If you build, run, or audit systems that touch protected health information (PHI), the HIPAA risk assessment is the document that quietly decides whether the next OCR investigation ends in a closure letter or a corrective action plan with a six-figure settlement. The proposed 2026 HIPAA Security Rule update (published as an NPRM in January 2025, still pending finalization at OCR) doesn't change the underlying requirement at 45 CFR § 164.308(a)(1)(ii)(A) — and OCR has repeatedly reaffirmed that the absence of a current, written risk analysis is itself the most-frequently-cited Security Rule deficiency.

This is the engineering view: what a defensible HIPAA risk assessment actually contains in 2026, how to model it, and what tooling fits the workflow.

1. The asset inventory is non-negotiable

Every defensible HIPAA risk assessment starts with a complete inventory of where ePHI lives, where it flows, and who touches it. If you can't enumerate every system, every integration, and every workforce role that creates / receives / maintains / transmits ePHI, the rest of the assessment is built on sand.

A minimal asset-inventory record per system: