U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Office for Civil Rights

December 1, 2025

HHS’ OCR Presents:

The HIPAA Security Rule: Risk Management

The HHS Office for Civil Rights (OCR) is producing a pre-recorded video for HIPAA covered entities and business associates (collectively, “regulated entities”) reviewing the requirements of the HIPAA Security Rule’s Risk Management implementation specification.  OCR welcomes questions that could be addressed during this video.  If you have questions about the Security Rule’s Risk Management requirement, please send them to OCRPresents@hhs.gov no later than December 8, 2025.

Speaker:

• Nicholas Heesters, Senior Advisor for Cybersecurity, HHS Office for Civil Rights

Topics include:

• HIPAA Security Rule Risk Management requirements
• OCR investigations with potential Risk Management violations
• Risk Management and cybersecurity resources
• Responses to select submitted questions

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information.  Guidance about the Privacy Rule, Security Rule, and Breach Notification Rule can also be found on OCR’s website.  If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR.  Follow HHS OCR on X (formerly Twitter) at @HHSOCR.  For additional information on a wide range of topics about the HIPAA Rules, please visit: https://www.hhs.gov/hipaa/index.html.  Information about OCR's civil rights authorities and responsibilities can be found at: https://www.hhs.gov/civil-rights/index.html.  If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint at: https://www.hhs.gov/hipaa/filing-a-complaint/index.html.