Rule Update
OCR Expands Enforcement to Risk Management — What Changed in 2026 and What You Must Do Now
TL;DR
In early 2026 OCR Director Paula Stannard confirmed that the agency's Risk Analysis enforcement initiative has been expanded to include risk management — the documented steps organizations take to address identified risks. This means having conducted a risk analysis is no longer sufficient. Organizations must also demonstrate active, ongoing risk management with documented evidence of remediation actions taken.
OCR has formally expanded its enforcement initiative beyond risk analysis to include risk management. Here is exactly what changed, what OCR is now looking for, and the specific steps every covered entity and business associate must take.
For years compliance professionals understood that OCR's Risk Analysis Initiative meant one thing: if you experienced a breach or faced an investigation, OCR would check whether you had conducted a HIPAA Security Rule risk analysis. If you had not, penalties would follow.
That framework changed in 2026. Risk analysis is now just the beginning.
What OCR announced
In early 2026, OCR Director Paula Stannard confirmed that the enforcement initiative will be expanded in 2026 to also include risk management. When OCR investigates data breaches, in addition to providing evidence to demonstrate that comprehensive and accurate risk analyses have been conducted, regulated entities will also need to demonstrate that action has been taken to reduce the identified risks to a low and acceptable level.
This is a significant shift. The requirement to conduct risk management has always existed in the Security Rule. What changed is that OCR is now actively enforcing it — looking not just for the risk analysis document but for evidence of what the organization did with it.
45 CFR §164.308(a)(1)(ii)(B)
The new enforcement standard in plain terms
The bar OCR is now applying is whether your organization has a functioning, continuous risk management program — not a point-in-time assessment, not a binder of policies, but a living program.
What does a living risk management program look like in OCR's view? Based on the April 2026 guidance video and recent enforcement actions, it requires:
A current, complete risk analysis. A risk analysis from 2019 does not satisfy the requirement in 2026. HIPAA requires ongoing evaluation. This violation appears in nearly every major enforcement action. The analysis must cover every system, application, device, and data flow touching ePHI — including recently added vendors and cloud services.
A documented risk management plan. For every risk identified in the analysis, there must be a corresponding management entry showing: what the risk is, what action is being taken to address it, who is responsible, the target completion date, and the outcome once resolved.
Evidence of implementation. Documentation alone is not sufficient. OCR is looking for evidence that the plan was actually executed — system configuration changes, access control updates, vendor remediation, workforce training completions.
Ongoing reassessment. When new systems are added, vendors change, or the threat environment evolves, the risk analysis and management plan must be updated to reflect those changes.
Why OCR expanded the initiative now
The data behind this expansion is stark.
In 2024, large HIPAA breaches affected more than 286 million individuals. In 2025, 76% of large breaches were caused by hacking and IT incidents.
To address the current cybersecurity problem in healthcare and record numbers of data breaches — 747 large data breaches in 2023 and more than 168 million breached records — OCR chose to expand its enforcement framework.
The pattern OCR sees in its investigations is consistent: organizations conduct a risk analysis, identify vulnerabilities, and then fail to act on them. The risk analysis becomes a compliance document rather than a living operational tool. The vulnerabilities remain. The breach occurs.
Note
OCR published a guidance video in April 2026 titled 'Risk Management Under the HIPAA Security Rule' in which Senior Advisor for Cybersecurity Nick Heesters explains exactly what OCR now expects. Every compliance officer and IT leader at a healthcare organization should watch it.
The penalty exposure for inadequate risk management
Organizations that fall short face a finding of willful neglect — the most serious HIPAA violation category — carrying penalties of $73,011 per day, per violation.
Willful neglect applies when an organization knew of risks — through a completed risk analysis — and failed to take action to address them. Having conducted a risk analysis that identified vulnerabilities you then ignored is, in OCR's view, worse than not having conducted one at all. It demonstrates knowledge of the risk combined with failure to act.
What recognized security practices can do for you
One important development that works in organizations' favor: HIPAA-regulated entities that demonstrate they have adopted recognized security practices will benefit from a decrease in the length and extent of audits and investigations of data breaches, and OCR will consider recognized security practices as a mitigating factor to reduce any financial penalties that would otherwise have been applied.
Recognized security practices include frameworks such as NIST Cybersecurity Framework, NIST SP 800-66, and the HHS 405(d) practices. Organizations that can demonstrate active adoption of these frameworks — not just awareness of them — receive more favorable treatment in OCR investigations.
The immediate action checklist
Given OCR's expanded enforcement scope, every covered entity and business associate should take the following steps immediately:
Step 1 — Audit your risk analysis currency. When was your last risk analysis conducted? Does it cover all current systems, vendors, and data flows? If it is more than 12 months old or does not reflect recent technology changes, update it now.
Step 2 — Review your risk register. For every risk identified in your analysis, is there a corresponding management entry? Are all entries current? Are completed remediations documented with evidence?
Step 3 — Identify your highest-priority unaddressed risks. Focus immediate remediation effort on the vulnerabilities most likely to be exploited — unencrypted data, weak access controls, missing MFA, unpatched systems.
Step 4 — Document everything. OCR cannot verify what is not documented. Every risk management action — every patch applied, every access control updated, every vendor audited — should be documented with dates and responsible parties.
Step 5 — Establish a review cadence. Build risk analysis and risk management review into your compliance calendar: at minimum annually, after significant system changes, and after any security incident.
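As an added example (not part of the original article or of OCR's own material), a small Python check that applies Steps 1 to 4 to a constructed risk register: it flags a stale analysis, identified risks with no management entry, entries missing a responsible party or target date, open items past their date, and items marked resolved with no implementation evidence. The field names, sample data and the 12-month currency threshold are assumptions drawn from the text above.

```python
from datetime import date

# Constructed sample data: findings from a risk analysis and the register entries that address them.
RISK_ANALYSIS_DATE = date(2025, 2, 1)
IDENTIFIED_RISKS = {
    "R-1": "ePHI file share without encryption at rest",
    "R-2": "Remote access portal without MFA",
    "R-3": "Unpatched imaging workstation",
    "R-4": "New cloud backup vendor not yet covered by the analysis",
}
RISK_REGISTER = [
    {"risk_id": "R-1", "action": "Enable volume encryption", "owner": "IT Ops",
     "target_date": date(2025, 6, 30), "status": "resolved", "evidence": "change-ticket-4411"},
    {"risk_id": "R-2", "action": "Roll out MFA to portal", "owner": "Security",
     "target_date": date(2025, 9, 1), "status": "open", "evidence": ""},
    {"risk_id": "R-3", "action": "Apply vendor patches", "owner": "",
     "target_date": None, "status": "resolved", "evidence": ""},
]


def audit_register(analysis_date, risks, register, today, max_age_days=365):
    """Return one finding string per gap an investigator would ask about."""
    findings = []
    # Step 1: the analysis itself must be current (12-month threshold is an assumption).
    if (today - analysis_date).days > max_age_days:
        findings.append(f"risk analysis dated {analysis_date} is older than {max_age_days} days")
    by_risk = {entry["risk_id"]: entry for entry in register}
    for risk_id, description in risks.items():
        entry = by_risk.get(risk_id)
        # Step 2: every identified risk needs a corresponding management entry.
        if entry is None:
            findings.append(f"{risk_id}: no management entry ({description})")
            continue
        if not entry["owner"]:
            findings.append(f"{risk_id}: no responsible party")
        if entry["target_date"] is None:
            findings.append(f"{risk_id}: no target completion date")
        elif entry["status"] == "open" and entry["target_date"] < today:
            findings.append(f"{risk_id}: open past target date {entry['target_date']}")
        # Step 4: a resolved item is only credible with evidence of implementation.
        if entry["status"] == "resolved" and not entry["evidence"]:
            findings.append(f"{risk_id}: marked resolved without implementation evidence")
    return findings


if __name__ == "__main__":
    for finding in audit_register(RISK_ANALYSIS_DATE, IDENTIFIED_RISKS, RISK_REGISTER, date(2026, 4, 15)):
        print(finding)
```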
Warning
The Security Rule NPRM proposed in 2025 would make many of these practices required specifications rather than addressable. Whether or not the NPRM is finalized, OCR is enforcing these expectations today under existing rules.
OCR's message in 2026 is direct: knowing your risks and doing nothing about them is the worst position you can be in. A documented risk analysis combined with documented risk management actions is your primary defense in any OCR investigation.
Sources & citations
- OCR Risk Management Guidance Video — April 2026
- 45 CFR §164.308(a)(1)(ii)(B) — Risk Management
- Clearwater Security — HIPAA Security Rule Enforcement 2026
All content verified against official HHS guidance and the Code of Federal Regulations.
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.