Community Provider x The Risk-Analysis Finding
What the Office for Civil Rights looks for first after a breach, and why the quiet months before an investigation decide the outcome.
The federal posture toward healthcare data breaches changed in late 2024, and most providers have not caught up to it. The HHS Office for Civil Rights (OCR) opened a dedicated Risk Analysis Initiative, taking a single HIPAA Security Rule provision it had long flagged as the most common area of noncompliance and elevating it into a standing enforcement priority. Since then the pattern in its settlements has been consistent to the point of monotony. In April 2026, OCR announced four settlements with healthcare organizations in a single day, totaling just over $1.16 million, and every one turned on the same finding: the organization had never conducted an accurate, enterprise-wide risk analysis (HHS Office for Civil Rights). By early 2026, OCR had resolved more than fifty HIPAA enforcement actions under its recent initiatives, a large share of them resting on that one deficiency. This is happening against a breach environment that is not receding. The HIPAA Journal recorded 66 large breaches reported in March 2026 alone, most of them hacking and IT incidents, which is the category OCR ties most directly back to an inadequate risk analysis.
The organizations feeling this most acutely are not the large systems with a chief information security officer and a standing compliance function. They are community hospitals, critical-access facilities, behavioral health and substance-use providers, and community health centers: places where the breach has already been disclosed, the notification letters have gone out, and the immediate incident response is winding down. What remains is a quieter problem these providers tend to underestimate. A breach disclosure does not close the matter; it starts a clock. OCR reviews reported breaches, and for a hacking incident of any real scale the near-inevitable first question is whether a compliant risk analysis existed at the time of the breach. The provider that just spent three weeks on containment and credit-monitoring letters is often the same provider that has never produced the document OCR asks for first, and does not yet realize that the review it should be preparing for is the one that has not arrived.
Three things about that document are routinely misunderstood. The first is that the requirement is exact: an accurate and thorough assessment of the risks and vulnerabilities to all electronic protected health information across the entire enterprise, under 45 CFR 164.308(a)(1)(ii)(A). A vendor security questionnaire, a penetration test, or a generic controls checklist is not this, and OCR has repeatedly declined to treat them as this. The second is that the remedy is not a fine and done. OCR's resolution agreements install multi-year corrective action plans that compel an enterprise-wide risk analysis, a risk management plan, rewritten policies, workforce training, and regular reporting back to OCR, frequently under two to three years of supervision (HHS Office for Civil Rights). The third, and least understood, is that the enforcement the public sees is heavily lagged. OCR typically announces a settlement six to nine months after the corrective action plan is signed, and years after the underlying breach. By the time a provider reads that a peer was penalized, that peer resolved its exposure long ago. The window that actually decides the outcome, the months just after disclosure and before an investigation opens, is invisible in the headlines precisely because nothing has been announced yet.
This is where the reflexive responses fail. In-house IT at a small provider, often a lean team or an outsourced managed-service provider oriented toward uptime and support, is not built to produce an audit-defensible enterprise risk analysis, and generally knows it. The generalist security firm brought in after a breach tends to deliver a technical assessment, a gap scan, or a fix for the specific vulnerability that was exploited, none of which is the risk-analysis and risk-management documentation OCR actually cites. Generic compliance software can generate a report, but a report is not a defensible analysis read the way an OCR investigator reads one. The competence that closes this gap is narrow: healthcare-specific governance, risk, and compliance work, performed by people whose entire practice is HIPAA risk analysis and remediation and who understand what a corrective action plan will demand before one is ever issued. It is not a capability most providers can assemble from whoever happens to be nearest.
The exposure is also not a one-time cleanup. The Security Rule amendment OCR proposed in January 2025 would make an annual risk analysis, a complete asset inventory, and controls such as encryption and multi-factor authentication explicit and recurring obligations rather than the loosely enforced expectations they have been (Federal Register, Jan. 6, 2025). For substance-use providers, civil enforcement of the confidentiality rules under 42 CFR Part 2 took effect on February 16, 2026, layering a second regime onto the same records (HHS). A problem that recurs every year by design is not one a generalist handles well as a side capability. It is the kind of problem a dedicated specialist exists to carry.
The specialist who does only this, for exactly this kind of provider, exists. For an organization inside that window, an introduction is available at no cost to it. Reach out if this aligns.
By Your Presence is a quiet introductions practice. If this Field Note describes something you're navigating, you can write in directly: javien@byyourpresence.com.