Insights · Behavioral Health

The HIPAA risk assessment: what OCR asks for first, and why yours is probably overdue

A security risk analysis isn't optional — it's the first document requested in any audit or breach investigation. Here's what a real one includes and how often to refresh it.

By Andrew · NextGen Strategy PartnersJune 30, 20265 min read

Ask a behavioral health director when their organization's last HIPAA security risk assessment was performed, and the most common answer is a pause. The second most common is a year that starts with "20" and ends uncomfortably long ago.

That matters because the Security Rule doesn't treat the risk analysis as a nice-to-have. It's a required administrative safeguard — and in practice, it's the first document the Office for Civil Rights requests when investigating a breach or running an audit. Arriving at that conversation without one doesn't just look bad; it's routinely cited in enforcement actions and settlements.

What a real risk assessment actually contains

A risk assessment is not a network scan, and it's not a certificate a vendor sells you. It's a documented analysis of where electronic protected health information lives in your organization and what could threaten it. Done properly, it covers:

The risk assessment is the document that turns "we take security seriously" from a sentence into evidence.

How often is "current"?

The rule requires the analysis to be reviewed and updated periodically; the widely accepted standard is annually, plus after any significant change — a new EHR, a move to telehealth, a merger, an incident. If your assessment predates your current systems, it doesn't describe your actual risk, and regulators know it.

The knock-on benefits nobody mentions

A current risk assessment quietly powers everything else: it's the backbone of your cyber-insurance answers, the evidence funders and referral partners increasingly want, and the honest to-do list that keeps your security spending pointed at real risk instead of vendor noise.

The practical takeaway

If you can't put your hands on a risk assessment dated within the last twelve months, that's the project — before the next EHR feature, before the new laptops. For our behavioral health clients, the annual assessment is built into the service, not billed as a project.

Andrew, founder of NextGen Strategy Partners

Andrew — Founder, NextGen Strategy Partners

Veteran-owned managed IT for the nonprofits, schools, behavioral health providers, and medical & dental practices of McHenry & Lake Counties. Request a free security assessment →

Find out where you stand — before someone else does.

Our free IT security assessment gives your leadership a plain-English report on your risks, your compliance gaps, and exactly what it would cost to fix them. No obligation, no jargon.

Request the free assessment