{"id":823,"date":"2026-05-27T11:23:50","date_gmt":"2026-05-27T15:23:50","guid":{"rendered":"https:\/\/eagleassociates.net\/news\/?p=823"},"modified":"2026-05-27T11:23:51","modified_gmt":"2026-05-27T15:23:51","slug":"risk-management-for-hipaa-security","status":"publish","type":"post","link":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/","title":{"rendered":"Risk Management for HIPAA Security"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em><strong>Note: This is an abridged version of the article. For more details regarding risk management, technical assessments, and additional resources, please sign in to <a href=\"https:\/\/eagleassociates.net\/member-services-online\/\">Member Services<\/a>.<\/strong><\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Risk Management for HIPAA Security<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In a recent video, the Office for Civil Rights (OCR) announced that it is expanding its Security Risk Analysis (SRA) enforcement initiative to include Risk Management (RM). RM is a requirement within HIPAA\u2019s Security Rule at paragraphs 164.306(a), and 164.308(a)(B), and is intended to ensure that actions are taken to reduce risks and vulnerabilities to a reasonable, appropriate level.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before risk management (RM) activities begin, entities should:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>identify risks and vulnerabilities<\/li>\n\n\n\n<li>consider risks and vulnerabilities to all EPHI created, received, maintained or transmitted<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">One of the best ways to identify and consider risks and vulnerabilities is to conduct an SRA on a regular basis (annually and\/or whenever significant changes are made to the network or information systems). 
An SRA can help inform the RM decisions, because the SRA process brings risks and vulnerabilities to light, and allows entities to document what is currently in place and see where improvement is needed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Understanding Risks<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Although the Security Rule is flexible and scalable, and no one technology or solution is required to achieve compliance, some commonly utilized approaches address known risks, and therefore should be implemented.&nbsp; No specific type of approach is required, but safeguards must be in place and evaluated to determine whether they are properly reducing risk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s not enough to just do \u201csomething.\u201d The action taken must reduce risk to a reasonable, appropriate level. For example, let\u2019s say an entity implements a requirement for password length, but the requirement is weak. Does a four-character password sufficiently reduce risk?&nbsp; The answer is no.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Many known threats can be reasonably anticipated, such as power outages, natural disasters and cyberattacks. In 2025, 76% of large breaches were caused by hackers\/cyberattacks. An important part of RM is to review security measures and modify them as needed to protect against new strains of ransomware and recently discovered vulnerabilities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If an entity were investigated, OCR would send a data request asking for RM policies and procedures, and evidence that security measures were implemented.&nbsp; Policies and procedures are important but alone are not evidence of implementation.&nbsp; For example, an entity could have policies but not be following them. 
In addition, remediation and corrective actions are often delayed year after year.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Implementing Risk Management<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If implementation is not completed, then the entity is not in compliance with the RM standard.&nbsp; Prioritizing RM within the constraints of budget and operational capability allows entities to consider factors such as size, complexity and capability, technical infrastructure, costs of security measures and probability of potential risks. Cost is not meant to free an entity completely from obligations under the Security Rule. OCR would assess whether risks and vulnerabilities were reduced to a reasonable and appropriate level. Mitigation plans, time frames, approvals and status reports can help an entity to demonstrate that it is taking steps to implement RM.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Technical Assessments<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Security Rule does not require third parties to perform assessments, so an internal IT team or your existing IT vendor could be used to provide assessments, reports, etc.&nbsp; Third parties can help to verify and assess network and system security and can be a useful tool.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Resources<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><em>Note that subscribers to Eagle Associates HIPAA Compliance System (HCS) have access to policies, an implementation guide, staff training, and a Security Risk Analysis tool, along with support for questions.<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Note: This is an abridged version of the article. For more details regarding risk management, technical assessments, and additional resources, please sign in to Member Services.
