Your HIPAA security risk assessment is due by December. Doing it is not passing it.

Every organization fined under the government's Risk Analysis Initiative had done some kind of security risk assessment. None of it held up. This is what separates a risk analysis that passes from one that becomes evidence against you.
This April, federal regulators announced settlements with four healthcare organizations that had been hit by ransomware: a women's health network, an imaging provider, a benefits administrator, and an employer health plan. Together they paid $1.165 million, and together they had exposed the records of more than 427,000 people.
Here is the detail worth sitting with. The attacks happened in 2020 and 2021. The fines arrived in 2026.
That is how HIPAA enforcement actually works. A breach today becomes a federal investigation that resolves four or five years from now. And when the Office for Civil Rights (OCR) comes asking, the first document it requests is not your firewall config or your antivirus invoices. It is your security risk analysis, the written assessment of where your patient data lives and what threatens it. All four organizations fined in April were cited for the same failure. It was not that they had never done an assessment. It was that what they had could not pass as "accurate and thorough."
OCR's director, Paula Stannard, put the agency's logic plainly this February: organizations "cannot protect electronic protected health information if they haven't identified potential risks and vulnerabilities to that health information." You cannot defend what you never mapped.
The gap between doing the security risk assessment and passing it
OCR does fine organizations after breaches. But read the resolution agreements and a sharper pattern appears. The penalty rarely turns on the breach itself. It turns on what the investigation finds underneath, and what it keeps finding is a risk analysis that exists but does not hold up: outdated, partial, or disconnected from how the organization actually operates.
That is deliberate. In late 2024 OCR launched a dedicated Risk Analysis Initiative to make exactly this point, and it has now completed 13 enforcement actions under it alongside 19 ransomware investigations overall. The targets are not only big systems. February's settlement was a small Illinois addiction treatment center that fell to a phishing email, about $103,000 plus two years of federal monitoring. March's was a dental software vendor.
The fine print, charted
Every organization below had done an assessment of some kind. None of them passed.
[Chart: Federal HIPAA settlements citing risk-analysis failures, October 2024 to April 2026.] Note the range, from a $10,000 fine on a small surgical group to $3 million. And note who is on it: treatment centers, imaging providers, one hospital, and several vendors.
An assessment that exists but cannot pass does not just fail to protect you. It actively works against you, because a half-done document records your gaps without a plan to close them. Regulators expect findings to flow into a remediation plan with owners, timelines, and budgets. A list of problems with no follow-through is, in an investigator's hands, evidence.
The most common way assessments fail: scope
The federal breach list itself shows where assessments fall short. The most common failure is not a missing document. It is a document that describes a smaller organization than the one that actually exists: the one without the new cloud system, the telehealth platform, the AI scribe, or the billing vendor that now holds half the patient data.
[Chart: Where assessments fall short. An assessment that stops at your own walls cannot pass. Share of reported breaches where a business associate was involved: a billing company, software vendor, cloud host, or transcription service. Source: HHS OCR breach portal, 2009 to 2026.]
What this means for your SRA: 42% of breaches on this year's federal investigation list involve a vendor, roughly double the share of the early 2010s. OCR expects the risk analysis to cover everywhere patient data lives, including the vendors who touch it. The proposed HIPAA Security Rule update would make vendor assessment explicit and require refreshing the analysis at least every 12 months.
Why this matters in June, specifically
First, about that December deadline. The HIPAA Security Rule itself sets no calendar date; it requires the analysis to be accurate, thorough, and current. The deadline most practices actually feel comes from Medicare: the MIPS Promoting Interoperability program requires the security risk analysis to be conducted within the calendar year, which makes December 31 the effective due date for anyone who bills Medicare. And starting with the 2026 performance year, CMS requires two attestations instead of one: that you conducted the risk analysis, and that you conducted risk management on what it found. The regulators have now written the point of this article into the rulebook. Doing the assessment is no longer enough to attest. Acting on it is part of the requirement.
Most organizations still treat all of this as year-end paperwork, something to rush in December alongside everything else that expires. The data above is the argument against that.
Not sure whether your current risk analysis would hold up?
Jason Lee, Z Cyber's Managing Director, is opening a limited number of free 30-minute HIPAA readiness reviews. Jason has spent 25+ years across cybersecurity, GRC, cloud security, and executive risk advisory.
Bring your last SRA, or bring nothing at all. You will leave knowing whether what you have would survive an investigator's first document request, and what to fix before December.
