It’s the most-cited deficiency in OCR enforcement — and in 2026 the question moved from “did you do one” to “what did you do about it.” What a defensible risk analysis contains, and how it’s tested.
The HIPAA Security Rule requires an "accurate and thorough" risk analysis (§164.308(a)(1)(ii)(A)) covering all ePHI your organization creates, receives, maintains, or transmits — and it's the single most-cited deficiency in OCR enforcement. As of 2026, OCR has formally expanded its enforcement initiative beyond whether you did a risk analysis to whether you acted on it: documented risk management, remediated findings, and proof. A checklist or gap analysis does not qualify, and willful-neglect findings carry penalties of $73,011 per day, per violation.
If OCR investigates your organization — after a breach, a complaint, or increasingly as part of its proactive enforcement initiative — the first document request is predictable: your current risk analysis. More than half of recent Security Rule enforcement actions resolved alleged violations of this one requirement. It is the diagnosis behind almost every penalty; the breach is just the symptom.
OCR's expectations, drawn from its guidance and the pattern of its enforcement actions, come down to six properties:
OCR is explicit on this distinction, and organizations fail on it constantly. A gap analysis compares you to a checklist of controls. A risk analysis identifies threats and vulnerabilities to your ePHI and assesses likelihood and impact. Submitting a framework gap assessment in response to an OCR request for your risk analysis is itself a finding — and it's one of the most common ways covered entities discover the difference.
OCR launched its risk analysis enforcement initiative in 2023 after finding that missing or inadequate risk analyses were the common thread in breach investigations. The initiative has produced a steady stream of settlements and civil monetary penalties since — 2024 closed 22 enforcement actions, 2025 accelerated, and the initiative continues through 2026, now formally expanded to include risk management: what you did about the findings. Penalties scale with culpability, and the pattern is consistent — they escalate sharply when entities identified a risk and let it persist across years, or couldn't produce an analysis at all. Organization size is no shield; OCR has penalized solo practices alongside health systems.
Meanwhile, the proposed Security Rule overhaul — which would convert "addressable" specifications to required, mandate asset inventories, encryption, and MFA — remains in rulemaking, contested and subject to timeline slips. The practical guidance doesn't depend on its outcome: the proposal largely codifies what OCR already enforces through penalties. Build to the enforcement record and the rulemaking becomes a formality.
| Component | What OCR looks for |
|---|---|
| Scope statement | All ePHI locations and flows, including cloud, mobile, devices, and business associates |
| Asset inventory | Current, maintained, and reconciled against the scope statement |
| Threat & vulnerability register | Specific, environment-grounded, updated as the environment changes |
| Risk determinations | Likelihood × impact with documented rationale, producing a prioritized register |
| Risk management plan | Findings mapped to remediation decisions, owners, and dates — the 2026 focus |
| Evidence of implementation | Proof the plan executed: configurations, validations, closed items |
| Review cadence | Periodic re-assessment, and re-assessment triggered by environmental change |
The pattern in that table is the pattern of the whole requirement: documentation that connects. Analysis to findings, findings to decisions, decisions to evidence. PRISM is built around exactly that chain for the full HIPAA technical safeguard catalog — AI document analysis maps your existing policies and artifacts to each safeguard, flags what's missing, and maintains the evidence-to-requirement links an OCR request would test. And for healthcare specifically, one architectural fact matters more than any feature: Iris, the AI engine, runs on self-hosted GPU infrastructure. Your PHI never touches a third-party API — which means the tool you use to prove HIPAA compliance isn't itself a business associate headache.