Risk Management for HIPAA Security In a recent video, the Office for Civil Rights (OCR) announced that it is expanding its Security Risk Analysis (SRA) enforcement initiative to include&#8230; <span class=\"more\"><a class=\"more-link\" href=\"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/\">Continue reading <span class=\"meta-nav\">&#8594;<\/span><\/a><\/span><\/p>\n","protected":false},"author":4,"featured_media":826,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[],"class_list":["post-823","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eagle-staff"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Risk Management for HIPAA Security | Eagle Associates News<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Risk Management for HIPAA Security | Eagle Associates News\" \/>\n<meta property=\"og:description\" content=\"Note: This is an abridged version of the article. For more details regarding risk management, technical assessments, and additional resources, please sign in to Member Services. Risk Management for HIPAA Security In a recent video, the Office for Civil Rights (OCR) announced that it is expanding its Security Risk Analysis (SRA) enforcement initiative to include... 
Continue reading &#8594;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Eagle Associates News\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-27T15:23:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-27T15:23:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/eagleassociates.net\/news\/wp-content\/uploads\/2026\/05\/AdobeStock_1558694215-scaled.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1707\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"jennifer@eagleassociates.net\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"jennifer@eagleassociates.net\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/\"},\"author\":{\"name\":\"jennifer@eagleassociates.net\",\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/#\\\/schema\\\/person\\\/6da6ff9a5209cf0349930d046406825d\"},\"headline\":\"Risk Management for HIPAA Security\",\"datePublished\":\"2026-05-27T15:23:50+00:00\",\"dateModified\":\"2026-05-27T15:23:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/\"},\"wordCount\":593,\"image\":{\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/AdobeStock_1558694215-scaled.jpeg\",\"articleSection\":[\"eagle associates staff\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/\",\"url\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/\",\"name\":\"Risk Management for HIPAA Security | Eagle Associates 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/AdobeStock_1558694215-scaled.jpeg\",\"datePublished\":\"2026-05-27T15:23:50+00:00\",\"dateModified\":\"2026-05-27T15:23:51+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/#\\\/schema\\\/person\\\/6da6ff9a5209cf0349930d046406825d\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/#primaryimage\",\"url\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/AdobeStock_1558694215-scaled.jpeg\",\"contentUrl\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/AdobeStock_1558694215-scaled.jpeg\",\"width\":2560,\"height\":1707,\"caption\":\"Business meeting account managers crew working search page on computer with new startup project. 
Idea presentation, analyze plans.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/2026\\\/05\\\/risk-management-for-hipaa-security\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Risk Management for HIPAA Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/#website\",\"url\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/\",\"name\":\"Eagle Associates News\",\"description\":\"News and More from Eagle Associates, Inc.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/eagleassociates.net\\\/news\\\/#\\\/schema\\\/person\\\/6da6ff9a5209cf0349930d046406825d\",\"name\":\"jennifer@eagleassociates.net\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c6939a8aee6cb39ce286feabd945c1f791069839e62b53d9605db4cbb3cb7da1?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c6939a8aee6cb39ce286feabd945c1f791069839e62b53d9605db4cbb3cb7da1?