HIPAA Compliance via CMDB: Bridging the ePHI Asset Gap
On March 5, 2026, the US Department of Health and Human Services Office for Civil Rights announced a HIPAA compliance settlement with MMG Fusion LLC, a Maryland healthcare software company. MMG had exposed the protected health information of approximately 15 million individuals. The breach itself was not the headline. The headline was what OCR found when it looked underneath it.
MMG Fusion had failed to conduct an accurate and thorough risk analysis of the electronic protected health information it held. For a company whose entire value proposition was handling sensitive health data on behalf of others, the foundational requirement the HIPAA Security Rule has mandated since 2003 had not been met.
The settlement included a three-year corrective action plan OCR will monitor directly. It was the 12th enforcement action under OCR’s Risk Analysis Initiative — a systematic program that OCR Director Paula Stannard confirmed makes HIPAA Security Rule requirements “imperative for strengthening cybersecurity before a breach occurs.”
What OCR found at MMG was not a sophisticated failure. It was a foundational one. The corrective action plan OCR imposed tells the story precisely. Before MMG could even begin its risk analysis, OCR required it to build a complete inventory of every facility, electronic system, data system, and application that creates, stores, transmits, or receives ePHI. Not as an output of the compliance process. As the prerequisite for it. OCR’s position is unambiguous: you cannot assess risk to ePHI if you do not first know every system that holds it.
MMG Fusion is not an outlier. It is a data point in a pattern OCR has been building since 2024. The Risk Analysis Initiative exists because risk analysis failures appear in virtually every major HIPAA enforcement action, across covered entities, business associates, health plans, and now, as the Star Group employer-sponsored plan settlement in January 2026 demonstrated, across organizational types that many compliance officers had not considered within the enforcement perimeter at all.
The operational picture underneath that enforcement pattern is stark. US hospitals average up to 7,500 networked devices in a 500-bed facility. Ninety-nine percent have at least one connected medical device carrying a known exploited vulnerability. The devices entering hospital networks arrive with documented inventories. They do not arrive secure by default.
More than 700 large breach investigations, each covering 500 or more individuals, are opened by OCR every year. That volume has more than tripled since 2010. The 2025 Change Healthcare ransomware attack exposed 192.7 million patient records, the largest healthcare breach on record, and investigators found that incomplete network visibility allowed attackers to move laterally across interconnected systems before the scope was understood. OCR does not investigate on a schedule. It investigates the day after a breach. What it asks for at that moment is not what your asset inventory looked like at your last annual review. It asks what your environment looked like when the incident occurred.
The gap between those two things, what the last review captured and what was actually running, is not a documentation problem. It is an operational one. MMG Fusion had a compliance posture. What it did not have was a current, accurate picture of every system touching ePHI at the moment OCR came looking. Fifteen million patient records were the cost of that distance.
In 2026, HIPAA compliance requires a technology asset inventory updated at minimum annually, a risk analysis built on top of that inventory, and, for every connected medical device entering your network, a Software Bill of Materials from the manufacturer that your own inventory must be capable of contextualizing. This article explains what each of those requirements means operationally, what the enforcement landscape looks like today, and what the infrastructure layer that keeps your inventory audit-ready at any point in time actually does.
What Is HIPAA and Who Does It Apply To
HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 to establish national standards for protecting sensitive patient health information. The law applies to two categories of organizations: covered entities and business associates.
Covered entities are the organizations that originate or handle patient health information in the course of providing or paying for healthcare: hospitals, physician practices, health plans, and healthcare clearinghouses. Business associates are the vendors, contractors, and software providers that handle protected health information on behalf of covered entities. MMG Fusion was a business associate. Its covered entity clients, dental practices across the US, were not the ones who failed the risk analysis requirement. Their software vendor was. HIPAA holds business associates to the same Security Rule obligations as covered entities themselves, a fact the MMG Fusion settlement makes operationally real for every vendor that touches ePHI.
The law is organized into three rules that work together. The Privacy Rule governs how protected health information may be used and disclosed. The Breach Notification Rule requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media, when unsecured protected health information is breached. The Security Rule, the one at the center of OCR’s current enforcement wave, requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit.
The Security Rule’s core operational requirement is a risk analysis: an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI across every system that touches it. Not a policy document. Not a periodic audit. A living assessment of every system, every connection, and every vulnerability, kept current as the environment changes. That requirement has been in force since 2003. OCR’s enforcement record shows that for a significant portion of the regulated community, it has never been fully met.
HIPAA compliance means meeting the administrative, physical, and technical safeguard requirements of the HIPAA Security Rule. For covered entities and business associates, compliance centers on conducting an accurate risk analysis of every system that creates, stores, transmits, or receives electronic protected health information, and keeping that analysis current as the environment changes.
Who Enforces HIPAA and Under Which Authority
HIPAA enforcement is administered by the US Department of Health and Human Services Office for Civil Rights. OCR’s authority to investigate, penalize, and impose corrective action on covered entities and business associates derives from HIPAA itself, strengthened by two subsequent legislative acts: the Health Information Technology for Economic and Clinical Health Act of 2009, which significantly increased civil monetary penalties and extended HIPAA obligations directly to business associates, and the Food and Drug Omnibus Reform Act of 2022, which added cybersecurity requirements for connected medical devices to the Federal Food, Drug, and Cosmetic Act.
OCR investigations are triggered four ways: a breach self-report filed by the covered entity or business associate, a complaint filed by a patient or workforce member, a proactive compliance audit initiated by OCR, or a referral from another federal or state agency. OCR is not waiting for organizations to come forward. Investigating every breach affecting 500 or more individuals is mandatory, not discretionary. The 2024 to 2025 OCR audit program reviewed 50 covered entities and business associates specifically for Security Rule provisions related to hacking and ransomware. Proactive audits are active.
Enforcement has escalated in measurable steps. OCR doubled its financial penalties in 2016. In 2019 it launched the Right of Access Initiative, which has produced more than 50 settlements. In 2024 it launched the Risk Analysis Initiative. In early 2026 OCR confirmed that initiative will expand to include risk management, meaning organizations must now demonstrate not only that they identified risks but that they acted on them with documentation. Seventy-six percent of 2025 OCR enforcement actions included a risk analysis failure, the single most cited Security Rule violation across the year’s 21 settlements, at an average of $4.75 million per action (HIPAA Journal, 2026). Each escalation has narrowed the space between having a compliance program and being able to defend it under investigation.
Civil monetary penalties are adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act. For penalties assessed on or after January 28, 2026: Tier 4 willful neglect not corrected within 30 days carries a minimum of $73,011 per violation up to $2,190,294 per provision annually. The corrective action plan, however, is frequently the more operationally disruptive consequence: two to three years of mandatory reporting to OCR, documented remediation timelines, and HHS review and approval of risk analyses, policies, and training programs. The Star Group health plan paid $245,000. The corrective action plan running alongside that payment will cost multiples of that figure in internal compliance resources before the two-year monitoring period ends.
OCR investigations are triggered by a breach self-report, a patient complaint, a proactive compliance audit, or a federal referral. All breaches affecting 500 or more individuals trigger a mandatory OCR investigation. The Risk Analysis Initiative, launched in 2024 and expanding in 2026, means organizations must now document not only that they identified risks, but that they acted on them.


What Does HIPAA Compliance Actually Require in 2026
Two regulatory directions are converging on the same operational problem in 2026, one from the covered entity side, one from the device manufacturer side, and the gap between them sits inside every hospital’s live IT environment.
On the covered entity side, the proposed HIPAA Security Rule NPRM published January 6, 2025, requires covered entities and business associates to develop and maintain a technology asset inventory and a network map illustrating the movement of ePHI throughout their electronic information systems, updated at minimum every 12 months and in response to any operational change affecting ePHI. Asset inventory is moving from informal best practice to explicit regulatory requirement. Once the final rule is published, regulated entities will have 240 days to comply.
The proposed HIPAA Security Rule NPRM (January 2025) requires covered entities and business associates to maintain a complete technology asset inventory and network map showing ePHI movement, updated at least every 12 months and after any operational change. OCR’s existing corrective action plans already treat this inventory as the prerequisite for any risk analysis, not the output of it.
The 12-month floor is a compliance cadence. It is not an operational guarantee. US hospitals average up to 7,500 networked devices in a 500-bed facility, and large health systems operating multiple campuses may have tens of thousands. These are not static assets: they are replaced, patched, provisioned, decommissioned, and connected to new systems on a rolling basis. New staff arrive with credentials that need provisioning. New imaging equipment connects to the network. Vendor remote access is granted and revoked. The IT environment documented at one annual review is materially different from what is running six months later.
Sixty percent of connected medical devices in US hospitals are end-of-life, meaning the manufacturer no longer issues security patches for them. They remain in clinical use because medical hardware lifespans extend 10 to 30 years, while the underlying software requires updates that eventually stop coming. Each carries an average of 6.2 known software vulnerabilities. Peer-reviewed analysis of FDA-cleared devices found that regulatory compliance does not eliminate known vulnerabilities from marketed hardware: hard-coded credentials and authentication gaps persist in on-market devices despite being explicitly addressed in FDA guidance since 2014. The devices entering hospital networks arrive with documented inventories. They do not arrive secure by default.
On the device manufacturer side, Section 524B of the FD&C Act, effective March 29, 2023, requires every connected medical device submitted for FDA premarket clearance to include a Software Bill of Materials: a machine-readable inventory of every software component in the device, including commercial, open-source, and off-the-shelf elements, along with a security architecture documenting all connections to hospital networks, cloud infrastructure, and related systems. The FDA’s February 2026 cybersecurity guidance makes the scope explicit: any device with software, internet connectivity, and vulnerability potential falls within the requirement. IEEE Standards Association has built a certification program explicitly aligned with Section 524B. Connected medical devices will increasingly compete on documented cybersecurity readiness the way they compete on clinical efficacy.
A Software Bill of Materials (SBOM) is a machine-readable inventory of every software component in a connected medical device, required by FDA Section 524B for any device seeking premarket clearance since March 2023. Hospitals need SBOMs to reconcile device-side documentation against their own asset inventory. Without a current hospital-side record, an SBOM cannot be matched to actual network state during a breach investigation.
The two-sided compliance gap this creates is structural. The device manufacturer documents their side: every software component, every connection, every vulnerability. HIPAA requires the hospital to document its side: every system that creates, stores, transmits, or receives ePHI, and every network connection those systems make. If the hospital’s inventory is outdated, the manufacturer’s SBOM is orphaned. At the moment of an OCR investigation, nobody can accurately account for what that device was connecting to inside the hospital’s environment when the breach occurred.
Life sciences organizations in Boston’s Kendall Square carry this two-sided pressure in concentrated form. Biotech and pharma organizations in that cluster carry simultaneous HIPAA obligations as covered entities and FDA 21 CFR Part 11 obligations as regulated research and manufacturing environments: the device-side compliance requirement and the covered-entity-side compliance requirement converging on the same asset inventory problem. For those organizations, that convergence is not a future compliance scenario. It is the current operating condition.
New York City health systems operate at a scale that makes this gap structural rather than theoretical. NYU Langone, Northwell Health, and NYC Health+Hospitals each run environments where device counts number in the tens of thousands, spread across multiple campuses, outpatient facilities, and affiliated networks. At that scale, the operational challenge of maintaining a current asset inventory is not a compliance exercise. It is an ongoing operational discipline.
The Texas Medical Center in Houston, the world’s largest medical complex, comprising more than 60 institutions and 1,345 licensed hospital beds across a single campus, represents the most concentrated version of this operational problem in the US. At that density of interconnected healthcare organizations sharing physical infrastructure, the asset inventory problem is not contained within a single covered entity. It spans institutional boundaries.
When OCR opens an investigation, it asks what the environment actually looked like at the moment of the breach, not what the last annual review was supposed to show. That enforcement posture now reaches organizational types many compliance officers had not considered within the HIPAA perimeter at all.


How Trusted Runtime Truth Bridges the Compliance Gap
The operational question is not whether to maintain an asset inventory: HIPAA requires one, and the proposed Security Rule NPRM will make it an explicit annual deliverable. The question is how to keep it accurate in an environment that changes between reviews, between the last scan and the next one, between the last scheduled inventory and the breach investigation that follows.
An annual review produces a snapshot. A snapshot reflects the environment at one point in time. In a 500-bed hospital adding devices, provisioning staff, onboarding vendors, and updating firmware on a rolling basis, that snapshot begins degrading the moment it is taken. By the time OCR opens an investigation, the gap between what the snapshot shows and what was actually running can span months of operational change: new devices connected, old ones decommissioned, vendor access granted and not revoked, software versions updated on some systems but not others.
This is where a CMDB operating with continuous discovery changes the compliance posture, not by replacing the annual review, but by ensuring that the inventory presented at any OCR investigation reflects the actual state of the environment at the moment that matters.
Virima operates at this infrastructure layer, delivering what Virima calls Trusted Runtime Truth: a live, verifiable record of every asset, its connections, its change history, and its ownership, built from discovery rather than manual documentation. High-frequency discovery cycles identify devices, applications, and systems that create, store, or transmit ePHI, including vendor-managed systems and AWS and Azure infrastructure, building a current asset inventory from actual operational state rather than manual input. ViVID™ Service Mapping shows what connects to what: which systems feed which, where ePHI flows, which vendor connections touch regulated data, giving compliance teams a visual dependency record that holds up under OCR scrutiny. Regular discovery cycles flag changes between formal reviews so the annual inventory starts from current operational truth rather than last year’s spreadsheet.
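The two operations described above, detecting drift between an annual-review snapshot and a current discovery result, and reconciling manufacturer SBOMs against what is actually on the network, can be made concrete with a small script. The following is an added example, not Virima's code and not part of the original article. It assumes two inventory exports shaped as lists of asset records with the keys shown, and an SBOM store keyed by device model; every device, firmware version, and component listed is constructed sample data, not a real product or SBOM.

```python
"""Inventory drift and SBOM reconciliation check (added example, not Virima's code).

Assumptions: a CMDB export and a discovery result are both lists of asset
dicts with the keys id, model, firmware, kind, ephi, vendor_access and
connects_to; manufacturer SBOMs are stored by device model. All records
below are constructed sample data.
"""
from typing import Dict, List, Set

# Constructed annual-review snapshot ("the January spreadsheet").
ANNUAL_SNAPSHOT: List[dict] = [
    {"id": "inf-pump-017", "model": "InfuseX-200", "firmware": "2.0.4", "kind": "device",
     "ephi": True, "vendor_access": False, "connects_to": ["emr-db-01"]},
    {"id": "ct-scan-02", "model": "ScanPro-7", "firmware": "7.1.0", "kind": "device",
     "ephi": True, "vendor_access": False, "connects_to": ["pacs-01"]},
    {"id": "old-pump-003", "model": "LegacyPump-9", "firmware": "1.4.2", "kind": "device",
     "ephi": True, "vendor_access": False, "connects_to": ["emr-db-01"]},
    {"id": "emr-db-01", "model": "emr-server", "firmware": "n/a", "kind": "server",
     "ephi": True, "vendor_access": False, "connects_to": []},
    {"id": "pacs-01", "model": "pacs-server", "firmware": "n/a", "kind": "server",
     "ephi": True, "vendor_access": False, "connects_to": []},
]

# Constructed current discovery result ("what is actually running in October").
CURRENT_DISCOVERY: List[dict] = [
    {"id": "inf-pump-017", "model": "InfuseX-200", "firmware": "2.1.0", "kind": "device",
     "ephi": True, "vendor_access": False, "connects_to": ["emr-db-01"]},
    {"id": "ct-scan-02", "model": "ScanPro-7", "firmware": "7.1.0", "kind": "device",
     "ephi": True, "vendor_access": True, "connects_to": ["pacs-01", "cloud-ai-triage"]},
    {"id": "emr-db-01", "model": "emr-server", "firmware": "n/a", "kind": "server",
     "ephi": True, "vendor_access": False, "connects_to": []},
    {"id": "pacs-01", "model": "pacs-server", "firmware": "n/a", "kind": "server",
     "ephi": True, "vendor_access": False, "connects_to": []},
    {"id": "mon-031", "model": "VitalsMon-3", "firmware": "3.0.2", "kind": "device",
     "ephi": True, "vendor_access": False, "connects_to": ["emr-db-01"]},
    {"id": "cloud-ai-triage", "model": "saas-service", "firmware": "n/a", "kind": "saas",
     "ephi": True, "vendor_access": True, "connects_to": []},
]

# Constructed SBOM store: one manufacturer SBOM per device model, keyed by model.
SBOM_STORE: Dict[str, dict] = {
    "InfuseX-200": {"firmware": "2.0.4", "components": ["openssl 1.1.1w", "busybox 1.36"]},
    "ScanPro-7": {"firmware": "7.1.0", "components": ["dotnet 6.0", "sqlite 3.40"]},
    "LegacyPump-9": {"firmware": "1.4.2", "components": ["uclibc 0.9", "lwip 2.1"]},
}


def _index(assets: List[dict]) -> Dict[str, dict]:
    return {a["id"]: a for a in assets}


def inventory_drift(snapshot: List[dict], current: List[dict]) -> Dict[str, list]:
    """Compare the last formal review against current discovery and list what changed."""
    before, after = _index(snapshot), _index(current)
    drift: Dict[str, list] = {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "firmware_changed": [], "new_connections": [], "vendor_access_granted": [],
    }
    for aid in sorted(before.keys() & after.keys()):
        b, a = before[aid], after[aid]
        if b["firmware"] != a["firmware"]:
            drift["firmware_changed"].append((aid, b["firmware"], a["firmware"]))
        new_links = sorted(set(a["connects_to"]) - set(b["connects_to"]))
        if new_links:
            drift["new_connections"].append((aid, new_links))
        if a["vendor_access"] and not b["vendor_access"]:
            drift["vendor_access_granted"].append(aid)  # granted since the last review
    return drift


def reconcile_sboms(current: List[dict], sbom_store: Dict[str, dict]) -> Dict[str, list]:
    """Match manufacturer SBOMs to observed ePHI devices; report what cannot be reconciled."""
    result: Dict[str, list] = {"missing_sbom": [], "firmware_mismatch": [], "orphaned_sbom": []}
    seen_models: Set[str] = set()
    for a in current:
        if a["kind"] != "device" or not a["ephi"]:
            continue  # Section 524B SBOMs cover connected medical devices
        seen_models.add(a["model"])
        sbom = sbom_store.get(a["model"])
        if sbom is None:
            result["missing_sbom"].append(a["id"])
        elif sbom["firmware"] != a["firmware"]:
            # SBOM describes a different build than the one observed on the network
            result["firmware_mismatch"].append((a["id"], sbom["firmware"], a["firmware"]))
    result["orphaned_sbom"] = sorted(m for m in sbom_store if m not in seen_models)
    return result


def ephi_reachability(current: List[dict], start: str) -> Set[str]:
    """Every asset transitively reachable from one device: what it was connecting to."""
    idx, seen, stack = _index(current), set(), [start]
    while stack:
        aid = stack.pop()
        if aid in seen or aid not in idx:
            continue
        seen.add(aid)
        stack.extend(idx[aid]["connects_to"])
    seen.discard(start)
    return seen


if __name__ == "__main__":
    print("drift:", inventory_drift(ANNUAL_SNAPSHOT, CURRENT_DISCOVERY))
    print("sbom:", reconcile_sboms(CURRENT_DISCOVERY, SBOM_STORE))
    print("ct-scan-02 reaches:", ephi_reachability(CURRENT_DISCOVERY, "ct-scan-02"))
```

Run against the constructed data, the drift report surfaces a new monitor with no SBOM on file, a vendor-managed cloud service that a CT scanner began sending data to after the review, a pump whose observed firmware no longer matches the SBOM the manufacturer supplied, and an SBOM for a decommissioned device that is now orphaned. The design point is that each finding is computed from the discovery result, not from the snapshot, so the same functions answer OCR's question ("what was connected when the incident occurred") as long as discovery output from that date has been retained.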
The compliance requirement is annual. The operational reality is that environments change on a rolling basis. The infrastructure that closes the distance between those two timelines is the CMDB, not as a compliance product, but as the operational foundation that makes a defensible, audit-ready inventory possible at any point in time. Reviewing CMDB best practices alongside your compliance program is a practical starting point for any team aligning their asset infrastructure to OCR’s expectations.
A CMDB supports HIPAA compliance by maintaining a current, discovery-sourced record of every asset that touches ePHI, including vendor-managed systems and cloud infrastructure. When OCR investigates, it asks what the environment looked like when the breach occurred, not when the last annual review was conducted. A CMDB makes that question answerable at any point in time.
Chicago health systems carry an additional compliance layer that sharpens this operational requirement. Illinois HB 3653 stacks state-level data governance and cybersecurity requirements on top of federal HIPAA obligations, widening the enforcement surface and narrowing the margin for inventory gaps. For health systems operating in Cook County and across the Chicago metro, the asset inventory problem is not a single-regulator question. It is a multi-jurisdictional one.
Dallas/Fort Worth health systems, anchored by UT Southwestern Medical Center, Baylor Scott & White Health, and Texas Health Resources, operate multi-facility networks where the dependency mapping challenge is the defining operational constraint. Distributed campuses, shared IT infrastructure, and multi-entity data flows mean that an accurate inventory is not a single-organization exercise. It requires consistent, discovery-sourced visibility across institutional boundaries, maintained through regular discovery cycles, to know where ePHI sits and what it connects to at any given point.
The Road Ahead for Healthcare Practitioners in the US
Three things changed in 2026 that did not exist in the same combination in any prior year. The proposed HIPAA Security Rule NPRM moves asset inventory from guidance to explicit regulatory requirement, with a 240-day compliance window from final rule publication. FDA Section 524B is now fully in effect, meaning every new connected device entering a hospital arrives with a documented software inventory that the hospital’s own asset record must be capable of contextualizing. And OCR’s Risk Analysis Initiative is expanding from risk identification to risk management, meaning organizations must now demonstrate not only that they found their vulnerabilities but that they acted on them, with documentation OCR can review.
Organizations that treat asset inventory as a periodic compliance exercise will find themselves defending a January spreadsheet at an October breach investigation. The average cost of a healthcare data breach reached $10.93 million in 2025, the highest of any industry for the fourteenth consecutive year (IBM Cost of Data Breach Report, 2025). The distance between those two dates, measured in device additions, firmware updates, vendor connections, and staff provisioning events, is the operational exposure. Understanding healthcare IT asset management requirements is where most compliance officers need to start: the regulatory baseline has always required knowing what you have, but the 2026 Security Rule NPRM makes that baseline explicit and auditable. Understanding the difference between active vs passive IT asset discovery methods matters too: active scans produce a point-in-time record; a discovery-sourced CMDB keeps that record current between reviews.
California adds a further enforcement layer for health systems operating in Los Angeles. The Confidentiality of Medical Information Act imposes state-level protections on medical information that extend beyond HIPAA’s federal floor: additional obligations, additional enforcement jurisdiction, and an additional reason why the asset inventory problem in a Los Angeles health system is not resolved by federal compliance posture alone.
The asset inventory is not a compliance deliverable. It is the operational infrastructure that every other compliance obligation depends on. You cannot conduct a risk analysis without knowing every system that holds ePHI. You cannot respond to an OCR investigation without being able to show what your environment looked like when the incident occurred. You cannot reconcile a manufacturer’s SBOM against your network without knowing what your network contains. For organizations ready to build a CMDB that meets this standard, the starting point is a discovery-sourced asset foundation, not a spreadsheet migration.
MMG Fusion knew this by the time OCR was done with them. The corrective action plan said it directly: build the inventory first. Everything else follows from that.
Frequently Asked Questions
What is HIPAA and who does it apply to?
HIPAA, the Health Insurance Portability and Accountability Act, applies to covered entities (hospitals, health plans, healthcare clearinghouses, and most healthcare providers) and their business associates (vendors, contractors, and software providers that handle protected health information on their behalf). Business associates carry the same Security Rule obligations as covered entities. The MMG Fusion settlement confirmed that software companies serving dental practices are subject to the same enforcement exposure as the practices themselves.
What triggers an OCR HIPAA investigation?
Four things trigger an OCR investigation: a breach self-report filed by the covered entity or business associate, a complaint filed by a patient or workforce member, a proactive compliance audit initiated by OCR, or a referral from another federal or state agency. OCR is required to investigate all breaches affecting 500 or more individuals. Investigations are not discretionary: they are mandatory once a qualifying breach is reported.
What is the HIPAA Security Rule risk analysis requirement?
The Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. This assessment must cover every system that touches ePHI. It is not a one-time exercise: it must be kept current as the environment changes. Failure to conduct a compliant risk analysis is the most cited violation in OCR’s enforcement record.
What is a technology asset inventory under the proposed Security Rule?
The proposed HIPAA Security Rule NPRM published January 6, 2025 requires covered entities and business associates to develop and maintain a complete inventory of all technology assets that create, store, transmit, or receive ePHI, along with a network map showing how ePHI moves through their electronic information systems. This inventory must be updated at least every 12 months and following any operational change that affects ePHI. The requirement is proposed, not yet final, but OCR’s existing corrective action plans already require equivalent inventories as a prerequisite for risk analysis.
What is a Software Bill of Materials and why does it matter for hospitals?
A Software Bill of Materials is a machine-readable inventory of every software component in a connected medical device, including commercial, open-source, and off-the-shelf elements, along with documentation of every system the device connects to. FDA Section 524B requires manufacturers to submit an SBOM for every connected device seeking premarket clearance, effective March 29, 2023. For hospitals, the SBOM documents the device side of the compliance equation. HIPAA requires hospitals to document the network side. If the hospital’s asset inventory is outdated, the manufacturer’s SBOM cannot be reconciled against the hospital’s actual environment at the time of a breach investigation.
How does a CMDB support HIPAA compliance without replacing the annual review?
A CMDB does not replace the annual review: the regulatory floor remains annual under both existing Security Rule guidance and the proposed NPRM. What a discovery-sourced CMDB provides is the operational foundation that makes the annual review defensible and the inventory audit-ready at any point in time. Discovery cycles identify every device, application, and system touching ePHI. ViVID™ Service Mapping shows how ePHI flows between systems and what each system connects to. When OCR investigates, the question it asks is not what the environment was supposed to look like: it is what the environment actually looked like when the incident occurred. A CMDB is the infrastructure that makes that question answerable.
Ready to build an ePHI asset inventory that holds up when OCR investigates, not just when auditors schedule their visit? See how Virima’s discovery-sourced CMDB keeps your asset record current between reviews, so your compliance posture reflects operational reality at any point in time. Schedule a demo.