
10 Reasons Your HIPAA Security Risk Assessment Isn't Working (And What OCR Actually Expects)

You did the risk assessment. You checked the box. You filed the paperwork.

And yet, when the Office for Civil Rights (OCR) comes knocking, or worse, after a breach, your organization is still exposed.

Here's the uncomfortable truth: over 80% of covered entities fail to conduct proper HIPAA security risk assessments. Not because they don't try, but because they approach them wrong.

Generic, checkbox-style assessments don't cut it anymore. OCR has made that abundantly clear through enforcement actions totaling millions in fines just in the first months of 2025.

Let's break down exactly where these assessments go wrong, and what OCR actually expects from you.


The 10 Reasons Your Assessment Is Failing

1. You're Treating It Like a Checkbox

The most common mistake? Verifying that security systems exist without examining whether they actually work.

Having a firewall doesn't mean it's configured correctly. Having encryption doesn't mean it's applied everywhere it should be. OCR expects you to test how your systems behave when processing patient data, not just confirm that controls are technically in place.

Surface-level compliance creates a dangerous illusion of security.

2. You Identify Problems but Never Fix Them

This one gets organizations in serious trouble.

Bay Medical Center paid $1.2 million after their risk assessment identified security weaknesses six months before a breach. The problem? They never addressed those weaknesses.

Finding vulnerabilities is only half the equation. If you're not remediating what you find, you're building a paper trail that proves you knew about risks and did nothing. That's worse than not knowing at all.


3. Your Scope Is Too Narrow

Risk assessments commonly miss:

  • Shadow IT systems employees set up without approval
  • Legacy applications no one wants to touch
  • Vendor-hosted environments and cloud platforms
  • Medical devices connected to your network
  • Backup systems and audit logs

If ePHI lives there, it needs to be assessed. Period. OCR requires enterprise-wide analysis, not just an analysis of your primary EHR system.

4. You're Assuming Vendors Have It Covered

Technology vendors don't automatically handle your security obligations. Those integration points where different systems connect and exchange data? Those gaps between your responsibility and theirs?

Attackers love those blind spots.

Your assessment needs to evaluate every vendor relationship where ePHI flows. Don't assume; verify.

5. Your Access Controls Are Too Loose

Shared accounts. Excessive privileges. EHR logs that nobody audits.

These are audit red flags that show up constantly in OCR enforcement actions. Your assessment should verify that least-privilege principles are enforced and that you're actively monitoring for unauthorized access.

Who has access to what, and why? If you can't answer that clearly, neither can your assessment.


6. Encryption Gaps Are Everywhere

Many organizations encrypt data in some places but leave it exposed in others:

  • Laptops and mobile devices
  • Backup files and archives
  • Internal messaging channels
  • Data in transit between systems

Your assessment should map every location where ePHI exists and verify encryption status at each point. Partial encryption is partial protection.

7. Employee Training Exists on Paper Only

Your assessment probably notes that staff need training on phishing and social engineering. But is that training actually happening? Is it mandatory? Is it tested?

Human error remains one of the biggest contributors to healthcare breaches. Identifying the training gap without closing it is another documentation liability waiting to become evidence.

8. Your Incident Response Plan Has Never Been Tested

Having an incident response plan is required. Having one that works is what matters.

If your team hasn't run through a tabletop exercise or simulated a ransomware event, you don't actually know if your plan will hold up under pressure. Assessments that skip this step leave organizations scrambling when real incidents hit, and OCR notices delayed containment.

9. Assessment Findings Never Reach the Budget

Here's where many assessments die: the gap between IT documentation and executive action.

Risk findings that lack linkage to budget approval, project timelines, or resource allocation remain unimplemented. Your assessment needs executive sign-off and clear ownership of remediation tasks with deadlines.

Otherwise, it's just a report that sits in a folder.


10. You're Treating This as a One-Time Event

HIPAA requires ongoing risk management, not annual paperwork.

Your risk profile changes when you:

  • Adopt new technology
  • Merge with or acquire another organization
  • Experience a security incident
  • Onboard new vendors
  • Change how you handle patient data

Continuous monitoring and regular reassessment aren't optional; they're what separates compliant organizations from vulnerable ones.


What OCR Actually Expects

OCR has been crystal clear through recent enforcement actions. Since January 2025, ten resolution agreements have highlighted the same fundamental failure: organizations not conducting comprehensive, enterprise-wide risk analysis.

Fines have ranged from $25,000 to $3 million.

Here's what OCR looks for:

Comprehensive Enterprise-Wide Analysis

Every system, application, and device that stores or transmits ePHI must be included. Vague or incomplete system documentation is a frequent audit failure.

Documented System Inventory

You need an updated inventory of all data systems, applications, and storage locations. OCR wants to see that you know where ePHI lives, and that you've evaluated the risks at each location.

Policies That Are Actually Implemented

Having policies isn't enough. They must be documented, communicated through mandatory training, and audited regularly for accuracy and relevance. One of the most frequent HIPAA Security Rule audit failures is the gap between written policies and actual practice.

Remediation With Accountability

OCR expects prioritized remediation with:

  • Assigned owners for each vulnerability
  • Specific deadlines for fixes
  • Measurable success criteria
  • Evidence that mitigations actually reduced risk

Identifying problems without demonstrating progress on fixing them is a compliance failure.
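As an added illustration (not from the article or from Hudson Sky), here is a small Python risk register that checks a constructed ePHI inventory and findings list against the points above: enterprise-wide scope (reason 3), encryption at every ePHI location (reason 6), and remediation with an owner, a deadline, success criteria and evidence (reasons 2 and 9, and this section). All systems, findings and dates are made up, and the 90-day "stale" threshold is an assumed internal policy value, not an OCR figure.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
@dataclass
class System:              # one row of the enterprise-wide ePHI inventory (constructed)
    name: str
    holds_ephi: bool
    assessed: bool         # was it inside the assessment's scope?
    encrypted_at_rest: bool
    encrypted_in_transit: bool
@dataclass
class Finding:             # one remediation item from the assessment (constructed)
    id: str
    identified: date
    owner: str = ""
    deadline: Optional[date] = None
    success_criteria: str = ""
    evidence: str = ""     # proof the mitigation actually reduced risk
    closed: bool = False

def review(systems: List[System], findings: List[Finding], today: date, max_open_days: int = 90):
    gaps = {k: [] for k in ("scope", "encryption", "unowned", "no_deadline", "no_criteria",
                            "overdue", "stale", "closed_without_evidence")}
    for s in (s for s in systems if s.holds_ephi):       # systems without ePHI may stay out of scope
        if not s.assessed:
            gaps["scope"].append(s.name)                  # ePHI location never assessed
        if not (s.encrypted_at_rest and s.encrypted_in_transit):
            gaps["encryption"].append(s.name)             # partial encryption is partial protection
    for f in findings:
        if f.closed:                                      # closed items still need evidence
            if not f.evidence:
                gaps["closed_without_evidence"].append(f.id)
            continue
        checks = [("unowned", not f.owner), ("no_deadline", f.deadline is None),
                  ("overdue", f.deadline is not None and f.deadline < today),
                  ("no_criteria", not f.success_criteria),
                  ("stale", (today - f.identified).days > max_open_days)]  # known risk left open
        for key, failed in checks:
            if failed:
                gaps[key].append(f.id)
    return gaps

# Constructed sample data: made-up systems, findings and dates; 90-day limit is an assumed policy.
TODAY = date(2025, 6, 1)
SYSTEMS = [System("EHR", True, True, True, True),
           System("Backup archive", True, True, False, True),
           System("Infusion pumps", True, False, False, False)]
FINDINGS = [Finding("F-1", date(2024, 12, 1), owner="Infra lead", deadline=date(2025, 3, 31),
                    success_criteria="All backup sets encrypted at rest"),
            Finding("F-2", date(2025, 5, 15)),            # logged, nobody assigned
            Finding("F-3", date(2025, 1, 10), owner="App team", deadline=date(2025, 4, 1),
                    success_criteria="Shared EHR accounts removed", evidence="Audit export", closed=True)]
```

Running `review(SYSTEMS, FINDINGS, TODAY)` flags the unassessed infusion pumps, the two partially encrypted locations, F-1 as overdue and stale, and F-2 as having no owner, deadline or success criteria, while the closed F-3 passes because it carries evidence.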

Executive Accountability

Assessments require leadership sign-off and recurring reviews. This prevents risk analysis from becoming an isolated IT document that leadership never sees or acts on.


The Bottom Line

Generic assessments fail because they prioritize the appearance of compliance over actual security.

OCR isn't looking for perfect systems. They're looking for evidence that you understand your risks, have a plan to address them, and are making documented progress.

That requires specificity. It requires ongoing attention. And it requires connecting your security assessment to real organizational resources and accountability.

If your current approach isn't delivering that, it's time to rethink how you're doing risk assessments.


How Hudson Sky Helps Healthcare Organizations Get This Right

At Hudson Sky, we specialize in HIPAA security risk assessments built for OCR scrutiny, not checkbox compliance.

Our approach covers your entire enterprise, identifies the gaps that matter, and connects findings to actionable remediation plans with clear ownership and timelines.

We work with healthcare organizations to build security programs that hold up under audit and actually protect patient data.

Ready to see what a real risk assessment looks like? Let's talk.