Breach analysis · Patient Protect
Repeat-breach patterns and the §164.308(a)(1) risk analysis obligation: what ongoing risk management actually requires
Repeat breaches at a single covered entity signal systemic risk-management failure — here's how the HIPAA Security Rule's ongoing risk analysis requirement applies to your practice.
The control gap
A covered entity that experiences a second significant breach within 15 months of a first has almost certainly failed one of the Security Rule's most foundational requirements: the obligation under 45 CFR §164.308(a)(1)(ii)(A) to conduct an accurate and thorough risk analysis — and, critically, to act on it. The rule is not a one-time checkbox; it requires ongoing reassessment whenever the environment changes, including after a security incident. Recent reporting in HIPAA Pulse on a Virginia radiology practice that disclosed a second breach affecting approximately 266,000 patients — before notifications for a 1.4-million-patient first breach were even complete — illustrates exactly what regulatory scrutiny looks like when that cycle breaks down. First reported in HIPAA Pulse → https://hipaapulse.com/radiology-associates-of-richmond-discloses-second-data-breach-266k-people-affected-47058914
OCR's enforcement record makes the stakes clear: when sequential breaches occur, investigators examine whether post-incident remediation from the first event was documented, tested, and formally verified — not merely claimed.
The HIPAA Security Rule provision in play
45 CFR §164.308(a)(1) — Security Management Process requires covered entities to implement policies and procedures to prevent, detect, contain, and correct security violations. The required implementation specifications include a risk analysis (§164.308(a)(1)(ii)(A)), risk management (§164.308(a)(1)(ii)(B)), a sanction policy, and information system activity review. A related provision — 45 CFR §164.404 (Breach Notification Rule) — requires HHS notification within 60 days of breach discovery, a clock that does not pause for investigation timelines.
How Patient Protect addresses this
- Security Risk Assessment (SRA): Patient Protect's built-in SRA generates a documented, timestamped risk analysis that satisfies §164.308(a)(1)(ii)(A). Running it after any incident — not just annually — creates the paper trail OCR looks for when evaluating whether remediation was genuine.
- Autonomous Compliance Engine: Continuously recalculates your compliance posture as your environment changes. A new vendor relationship, a staff role change, or a resolved incident all feed back into live risk scoring — so the gap between "first breach resolved" and "second breach occurring" doesn't go unmonitored.
- Information Systems Inventory: Radiology and imaging-intensive practices need an explicit map of where ePHI lives. Patient Protect's inventory module documents systems, storage locations, and data flows — the foundation for any credible risk analysis in a complex clinical environment.
- BAA Management / Vendor Risk Scanner: Multi-state breach filings frequently signal that data passed through a business associate's systems. Patient Protect tracks BAA status and surfaces vendor relationships that may carry unreviewed security obligations.
- Event Log and Compliance Scoreboard: Provides the documented audit trail — with timestamped activity — that demonstrates an active compliance program, not just a completed form.
Practical next steps
- Restart your risk analysis clock after any incident. Treat breach resolution as a trigger for a new SRA, not the end of the compliance workflow.
- Document your breach-discovery date explicitly. The 60-day HHS notification clock starts at discovery. Build an internal escalation procedure that records this date the moment a potential incident is identified.
- Audit your BAA inventory this week. If any vendor touches ePHI across state lines, confirm their notification obligations are current and contractually enforceable.
- Map where imaging data actually resides. DICOM files, RIS data, and associated clinical records often span cloud, colocated, and on-premises storage. An accurate inventory is the prerequisite for every other control.
- Verify remediation with documented evidence. After any incident, require written confirmation — not just a vendor attestation — that each identified vulnerability has been closed and tested.
Try Patient Protect
- Start a free trial at hipaa-port.com → https://hipaa-port.com
- Run a free Security Risk Assessment at patient-protect.com/risk-assessment → https://patient-protect.com/risk-assessment
This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article.
