HIPAA Risk Assessment in 2026: A Healthcare Engineer's Field Guide
If you build, run, or audit systems that touch protected health information (PHI), the HIPAA risk assessment is the document that quietly decides whether the next OCR investigation ends in a closure letter or a corrective action plan with a six-figure settlement. The proposed 2026 HIPAA Security Rule update (published as an NPRM in January 2025, still pending finalization at OCR) doesn't change the underlying requirement at 45 CFR § 164.308(a)(1)(ii)(A) — and OCR has repeatedly reaffirmed that the absence of a current, written risk analysis is itself the most-frequently-cited Security Rule deficiency . This is the engineering view: what a defensible HIPAA risk assessment actually contains in 2026, how to model it, and what tooling fits the workflow. 1. The asset inventory is non-negotiable Every defensible HIPAA risk assessment starts with a complete inventory of where ePHI lives, where it flows, and who touches it. If you can't enumerate every system, every integration, and every workforce role that creates / receives / maintains / transmits ePHI, the rest of the assessment is built on sand. A minimal asset-inventory record per system: { "system_id" : "ehr-prod-01" , "system_type" : "ehr" , "ephi_states" : [ "create" , "receive" , "maintain" , "transmit" ], "data_classification" : "phi-high" , "hosting" : { "type" : "saas" , "vendor" : "epic" , "region" : "us-east-1" }, "workforce_roles_with_access" : [ "clinician" , "billing" , "admin" ], "integrations" : [ { "to" : "billing-system" , "protocol" : "hl7-fhir" , "direction" : "outbound" }, { "to" : "patient-portal" , "protocol" : "https-rest" , "direction" : "bidirectional" } ], "encryption_at_rest" : true , "encryption_in_transit" : true , "mfa_enforced" : true , "audit_log_destination" : "central-siem" , "ba_agreement_on_file" : true , "last_reviewed" : "2026-05-15" } If you don't have this, build it before you do anything else. The HHS-provided ONC SRA Tool walks through asset enumeration but it's optimized for s