45 CFR Part 164, Subpart C — Enforceable Today

Most HIPAA Vendors Sell You
A Rule That Isn't Law Yet.

We assess you against the Security Rule OCR actually enforces — the 2003 standards as amended by the 2013 Omnibus Final Rule. Risk analysis failures remain the #1 most-cited finding in OCR investigations, and in 2026 OCR expanded that enforcement initiative to cover risk management: what you actually did about what you found.

14
Documents OCR Can Ask For
#1
Risk Analysis — Most-Cited Finding
$2.19M
Willful Neglect · Annual Cap
6
Years of Required Retention

Who Must Comply

45 CFR §164.308(a)(1)(ii)(A) — Required

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit.

HHS OCR Risk Analysis Guidance →

The 2013 Omnibus Final Rule (78 FR 5566) implemented the HITECH Act and made business associates — and their subcontractors — directly liable for Security Rule compliance. The chain of liability runs all the way down.

🏥

Covered Entities

Providers, health plans, and clearinghouses that transmit health information electronically in connection with a covered transaction.

🤝

Business Associates

Any vendor that creates, receives, maintains, or transmits ePHI on behalf of a covered entity — IT firms, billing companies, cloud providers, MSPs.

🔗

Subcontractors

Any entity handling ePHI on behalf of a business associate. Post-Omnibus, you hold the BAA obligation — not your customer.

💻

Healthcare SaaS

EHR vendors, telehealth platforms, and app developers whose products store, process, or transmit ePHI.

The 14 Documents
OCR Can Ask You For

Eighteen standards. Thirty-six implementation specifications — 14 Required, 22 Addressable. Six standards carry no implementation specification at all; you comply with the standard text itself. Here is how it maps to documents you actually have to produce.

#Policy DocumentSatisfies (45 CFR)
00Information Security Program (ISP)§164.306(b),(d)(3),(e); §164.308(a)(2),(a)(8); §164.316
01Risk Management Policy§164.306(a); §164.308(a)(1)(i),(ii)(A),(ii)(B)
02Sanction Policy§164.308(a)(1)(ii)(C); §164.530(e)
03Audit, Logging & Activity Review Policy§164.308(a)(1)(ii)(D); §164.312(b)
04Workforce Security Policy§164.308(a)(3)
05Access Control Policy§164.308(a)(4); §164.312(a),(d)
06Security Awareness & Training Policy§164.308(a)(5); §164.530(b)
07Security Incident Response Policy§164.308(a)(6)
08Breach Notification Policy§164.400–414
09Contingency Planning Policy§164.308(a)(7)
10Business Associate Management Policy§164.308(b); §164.314(a); §164.502(e)
11Facility & Workstation Security Policy§164.310(a),(b),(c)
12Device & Media Control Policy§164.310(d)
13Data Integrity & Transmission Security Policy§164.312(c),(e)

"Addressable" Does Not Mean Optional

Under §164.306(d)(3), for each of the 22 addressable implementation specifications you must assess whether it is reasonable and appropriate in your environment, then either implement it — or document in writing why it is not, and implement an equivalent alternative measure where reasonable and appropriate.

An addressable specification that is neither implemented nor documented is a finding. This is where most self-assessments quietly fail.

What Most Practices
Actually Have

Training records. Maybe a BAA folder. Occasionally an old risk assessment the EHR vendor ran once. That is three of fourteen.

A checklist review of your policies is not a risk analysis. A vendor questionnaire is not a risk analysis. §164.308(a)(1)(ii)(A) requires an accurate and thorough assessment covering all ePHI, everywhere it is created, received, maintained, or transmitted — which means it starts with an asset inventory and a data-flow map, not a template.

What It Costs To Be Wrong

Civil monetary penalties, inflation-adjusted effective January 28, 2026.

TierCulpabilityPer ViolationCalendar-Year Cap
1Did not know$145 – $73,011$2,190,294*
2Reasonable cause$1,461 – $73,011$2,190,294*
3Willful neglect, corrected$14,602 – $73,011$2,190,294*
4Willful neglect, uncorrected$73,011 – $2,190,294$2,190,294

* OCR's April 2019 Notice of Enforcement Discretion applies substantially lower calendar-year caps to Tiers 1–3. It has never been rescinded, and the Federal Register schedule does not reflect it.

And the multiplier: under §160.406, a continuing violation is a separate violation for every day it persists. An unencrypted server is not one violation. It is one violation per day, per requirement.

The Highest-Leverage Control You Own

Encryption of ePHI at rest and in transit, performed consistent with HHS guidance, renders the information "secured" and removes it from the definition of unsecured PHI. The practical consequence: its loss does not trigger breach notification at all. It is addressable, not required — which means declining to encrypt is a decision you should expect to defend in writing, in front of OCR, after an incident.

What's Coming.
And What Isn't.

Status: PROPOSED. Not enforced.

HHS published a Notice of Proposed Rulemaking on January 6, 2025 (90 FR 800, RIN 0945-AA22). The comment period closed March 7, 2025 with roughly 4,745 comments. OCR's regulatory agenda targeted a final rule for May 2026 — that window passed with nothing published. More than 100 hospital systems and provider associations have formally asked HHS to withdraw the proposal.

