On April 15, 2026, a Houston family practice received notification that the HHS Office for Civil Rights (OCR) had initiated a compliance review following a patient complaint. The investigation focused not on the complaint itself, but on the practice's security risk assessment documentation. After 67 days of review, OCR issued a $127,000 settlement for failure to conduct a thorough and accurate assessment of security risks to electronic protected health information. The practice did have a risk assessment document: 12 pages of generic template content that did not address its specific systems, threats, or vulnerabilities.
Security risk assessments have become OCR's top enforcement priority for 2026. In the first quarter, 78% of OCR settlements involved deficiencies in risk assessment processes, with average penalties increasing to $145,000 for assessment-related violations. Texas medical practices face particular scrutiny, appearing in 23% of national risk assessment enforcement actions despite representing only 8% of covered entities.
The Houston practice's experience illustrates common risk assessment failures. Their document was a purchased template with blank fields filled in haphazardly. It listed generic threats like "hacking" and "malware" without analyzing the practice's specific EHR configuration, network architecture, or vendor relationships. It identified no actual vulnerabilities, documented no risk analysis methodology, and contained no evidence that the assessment informed security decisions. When OCR investigators asked how the practice had prioritized security investments, the answer revealed that the assessment had been a compliance checkbox exercise with no operational impact.
The HIPAA Security Rule Assessment Requirement
Section 164.308(a)(1)(ii)(A) of the HIPAA Security Rule requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. This requirement sounds straightforward, but OCR's 2026 enforcement guidance has clarified specific expectations that many practices fail to meet:
Accuracy requires specificity. Generic assessments that could apply to any healthcare organization do not satisfy the requirement. OCR expects assessments to identify specific systems, analyze actual configurations, and evaluate real threats facing the particular organization. The Houston practice's assessment mentioned "EHR system" without naming their vendor, version, or hosting arrangement. It referenced "network security" without documenting their firewall configuration, segmentation strategy, or remote access implementation.
Thoroughness requires completeness. An assessment must address all electronic protected health information, all systems that store or transmit it, and all reasonably anticipated threats. OCR's 2026 guidance specifically expects assessments to address cloud services, mobile devices, medical devices, business associate relationships, and workforce security practices. The Houston assessment covered only their primary EHR server, ignoring their patient portal, billing system, and physician mobile device access.
Documentation requires evidence. OCR expects assessments to include methodology descriptions, data sources, analysis processes, and decision rationales. The document should demonstrate how risks were identified, how likelihood and impact were evaluated, and how risk ratings were determined. The Houston practice's assessment contained no methodology section, no evidence of data collection, and no explanation of how their "medium risk" ratings were calculated.
Common Risk Assessment Deficiencies
OCR's 2026 enforcement actions have identified consistent patterns of risk assessment deficiencies:
Template-based assessments without customization. Many practices purchase risk assessment templates or use software-generated documents that produce generic content. OCR considers these insufficient unless extensively customized with organization-specific analysis. A Dallas practice's $98,000 settlement in March 2026 involved a 47-page assessment document that was entirely template content with only the practice name changed.
Failure to address emerging threats. Risk assessments must be updated to address changing threat landscapes. OCR's 2026 guidance specifically expects assessments to address ransomware, business email compromise, and supply chain attacks. Assessments that focus only on traditional threats while ignoring current attack patterns are considered incomplete. An Austin practice's assessment, last updated in 2022, was cited for failure to address ransomware despite the organization's 2024 ransomware incident.
Missing business associate analysis. OCR expects assessments to evaluate risks from business associate relationships, including vendor security practices, data sharing arrangements, and breach notification procedures. The Houston practice's assessment contained no vendor analysis despite using seven business associates with ePHI access. OCR's investigation revealed that three of these vendors had experienced breaches in the past two years.
Lack of technical vulnerability identification. Assessments must identify actual technical vulnerabilities, not just theoretical threats. This requires vulnerability scanning, penetration testing, or other technical assessment methods. OCR expects documentation of specific vulnerabilities found and remediation timelines. The Houston assessment identified no technical vulnerabilities despite their network scan showing 23 critical vulnerabilities in their EHR server.
OCR's 2026 Risk Assessment Expectations
Based on settlement patterns and OCR guidance documents, Texas medical practices should ensure their risk assessments address these specific elements:
Scope definition and asset inventory. The assessment must define its scope and include a complete inventory of systems, applications, and devices that create, receive, maintain, or transmit ePHI. This inventory should include EHR systems, practice management software, patient portals, billing systems, imaging systems, medical devices, mobile devices, and cloud services. Each asset should be documented with its function, data classification, and security responsibilities.
Threat identification and analysis. The assessment must identify specific threats facing the organization, including natural threats, human threats, and environmental threats. OCR expects analysis of threat likelihood based on the organization's specific circumstances, not generic probability estimates. A practice in a hurricane zone should address storm-related business continuity risks. A practice with remote workers should address home network security threats.
Vulnerability assessment and evaluation. The assessment must identify actual vulnerabilities through technical testing, configuration review, or other assessment methods. Vulnerabilities should be evaluated for exploitability and potential impact on ePHI confidentiality, integrity, and availability. Documentation should include vulnerability severity ratings, affected systems, and remediation priorities.
Risk determination and prioritization. The assessment must evaluate risks by considering threat likelihood and potential impact. OCR expects a documented methodology for risk scoring and a prioritized list of risks requiring mitigation. High-risk items should have defined remediation timelines and responsible parties. The assessment should demonstrate how risk levels informed security investment decisions.
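As an added illustration of the four elements above (not material from the article, OCR, or any vendor template): a minimal Python risk register that records a specific asset inventory, refuses entries with no actual finding or rationale, scores likelihood against impact on a documented scale, and maps each score to a remediation deadline and responsible owner. The 1-5 scales, tier floors, asset names and sample entries are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed methodology: 1-5 scales, score = likelihood x impact, tiers = (score floor, name, days).
TIERS = [(15, "high", 30), (8, "medium", 90), (1, "low", 365)]

@dataclass
class Asset:
    name: str    # a specific system, e.g. "patient portal", not just "EHR"
    vendor: str  # vendor / version / hosting, which the assessment must name
    ephi: bool   # creates, receives, maintains or transmits ePHI?
    owner: str   # responsible party for remediation

@dataclass
class Risk:
    asset: Asset
    threat: str         # specific threat, not "hacking" or "malware"
    vulnerability: str  # actual finding from a scan or configuration review
    likelihood: int     # 1-5, based on the practice's own circumstances
    impact: int         # 1-5, on confidentiality, integrity or availability of ePHI
    rationale: str      # why the ratings were chosen: the evidence OCR looks for

def validate(risk: Risk) -> None:
    """Reject entries that would reproduce the template-assessment failures."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.asset.name}: ratings must be on the 1-5 scale")
    if not risk.vulnerability.strip() or not risk.rationale.strip():
        raise ValueError(f"{risk.asset.name}: finding and rationale are required")

def tier(risk: Risk) -> tuple[str, int]:  # -> (tier name, remediation days)
    s = risk.likelihood * risk.impact
    return next((name, days) for floor, name, days in TIERS if s >= floor)

def prioritize(risks: list[Risk]) -> list[dict]:  # register, highest risk first
    for r in risks:
        validate(r)
    ordered = sorted(risks, key=lambda r: (-(r.likelihood * r.impact), r.asset.name))
    return [{"asset": r.asset.name, "threat": r.threat, "score": r.likelihood * r.impact,
             "tier": tier(r)[0], "due_days": tier(r)[1], "owner": r.asset.owner} for r in ordered]

# Constructed sample register for a small practice (not any real practice's data).
EHR = Asset("EHR server", "ExampleEHR v9, on-premises", True, "IT lead")
PORTAL = Asset("patient portal", "ExamplePortal, vendor-hosted SaaS", True, "practice manager")
SAMPLE = [
    Risk(EHR, "ransomware via remote access", "remote desktop exposed to the internet, no MFA",
         5, 5, "scan finding; remote access used daily by three physicians"),
    Risk(PORTAL, "credential stuffing", "no lockout after repeated failed logins",
         3, 4, "vendor configuration review; portal holds visit summaries"),
    Risk(EHR, "hardware failure", "backups not restore-tested for 18 months",
         2, 3, "last restore test 2024; data loss would halt clinic operations"),
]
```

The prioritised output is the artifact an investigator asks for: each line ties a named asset and finding to a score, a tier, a deadline and an owner, so the register itself shows how risk levels drove the remediation plan.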
Documentation and Evidence Requirements
OCR's enforcement actions demonstrate specific documentation expectations:
Assessment Methodology Documentation
The assessment must document the methodology used to identify risks, evaluate threats, and determine risk levels. This includes data sources, analysis techniques, scoring criteria, and decision frameworks. OCR investigators look for evidence that the assessment followed a systematic process rather than producing arbitrary results.
Technical Assessment Evidence
Documentation should include evidence of technical vulnerability assessment, such as vulnerability scan reports, penetration test results, or configuration audit findings. These technical assessments should be current, with OCR expecting annual vulnerability scanning at minimum for practices with internet-facing systems.
Risk Mitigation Documentation
The assessment should document how identified risks are being addressed, including specific controls implemented, remediation timelines, and residual risk acceptance decisions. OCR expects to see that high-risk items have active mitigation efforts with defined completion dates.
Review and Update Evidence
Risk assessments must be reviewed and updated regularly. OCR expects documentation of review dates, triggering events for updates, and evidence that the assessment is maintained as a living document. A risk assessment that has not been updated since implementation is considered stale regardless of its initial quality.
Texas-Specific Risk Considerations
Texas medical practices face specific risk factors that should be addressed in their assessments:
State law compliance requirements. Texas HB 300 and the Texas Medical Privacy Act impose requirements beyond HIPAA, including specific breach notification timelines and patient rights. Risk assessments should address compliance with state requirements and document how Texas-specific obligations are being met.
Texas Medical Board oversight. The TMB's 2026 cybersecurity directive creates licensure-related compliance requirements. Risk assessments should address the specific controls required by TMB guidance and document how practice security measures satisfy professional licensing obligations.
Regional threat patterns. Texas medical practices face specific threat patterns based on regional criminal activity and healthcare system targeting. Risk assessments should address ransomware trends affecting Texas healthcare organizations, business email compromise patterns targeting Texas practices, and supply chain risks from vendors commonly used in the region.
Immediate Action Items
Given OCR's enforcement priority on risk assessments and the significant penalties for deficiencies, immediate action is essential:
This Week: Review your current risk assessment for the deficiencies described in this article. Verify that it addresses your specific systems, identifies actual vulnerabilities, and documents a clear methodology. If your assessment is template-based without customization, begin planning for a comprehensive update.
This Month: Conduct technical vulnerability assessment if not performed within the past year. Update the risk assessment to address current threats including ransomware, business email compromise, and supply chain attacks. Ensure business associate risks are thoroughly documented.
This Quarter: Establish a schedule for regular risk assessment review and update. Implement processes to ensure the assessment informs security decisions and investment priorities. Consider engaging qualified security professionals to validate assessment quality and identify gaps.
Conclusion
OCR's focus on security risk assessments reflects the fundamental role this process plays in HIPAA compliance. The Houston practice's $127,000 settlement demonstrates that having a risk assessment document is insufficient. The assessment must be accurate, thorough, specific to the organization, and demonstrably used to inform security decisions.
That 78% of Q1 2026 settlements involved risk assessment deficiencies indicates systemic problems across healthcare organizations. Many practices treat risk assessment as a compliance checkbox, purchasing templates or generating generic documents that satisfy internal audit but fail OCR scrutiny. This approach is no longer viable given OCR's enforcement priority and the significant penalties for inadequate assessments.
Texas medical practices face particular scrutiny, appearing disproportionately in enforcement actions and facing additional state-level compliance requirements. Effective risk assessment requires investment in technical vulnerability assessment, customization of analysis to specific organizational circumstances, and ongoing maintenance as a living document. These investments are essential given OCR's demonstrated willingness to impose substantial penalties for assessment deficiencies and the fundamental role risk assessment plays in effective security programs.
78% of OCR settlements in Q1 2026 involved risk assessment deficiencies, with average penalties of $145,000. If your risk assessment is template-based, has not been updated in the past year, or does not address your specific systems and threats, you are at significant enforcement risk.