HHS’s privacy regulator is preparing guidance to help covered entities better understand their responsibilities under the HIPAA Security Rule.
According to a notice published by the HHS Office for Civil Rights, the agency is preparing a recorded video presentation focused on the risk management requirement within the HIPAA Security Rule and is inviting regulated entities to submit questions for inclusion. OCR noted that risk analysis and risk management failures continue to appear frequently in breach investigations and enforcement actions. The upcoming presentation will outline what the rule expects, how organizations can approach the process, and the common issues that lead to findings during OCR reviews.
A risk analysis identifies vulnerabilities that could affect the confidentiality, integrity, or availability of electronic protected health information. Once those risks are known, the risk management process requires organizations to apply measures that bring them to a reasonable and appropriate level. OCR has repeatedly stressed that these steps must be documented, regularly updated, and tied to actual operational practices rather than one-time assessments. Small and medium-sized entities can use OCR’s published tools to structure their work, but the expectation remains that regulated organizations tailor controls to their environment, technology, and data flows.
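The process described above, and the common shortfall of performing an initial assessment without documented follow-up, can be made concrete as a risk register that records each identified risk, its likelihood and impact, the safeguards applied, and when it was last reviewed. The following is an added illustration written for this article; it is not OCR's Security Risk Assessment tool or any HHS code, and its scoring scale, acceptable-risk threshold, review interval and the sample entries are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed three-level ordinal scale (not an OCR-defined scale); risk score = likelihood * impact.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    """One entry in the risk register produced by the risk analysis."""
    risk_id: str
    asset: str              # system or workflow that stores or transmits ePHI
    threat: str             # threat or vulnerability identified in the analysis
    likelihood: str
    impact: str
    mitigations: List[str] = field(default_factory=list)   # documented follow-up safeguards
    last_reviewed: Optional[date] = None                   # None = never reviewed after creation

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def find_gaps(register: List[Risk], today: date,
              acceptable_score: int = 2,
              review_interval_days: int = 365) -> List[Tuple[str, str]]:
    """Flag register entries that would draw attention in a review:
    risks above the assumed acceptable level with no documented mitigation,
    and risks whose last review is older than the assumed interval."""
    findings = []
    for risk in register:
        if risk.score() > acceptable_score and not risk.mitigations:
            findings.append((risk.risk_id, "no documented mitigation"))
        overdue = (risk.last_reviewed is None
                   or (today - risk.last_reviewed).days > review_interval_days)
        if overdue:
            findings.append((risk.risk_id, "review overdue"))
    return findings


# Constructed sample register; dates and entries are illustrative only.
TODAY = date(2025, 6, 1)
SAMPLE_REGISTER = [
    Risk("R1", "EHR database server", "unpatched OS vulnerability",
         "high", "high", mitigations=[], last_reviewed=date(2023, 1, 15)),
    Risk("R2", "clinician laptops", "loss or theft of device",
         "medium", "high",
         mitigations=["full-disk encryption", "remote wipe via MDM"],
         last_reviewed=date(2025, 3, 1)),
    Risk("R3", "archived paper charts", "unauthorized physical access",
         "low", "low", mitigations=[], last_reviewed=None),
]

if __name__ == "__main__":
    for risk_id, issue in find_gaps(SAMPLE_REGISTER, TODAY):
        print(f"{risk_id}: {issue}")
```

Run as a script, the sample register reports R1 twice (high-scoring risk with no recorded safeguard, and a review more than a year old) and R3 once (never reviewed); R2 is clean because its mitigations are recorded and its review is recent. The point of the structure is that the register, not a one-time spreadsheet, is the artifact an investigator would expect to see: every risk carries its treatment decision and a review date.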
Nick Heesters, OCR’s Senior Advisor for Cybersecurity, will lead the recorded presentation and discuss what regulated entities must do to meet the requirements of the risk management provision. The agency stated that it hopes to address practical questions about implementing safeguards, using available cybersecurity resources, and understanding how OCR assesses potential violations.
OCR’s request for questions comes at a moment when risk management failures continue to surface in investigations. Recent enforcement actions, including the $3,000,000 penalty issued to Solara Medical Supplies and the $1,500,000 HIPAA penalty involving Warby Parker, Inc., show how often organizations fall short on documenting risks and following through on mitigation steps. OCR is developing “HHS’ OCR Presents: The HIPAA Security Rule: Risk Management” to address those gaps more directly, and the agency has said it wants to ensure the presentation reflects the practical challenges entities raise. The effort points to a broader push to clarify expectations and help organizations build risk management processes that are repeatable, defensible, and aligned with the Security Rule.
Many organizations complete an initial assessment but do not document follow-up steps or apply controls that directly address identified risks.
A risk analysis identifies vulnerabilities and threats, while risk management applies measures to reduce those risks to a reasonable and appropriate level.
No. It will supplement existing written guidance and offer additional explanations based on questions submitted by regulated entities.
OCR’s announcement invites HIPAA-regulated entities, which typically include covered entities and business associates.
OCR indicated it expects to discuss implementation steps, use of cybersecurity resources, and observations from recent investigations involving risk management shortcomings.