having made reasonable security decisions. The breach becomes evidence of a security program that didn’t exist — not a failure of an existing program.
The CAP requirement is guaranteed. Every enforcement action related to the SRA includes a CAP that begins with the requirement to complete an SRA. The practice does the SRA anyway — under 2–3 years of federal monitoring, with legal fees and consulting costs attached.
Ongoing audit risk. A practice known to OCR through a complaint or breach investigation will face additional scrutiny in any future interaction. The SRA is the first document OCR requests. Not having it restarts the enforcement clock.
How to Complete a Risk Analysis for a Small Practice
The most common barrier is simply not knowing that the task is more manageable than it sounds.
Use the HHS Security Risk Assessment Tool. HHS provides a free, downloadable tool at healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool. It walks through the required elements, generates structured documentation, and produces output in a format OCR has accepted. Most small practices can complete the initial SRA in 8–20 hours using this tool.
Scope it correctly. The biggest mistake is scoping the SRA to just the EHR. A compliant SRA covers email, task management tools, phones, paper records, fax machines, cloud storage, billing systems, and any other system or process that touches PHI. Every item in your tool stack needs to be in the inventory.
Document your decisions. OCR does not require perfect security — it requires documented, reasonable decisions. If you have assessed a risk and decided to accept it, document why. If you’ve implemented a control, document what it is and when it was implemented.
Assign ownership. In a small practice, one person needs to own the SRA process — typically the office manager or practice administrator who serves as the Privacy/Security Officer. That person is responsible for the annual update and for maintaining the documentation.
Maintaining Your Risk Analysis Over Time
The annual update is less time-consuming than the initial SRA, but it must happen. The update should revisit:
- Any new technology systems added since the last SRA (new EHR module, new task tool, new communication platform)
- Any new staff roles or significant staff changes
- Any new physical locations or significant facility changes
- Any vendor changes that affect PHI handling
- Any incidents or near-misses that occurred in the past year
Document the update date, who conducted it, and what changed. Retain all previous versions. A 6-year history of dated SRA updates is one of the most effective documents a practice can produce during an OCR investigation — it demonstrates systematic, ongoing compliance rather than reactive scrambling.
- Security Risk Analysis (SRA): A required HIPAA Security Rule activity that identifies threats and vulnerabilities to electronic PHI. The SRA must be documented, updated annually, and retained for 6 years. It is the most commonly cited deficiency in OCR enforcement actions and the primary target of OCR's Risk Analysis Initiative.
- Risk Analysis Initiative: An OCR enforcement program launched in 2022 that specifically targets covered entities that have not completed a security risk analysis. Bryan County Ambulance Authority was the first formal enforcement action under this initiative.
- Addressable Implementation Specification: A HIPAA Security Rule requirement that a covered entity must either implement or document why an equivalent alternative is in place. Unlike required specifications, addressable specifications allow flexibility — but they cannot be ignored. A practice that hasn't addressed an addressable specification is non-compliant regardless of the reason.
Q&A
What is OCR's Risk Analysis Initiative and why does it matter for small practices?
OCR's Risk Analysis Initiative, launched in 2022, is an enforcement program specifically targeting practices that have not completed a security risk analysis. It matters for small practices because only 35% have completed an SRA (Paubox, 2025), and the initiative has resulted in penalties of $25,000–$90,000. A documented, current SRA is the single most effective step a practice can take to reduce enforcement exposure.
What does a compliant HIPAA security risk analysis require?
A compliant SRA must: (1) inventory all PHI locations across all systems and processes; (2) identify threats and vulnerabilities to each location; (3) assess current safeguards; (4) assign risk ratings based on likelihood and impact; (5) document remediation decisions; and (6) be updated annually and whenever significant changes occur. The HHS Security Risk Assessment Tool provides a free structured format that produces OCR-reviewable documentation.
Which small practices were penalized under OCR's Risk Analysis Initiative?
Bryan County Ambulance Authority paid $90,000 — the first formal Risk Analysis Initiative enforcement action. OCR found the organization had never completed a risk analysis in its history. Comprehensive Neurology (solo neurologist, 5 staff) paid $25,000 after a ransomware attack exposed the absence of a risk analysis. Both cases involved ransomware as the triggering event, with the risk analysis failure as the underlying violation.