You cannot be out of compliance with a proposed rule. Any vendor telling you otherwise is selling you something. If a final rule issues, covered entities get 180 days and business associates get an additional 60. We will tell you the day it lands.

That said — every one of these proposed controls is good security, and several map directly to the failure modes behind the largest healthcare breaches on record. We treat them as a forward-looking roadmap. Never as a compliance finding.

🔐

MFA Everywhere Proposed

Today, §164.312(d) requires only that you verify a person is who they claim to be. MFA is not mandated. But in any honest risk analysis, its absence on remote and privileged access is a high-rated finding.

📦

Asset Inventory Proposed

Not separately required today — but you cannot perform an "accurate and thorough" risk analysis under §164.308(a)(1)(ii)(A) without one. Build it regardless.

🗺️

ePHI Network Map Proposed

Same reasoning. OCR expects your risk analysis to cover all ePHI wherever it lives, including at every business associate.

⏱️

72-Hour Restoration Proposed

Today §164.308(a)(7)(ii)(A)–(C) requires a backup plan, disaster recovery plan, and emergency mode operation plan — with no stated time limit. Set your own RTO and defend it.

🔒

Mandatory Encryption Proposed

Encryption is addressable today under §164.312(a)(2)(iv) and (e)(2)(ii). Implement it, or document why not and deploy an equivalent alternative.

🔍

Scans & Pen Testing Proposed

No current mandate. §164.308(a)(8) requires a periodic technical and nontechnical evaluation — the method is yours to choose and justify.

Find. Fix. Prove.

In 2026 OCR formally expanded its enforcement initiative beyond §164.308(a)(1)(ii)(A) risk analysis to include §164.308(a)(1)(ii)(B) risk management. Finding a gap is no longer the deliverable. Closing it, with a date attached, is.

🔎

Find

An enterprise-wide Security Risk Analysis structured to all nine elements of OCR's guidance — asset inventory, data-flow map, threat and vulnerability catalog, likelihood, impact, and risk determination.

🛠️

Fix

A CISM · CISA · CRISC certified practitioner works the register down — policies, safeguards, BAAs, training — instead of handing you a PDF that tells you to figure it out.

📑

Prove

Remediation is logged and timestamped. When OCR asks how you resolved a finding from eight months ago, you have an answer with a date on it.

Scoped To Your Organization

Every practice has a different ePHI footprint, vendor chain, and starting point. We scope after we look. Call (941) 385-4261 or book a free Compliance Reality Check.

Start Here

Compliance Reality Check

Free30 minutes · no obligation
  • We walk the 14-document crosswalk against what you actually have
  • Identify which Required implementation specifications are missing
  • Flag any business associate operating without a conformant BAA
  • Straight answer on scope and effort — no pitch deck
Book the Call →

Build It Out

Policy & Procedure Library

Call for PricingOften bundled with the assessment
  • All 13 policies mapped to the 18 Security Rule standards
  • Supporting procedures and standards — access provisioning, break-glass, log review, media sanitization, backup and restore
  • Policy-to-control crosswalk delivered as your own evidence index
  • Workforce acknowledgment forms and sanction schedule
  • Breach four-factor assessment form per §164.402
  • Annual review calendar tied to §164.316(b)(2)(iii)
Get a Quote →

Compliance Is Not
A One-Time Project

The assessment gets you a defensible baseline. The platform keeps it alive: risk assessment wizard, risk register, Business Associate registry, incident tracker, training records, policy library, and audit-ready reporting — every control mapped to its 45 CFR citation, with Required and Addressable specifications tracked separately.

StarterSingle location · small practice
ProfessionalMulti-location · remediation evidence tracking
EnterpriseMulti-entity · CISM · CISA · CRISC-led annual risk analysis review

BAA included on every tier · No setup fees · Cancel anytime

The HIPAA
Policy-to-Control Crosswalk

The 14 documents every covered entity and business associate must be able to hand OCR, and the exact regulation each one satisfies. One page. Built on the Security Rule as amended by the 2013 Omnibus Final Rule, not the proposed 2025 update.

Prepared by a CISM · CISA · CRISC certified consultant. Built on 45 CFR Part 164, Subpart C, as amended by the HIPAA Omnibus Final Rule, 78 FR 5566 (Jan. 25, 2013). Not legal advice, and not a substitute for a Security Risk Analysis.

Get instant access

Enter your details and the crosswalk unlocks immediately.

We'll only use this to send occasional HIPAA rule-change reminders. No spam, unsubscribe anytime, and we never sell your information.

🔒 Enter your details to unlock the download

This is a starting point — a one-time snapshot. HIPAA compliance is ongoing: the risk analysis must be reviewed on environmental or operational change, BAAs tracked, incidents logged, and training renewed. See how DSP HIPAA Comply keeps it living →

Count How Many Of The 14 You Have

Most practices stop at three. Book a free 30-minute Compliance Reality Check and we'll walk your gaps line by line — no obligation, no pitch deck.