The risk analysis required by 45 CFR 164.308(a)(1)(ii)(A) is the first document OCR requests when opening an investigation. Most small practices produce a compliance platform checklist or a vendor template and believe they are covered. They are not. OCR's Final Guidance defines what an accurate and thorough risk analysis must address, and a software-generated output rarely meets the standard. OCR's Risk Analysis Initiative, active since October 2024, has produced enforcement actions against small practices across the country, including practices in Texas serving fewer than 15,000 patients.
When OCR opens an investigation under its Risk Analysis Initiative, the first document they request is a written risk analysis. Most small practices hand over something that does not meet the standard. Here is what the document actually needs to include, and why the gap matters more now than it did two years ago.
The HIPAA Security Rule has required a risk analysis since 2005. The specific requirement is at 45 CFR 164.308(a)(1)(ii)(A): covered entities must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit.
That phrase, accurate and thorough, carries significant weight in enforcement. It means the document has to reflect your actual practice, not a generic template, and it has to cover every system, device, workflow, and vendor that touches patient data, not just the EHR. For a small medical practice in Houston or anywhere else in the Houston metro area, that means the practice management software, the billing system or clearinghouse, the email platform, the scheduling tool, the cloud storage service, the IT provider, and every mobile device a staff member uses to access patient information.
A 2016-2017 OCR audit found that only 14% of covered entities were substantially meeting this requirement. OCR launched its dedicated Risk Analysis Initiative in October 2024 specifically because nothing had improved enough in the years since that audit.
The gap between what practices produce and what OCR requires is not subtle.
The most common version looks like this: a compliance platform generated a questionnaire, someone clicked through it, and the output was saved as a PDF. Or an IT company ran a vulnerability scan and called it a risk assessment. Or the EHR vendor provided a template and the practice filled it in without customizing it to the actual environment.
None of these is the document OCR is looking for.
In 2024 and 2025, OCR settled cases in which the entity had something it believed was a risk analysis. One case involved a ransomware attack affecting 14,273 patients and resulted in a $90,000 settlement after investigators found the entity had not conducted a proper risk analysis despite years of believing it was compliant. The pattern across settlements is consistent: the practice had something. It did not have the document OCR required.
OCR has published Final Guidance on risk analysis requirements at hhs.gov. That guidance specifies what an accurate and thorough risk analysis must address.
The analysis has to identify the scope of all ePHI the organization creates, receives, maintains, or transmits, including where it lives across every device, system, application, and vendor. It has to document the reasonably anticipated threats to that ePHI and the vulnerabilities those threats could exploit. It has to assess the security measures already in place. It has to determine the likelihood that each identified threat could exploit each identified vulnerability, evaluate the potential impact if that were to happen, and assign a level of risk to each combination. And it has to produce a written record that documents the analysis and ties each finding directly to a risk management decision: what the practice will do about it, who owns it, and when.
A vendor questionnaire does not produce this. A vulnerability scan produces part of the technical picture but misses the administrative and physical dimensions entirely. A compliance platform checklist may organize the work but cannot substitute for the written document itself.
What OCR wants to read is a narrative document, written to your specific practice, that shows you understand exactly where your patient data goes, what the realistic threats are, and what you are doing about them.
The Risk Analysis Initiative that OCR launched in October 2024 has already produced enforcement actions against small healthcare entities, not just hospitals or large health systems. Small practices are not outside this initiative's scope. OCR has been direct that the initiative targets covered entities of all sizes.
In April 2026, OCR's Senior Advisor for Cybersecurity Nick Heesters released guidance expanding the initiative's focus beyond the risk analysis itself to include risk management, specifically what organizations actually do about the risks they identify. A risk analysis that documents problems but shows no evidence of follow-through is no longer sufficient to satisfy an OCR inquiry.
The proposed Security Rule update that OCR has been working toward would codify a requirement to review and update the risk analysis at least once every 12 months. That final rule has not yet been published, but the existing rule and OCR's guidance already treat risk analysis as an ongoing process that must be revisited when the environment changes, and OCR has enforced on that basis. Enforcement actions have consistently cited analyses that were outdated, incomplete, or never updated after significant changes to the practice.
For a practice with five to fifty employees, a compliant risk analysis is not a hundred-page document. It is a thorough one. Length is not the standard. Coverage is.
It needs to account for your EHR and practice management software. Your billing system and any clearinghouse you use. Your appointment scheduling platform. Your email system. Every device that connects to your network, including mobile phones staff use for work purposes. Your physical office space, including paper records, fax machines, and shared workstations. Your IT provider and every other vendor that has access to patient data.
For each of those systems, it needs to document what could go wrong, how likely that is, and how bad it would be. Then it needs to connect those findings to specific actions your practice has taken or is taking to reduce the risk.
The document also needs to reflect the current state of your practice. A risk analysis written in 2022 that has not been updated since is not a current risk analysis. If you have added new software, hired new staff, changed workflows, or taken on new vendor relationships, the analysis has to reflect those changes.
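As an added illustration, not part of the original article and not an OCR tool, the following Python risk register captures the elements described above (ePHI scope, threat and vulnerability pairs, likelihood and impact, a linked action, and a review date) and checks the three gaps OCR keeps citing: assets in scope with no documented risk, non-trivial risks with no risk management action, and an analysis that is stale by age or predates a change to the environment. The 1-3 scoring scale, the risk-level thresholds, the 12-month review window, and the practice data are assumptions constructed for the example; the guidance requires likelihood and impact to be assessed but prescribes no particular scale.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Risk:
    """One threat/vulnerability pair against one asset that holds ePHI."""
    asset: str          # system, device, workflow or vendor in the ePHI scope
    threat: str
    vulnerability: str
    likelihood: int     # assumed 1 (rare) .. 3 (likely) scale
    impact: int         # assumed 1 (minor) .. 3 (severe) scale
    action: str = ""    # risk management decision tied to this finding
    owner: str = ""     # who is responsible for carrying the action out

    def score(self) -> int:
        return self.likelihood * self.impact

    def level(self) -> str:
        # Assumed thresholds: 6-9 high, 3-5 medium, 1-2 low.
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


@dataclass
class RiskAnalysis:
    practice: str
    assets: list[str]           # every place ePHI is created, received, stored or sent
    risks: list[Risk]
    last_reviewed: date
    last_environment_change: date   # new software, vendor, workflow, staff role


def ranked(ra: RiskAnalysis) -> list[Risk]:
    """Risks ordered highest score first, for the written record."""
    return sorted(ra.risks, key=lambda r: r.score(), reverse=True)


def gaps(ra: RiskAnalysis, as_of: date, max_age_days: int = 365) -> list[str]:
    """Findings that would make this analysis fail the 'accurate and thorough' test."""
    findings = []
    covered = {r.asset for r in ra.risks}
    for asset in ra.assets:
        if asset not in covered:
            findings.append(f"scope gap: no threat or vulnerability documented for '{asset}'")
    for r in ra.risks:
        if r.level() != "low" and not r.action:
            findings.append(
                f"risk management gap: {r.level()} risk to '{r.asset}' "
                f"({r.threat}) has no documented action")
    if (as_of - ra.last_reviewed).days > max_age_days:
        findings.append("stale: last review is older than the assumed 12-month window")
    if ra.last_environment_change > ra.last_reviewed:
        findings.append("stale: environment changed after the last review")
    return findings


# Constructed sample practice; names, dates and findings are invented for the example.
AS_OF = date(2026, 5, 13)
EXAMPLE = RiskAnalysis(
    practice="Example Family Clinic",
    assets=["EHR", "billing clearinghouse", "email platform",
            "staff mobile phones", "IT provider"],
    risks=[
        Risk("EHR", "ransomware", "backups never restore-tested", 2, 3,
             action="nightly offline backup; quarterly restore test", owner="IT provider"),
        Risk("email platform", "phishing leading to credential theft",
             "no MFA on mailboxes", 3, 3),
        Risk("staff mobile phones", "lost or stolen device",
             "no enforced encryption or remote wipe", 2, 2),
        Risk("IT provider", "vendor breach", "BAA not on file", 1, 3,
             action="BAA executed and filed", owner="practice manager"),
    ],
    last_reviewed=date(2024, 3, 1),
    last_environment_change=date(2025, 9, 15),
)

if __name__ == "__main__":
    for r in ranked(EXAMPLE):
        print(f"{r.level():6} {r.score()}  {r.asset}: {r.threat} / {r.vulnerability}")
    for g in gaps(EXAMPLE, AS_OF):
        print("GAP:", g)
```

Run against the sample, the register ranks the unmitigated email risk highest and reports five gaps: the clearinghouse has no documented risk at all, two medium-or-higher risks have no action attached, and the analysis is both older than a year and older than the last change to the environment. The point is not the script; it is that each of those checks corresponds to a failure OCR has cited, so a written analysis should be able to answer all of them with nothing flagged.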
Most small practices I work with in Texas do not have this document. They have pieces of it, spread across emails from their IT company, checklists from their EHR vendor, and maybe a completed questionnaire from a compliance platform. None of that is the written risk analysis OCR will ask to see.
The enforcement actions from the Risk Analysis Initiative are not hypothetical. They are settlements with small practices, for amounts ranging from tens of thousands to millions of dollars, consistently citing the same failure. OCR has said directly that the goal of the initiative is to drive behavior change, not just penalize outliers.
If your practice does not have a current written risk analysis that reflects your actual environment, that is the gap to close before anything else.
A Privacy Exposure Review identifies your top compliance gaps, including your risk analysis status, in 48 hours. Flat fee. No retainer required.
Last Updated: May 13, 2026