A formal assessment. An ongoing obligation. Not a checklist.
A HIPAA risk analysis is a formal assessment that identifies threats and vulnerabilities to the protected health information an organization creates, receives, maintains, or transmits. It is required under the HIPAA Security Rule at 45 CFR 164.308(a)(1).
It is not a one-time event. It is an ongoing process that must be documented, reviewed, and updated whenever there is a material change to the organization's operations or technology environment.
OCR has consistently identified the absence of a documented risk analysis as a significant factor in enforcement actions. It is among the most frequently cited deficiencies across investigated complaints.
Source: HHS Office for Civil Rights · 2024 Annual Report to Congress
Six elements HHS considers essential.
According to HHS guidance, a compliant risk analysis must address the following areas.
- The scope of the analysis — all ePHI the organization creates, receives, maintains, or transmits regardless of medium or format
- The identification of reasonably anticipated threats to that information, including both internal and external threats
- The identification of current security measures and whether they are sufficient to address identified threats
- The likelihood and potential impact of each identified threat materializing
- A risk level assigned to each identified vulnerability
- Documentation of all findings sufficient to support review and audit
Risk analyses completed before 2023 were generally not designed to address AI tools, as consumer AI adoption in professional workflows occurred after most existing documentation was prepared.
Source: HHS Security Risk Assessment Guidance · 2023
The technology moved faster than the documentation.
Before 2023, a HIPAA risk analysis at a small covered entity typically addressed a narrow set of technology risks. Email. Laptops. Cloud file storage. Remote access. AI tools were not part of the risk conversation because they were not part of the workflow.
That changed quickly. Consumer AI tools entered professional workflows at a pace compliance frameworks were not built to absorb.
In January 2025, OCR proposed the first significant update to the HIPAA Security Rule in over two decades. Among the proposed changes, organizations would be explicitly required to include AI tools that interact with PHI in their formal risk analysis. The proposed rule has not been finalized. Organizations should monitor HHS communications and consult qualified legal counsel regarding applicability.
Organizations that have adopted AI tools without updating their risk analysis documentation may have a gap under the current Security Rule framework, not only under the proposed update.
Qualified legal counsel can help assess specific exposure.
Source: HHS NPRM · January 2025
Documented reasonable effort is what moves the needle.
When OCR investigates a complaint or breach, one of the first documents it requests is the organization's most recent risk analysis.
OCR's penalty structure distinguishes between organizations based on documented evidence of reasonable effort. Organizations with current, thorough risk analysis documentation are generally better positioned in any enforcement inquiry than those without.
The standard OCR applies is not perfection. It is reasonable effort, documented.
Source: HHS OCR Enforcement Overview · 2024
Periodically and in response to operational change.
HIPAA does not specify a fixed update interval. The requirement is that the risk analysis be reviewed and updated periodically and in response to environmental or operational changes.
OCR guidance suggests organizations review their risk analysis at least annually and whenever there is a significant change such as a new technology adoption, a change in workforce, a new vendor relationship, or a regulatory update.
The introduction of AI tools into an organization's workflow represents the kind of operational change that typically warrants a risk analysis review.
Source: HHS Security Rule Guidance
Start by understanding your current posture.
MMC Signal works with organizations to assess their current AI tool usage against applicable compliance frameworks, document identified gaps, and help address them using infrastructure the organization already has.
We do not provide legal advice or compliance certification. Organizations should consult qualified HIPAA legal counsel regarding their specific risk analysis obligations.