For years, many organizations treated cybersecurity and compliance assessments as exercises designed to satisfy customer questionnaires or prepare for an annual audit. However, that approach is becoming increasingly risky.
Recent actions from the U.S. Department of Health and Human Services (HHS) suggest that regulators are shifting their focus from whether organizations performed an assessment to whether those assessments were rigorous, current and followed by meaningful remediation.
In May 2026, HHS reorganized its Office for Civil Rights (OCR), creating a dedicated Health Information Privacy, Data, and Cybersecurity Division responsible for enforcing the HIPAA Privacy, Security and Breach Notification Rules. That same month, HHS also introduced its Audit Enforcement and Risk Oversight (AERO) initiative, which uses AI to analyze years of audit history and identify organizations with unresolved findings or inadequate assessments.
While AERO specifically targets Single Audit requirements, its broader message is impossible to ignore: regulators are no longer satisfied with documentation alone. They increasingly expect organizations to identify security risks, prioritize remediation and demonstrate measurable progress over time.
For healthcare organizations, business associates and companies handling electronic protected health information (ePHI), this changes the conversation. A defensible Risk Analysis and documented remediation roadmap have become foundational evidence of a mature security program—not optional best practices.
One Assessment Doesn’t Solve Every Compliance Challenge
No single certification or assessment can satisfy every customer, regulator and board requirement. Instead, different business needs require different types of Risk Analyses and compliance assessments. Each produces a different artifact designed to answer a specific question.
Our latest white paper explores six of the most common assessments organizations should understand.
- HITRUST e1, i1 and r2 help organizations demonstrate security maturity at different stages of growth, from foundational compliance through comprehensive enterprise assurance.
- SOC 2 Type 1 and Type 2 provide independent attestations that validate security control design and operating effectiveness, helping organizations satisfy customer due diligence requirements.
- NIST and ISO 27005 Risk Assessments produce enterprise risk registers, control mappings and prioritized remediation roadmaps that support board reporting, cyber insurance renewals and executive decision-making.
- HIPAA Risk Analysis and HIPAA Compliance Assessments address two distinct needs. The HIPAA Risk Analysis identifies risks to ePHI and remains one of the most frequently cited documents in OCR enforcement actions, while a Compliance Assessment evaluates broader compliance with the HIPAA Security, Privacy and Breach Notification Rules.
- Vendor and Third-Party Risk Management (TPRM) helps organizations understand and manage the growing risks introduced by suppliers, business associates and other third parties through structured due diligence and continuous monitoring.
- State Privacy Conformance Assessments help organizations navigate the expanding landscape of consumer privacy laws that increasingly regulate health, wellness and personal data outside traditional HIPAA requirements.
Viewed together, these assessments form a broader compliance strategy rather than a collection of isolated projects. Each addresses a different source of organizational risk, whether it comes from regulators, customers, boards, insurers or business partners.
Learn Which Assessment Fits Your Organization
Understanding which assessment your organization actually needs—and when—is often more challenging than completing the assessment itself.
Our new white paper, Building a Compliance Program That Holds Up, explains how today’s leading compliance frameworks complement one another, when each assessment is appropriate and how organizations can build a program that supports customers, regulators and executive leadership without duplicating effort.
As enforcement expectations continue to evolve, choosing the right assessment today can help reduce regulatory exposure tomorrow.
Download the white paper to learn how HITRUST, SOC 2, HIPAA Risk Analyses, NIST and ISO risk assessments, third-party risk management and state privacy assessments work together to create a compliance program built for today’s regulatory environment.