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c6939a8aee6cb39ce286feabd945c1f791069839e62b53d9605db4cbb3cb7da1?s=96&d=mm&r=g\",\"caption\":\"jennifer@eagleassociates.net\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Risk Management for HIPAA Security | Eagle Associates News","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/","og_locale":"en_US","og_type":"article","og_title":"Risk Management for HIPAA Security | Eagle Associates News","og_description":"Note: This is an abridged version of the article. For more details regarding risk management, technical assessments, and additional resources, please sign in to Member Services. Risk Management for HIPAA Security In a recent video, the Office for Civil Rights (OCR) announced that it is expanding its Security Risk Analysis (SRA) enforcement initiative to include... Continue reading &#8594;","og_url":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/","og_site_name":"Eagle Associates News","article_published_time":"2026-05-27T15:23:50+00:00","article_modified_time":"2026-05-27T15:23:51+00:00","og_image":[{"width":2560,"height":1707,"url":"https:\/\/eagleassociates.net\/news\/wp-content\/uploads\/2026\/05\/AdobeStock_1558694215-scaled.jpeg","type":"image\/jpeg"}],"author":"jennifer@eagleassociates.net","twitter_card":"summary_large_image","twitter_misc":{"Written by":"jennifer@eagleassociates.net","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/#article","isPartOf":{"@id":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/"},"author":{"name":"jennifer@eagleassociates.net","@id":"https:\/\/eagleassociates.net\/news\/#\/schema\/person\/6da6ff9a5209cf0349930d046406825d"},"headline":"Risk Management for HIPAA Security","datePublished":"2026-05-27T15:23:50+00:00","dateModified":"2026-05-27T15:23:51+00:00","mainEntityOfPage":{"@id":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/"},"wordCount":593,"image":{"@id":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/#primaryimage"},"thumbnailUrl":"https:\/\/eagleassociates.net\/news\/wp-content\/uploads\/2026\/05\/AdobeStock_1558694215-scaled.jpeg","articleSection":["eagle associates staff"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/","url":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/","name":"Risk Management for HIPAA Security | Eagle Associates 
News","isPartOf":{"@id":"https:\/\/eagleassociates.net\/news\/#website"},"primaryImageOfPage":{"@id":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/#primaryimage"},"image":{"@id":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/#primaryimage"},"thumbnailUrl":"https:\/\/eagleassociates.net\/news\/wp-content\/uploads\/2026\/05\/AdobeStock_1558694215-scaled.jpeg","datePublished":"2026-05-27T15:23:50+00:00","dateModified":"2026-05-27T15:23:51+00:00","author":{"@id":"https:\/\/eagleassociates.net\/news\/#\/schema\/person\/6da6ff9a5209cf0349930d046406825d"},"breadcrumb":{"@id":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/#primaryimage","url":"https:\/\/eagleassociates.net\/news\/wp-content\/uploads\/2026\/05\/AdobeStock_1558694215-scaled.jpeg","contentUrl":"https:\/\/eagleassociates.net\/news\/wp-content\/uploads\/2026\/05\/AdobeStock_1558694215-scaled.jpeg","width":2560,"height":1707,"caption":"Business meeting account managers crew working search page on computer with new startup project. 
Idea presentation, analyze plans."},{"@type":"BreadcrumbList","@id":"https:\/\/eagleassociates.net\/news\/2026\/05\/risk-management-for-hipaa-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/eagleassociates.net\/news\/"},{"@type":"ListItem","position":2,"name":"Risk Management for HIPAA Security"}]},{"@type":"WebSite","@id":"https:\/\/eagleassociates.net\/news\/#website","url":"https:\/\/eagleassociates.net\/news\/","name":"Eagle Associates News","description":"News and More from Eagle Associates, Inc.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/eagleassociates.net\/news\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/eagleassociates.net\/news\/#\/schema\/person\/6da6ff9a5209cf0349930d046406825d","name":"jennifer@eagleassociates.net","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/c6939a8aee6cb39ce286feabd945c1f791069839e62b53d9605db4cbb3cb7da1?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/c6939a8aee6cb39ce286feabd945c1f791069839e62b53d9605db4cbb3cb7da1?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c6939a8aee6cb39ce286feabd945c1f791069839e62b53d9605db4cbb3cb7da1?s=96&d=mm&r=g","caption":"jennifer@eagleassociates.net"}}]}},"_links":{"self":[{"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/posts\/823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/comments?post=823"}
],"version-history":[{"count":2,"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/posts\/823\/revisions"}],"predecessor-version":[{"id":825,"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/posts\/823\/revisions\/825"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/media\/826"}],"wp:attachment":[{"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/media?parent=823"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/categories?post=823"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eagleassociates.net\/news\/wp-json\/wp\/v2\/tags?post=823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}