A risk analysis finished on December 20th proves one thing: that on December 20th, you wrote down your problems. It gives you no time to fix any of them before the next renewal, audit, or incident. Done in June, the same document becomes something else entirely. It becomes a finding list with six months of runway to close the gaps, so that what an auditor, insurer, or investigator eventually sees is not a confession but a record of problems found and fixed.
There is a second reason. OCR's guidance is clear that a risk analysis is not a once-a-year ritual in the first place. It must be refreshed when your environment materially changes. Switched EHRs? Moved systems to the cloud? Added telehealth? Signed an AI scribe or a new billing vendor? Each of those changes where your patient data lives, which means the analysis you did last year may no longer describe the organization you are now. If any of those happened since your last assessment, the clock has already restarted, whether or not December feels far away. Our guide to the HIPAA Security Rule covers what a complete analysis must include, and the pending Security Rule update would make the 12-month refresh explicit.
What a defensible HIPAA risk analysis looks like
The difference between doing the SRA and passing it comes down to what the document can prove. A defensible risk analysis covers every system that touches patient data, including vendors. It cites the specific rule each finding maps to. It ranks findings by risk, names an owner for each fix, and shows the dates work started and finished. That is the standard OCR holds organizations to in every settlement above, and it is the standard your cyber insurance carrier and enterprise customers increasingly apply too.
We built our free HIPAA Security Risk Assessment for exactly this. Answer 50 questions drawn from the official HHS assessment tool, about 15 minutes, and two reports land in your inbox the moment you finish: an executive summary with a letter grade your leadership can read, and a detailed findings report where every gap is mapped to the specific HIPAA citation it touches, ranked by risk, with a recommended fix. Not a score for the sake of a score. A finding list with enough runway left in the year to act on it.
Sources: HHS OCR Breach Portal (full archive and under-investigation list, exported June 9, 2026); HHS press release, April 23, 2026; McDonald Hopkins, March 2026; OCR Risk Analysis Initiative resolution agreements, 2024 to 2026. Per-capita rates use 2024 U.S. Census population estimates.
Frequently Asked Questions
Is the HIPAA security risk analysis due by December 31?
The HIPAA Security Rule itself sets no calendar deadline; it requires the risk analysis to be accurate, thorough, and kept current. The December 31 deadline most practices experience comes from Medicare's MIPS Promoting Interoperability program, which requires the security risk analysis to be conducted within the calendar year of the performance period. Starting with the 2026 performance year, CMS also requires a second attestation confirming that risk management activities were conducted on the findings, so completing the assessment alone is no longer sufficient to attest.
What does OCR ask for first after a healthcare data breach?
When the HHS Office for Civil Rights investigates a reported breach, the first document it typically requests is the organization's security risk analysis, required by 45 CFR 164.308(a)(1)(ii)(A). In the four ransomware settlements OCR announced in April 2026, every organization was cited for failing to conduct an accurate and thorough risk analysis. The penalty rarely turns on the breach itself. It turns on whether the organization can produce a current, complete assessment of where its patient data lives and what threatens it.
How often does a HIPAA risk analysis need to be updated?
OCR guidance treats the risk analysis as an ongoing process, not a one-time document. It should be refreshed at least annually and whenever the environment materially changes, for example after switching EHR systems, moving to cloud hosting, adding telehealth, or signing a significant new vendor such as an AI scribe or billing service. The proposed HIPAA Security Rule update would make the 12-month refresh an explicit requirement and would add vendor risk assessment to the required scope.
Do small practices really get fined for HIPAA risk analysis failures?
Yes. Settlements citing risk-analysis failures between October 2024 and April 2026 ranged from $10,000 against a small Michigan surgical group to $3 million against a medical supplier. The list includes an ambulance service, an addiction treatment center, imaging providers, an employer health plan, and several business associates. Two-thirds of all breaches ever reported to HHS affected fewer than 10,000 people, and the median breach affected 3,787, so federal scrutiny is not reserved for large health systems.
What share of healthcare breaches involve a business associate or vendor?
Based on Z Cyber's analysis of the HHS OCR breach portal, 42% of breaches on the 2026 federal investigation list involve a business associate, roughly double the share of the early 2010s. That includes billing companies, software vendors, cloud hosts, and transcription services. A HIPAA risk analysis that does not cover vendor relationships misses almost half of the actual breach risk.
Why do HIPAA fines arrive years after the breach?
OCR investigations routinely take four to six years to resolve. The four ransomware settlements announced in April 2026 covered attacks that happened in 2020 and 2021. This lag means a breach today becomes a document request years from now, and the document that decides the outcome is the risk analysis on file at the time of the incident and the remediation record that followed it.