OCR Risk Analysis Methodology Applied to AI Voice Agents

OCR's Risk Analysis Initiative is the second-most-active enforcement track. Applying the Security Rule risk analysis methodology to an AI voice agent forces every assumption out into writing — which is the whole point.

A risk analysis that does not name your model provider, your vector store, your audio pipeline, and your prompt-injection threat is a risk analysis that will not survive an OCR data request. The proposed 2026 Security Rule update would close the gap further.

What the law actually says

flowchart LR
  Voice[Voice call] --> Redact[PII / PHI redaction]
  Redact --> LLM[LLM with BAA]
  LLM --> Resp[Response]
  Resp --> Sanitize[Remove non-needed PHI]
  Sanitize --> Caller[Caller]
  Resp --> AuditDB[(Audit DB)]
CallSphere reference architecture

45 CFR 164.308(a)(1)(ii)(A) requires every covered entity and business associate to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it holds. OCR's Risk Analysis Initiative — formally launched in October 2024 — has produced more than a dozen settlement actions tied specifically to risk-analysis failures.

The proposed 2026 Security Rule update would raise the bar. Under the NPRM, the risk analysis would have to include: a written technology asset inventory; a written assessment of the criticality of relevant technology assets; a written assessment of threats to the confidentiality, integrity, and availability of ePHI; and a written evaluation of likelihood and impact for each. The NPRM preamble explicitly identifies AI-related threats — model output errors, training-data leakage, prompt injection, and AI-driven ransomware — as material to the analysis.

NIST SP 800-66 Rev 2 (February 2024) is OCR's recommended methodology, and the NIST AI Risk Management Framework (AI RMF 1.0) overlays AI-specific threat modeling on top.

What this means for AI voice and chat agents

The risk analysis for an AI voice agent must enumerate every component on the PHI path, together with its criticality rating, the threats that apply to it, the existing controls, and the residual risk. Components include: telephony carrier, audio storage, ASR provider, model provider (and model name and version), prompt template store, vector database, embeddings model, EHR connector, scheduling tool, voicemail pipeline, transcription pipeline, summary generator, sentiment scorer, lead scorer, audit log store, dashboard, and admin console.

The AI-specific threat catalog includes prompt injection, jailbreaks, model output hallucination, sub-processor drift (a sub-processor adds a new sub-sub-processor without notice), training-data leakage from non-zero-retention endpoints, audio re-identification of "de-identified" recordings, voice-cloning impersonation, and adversarial input that triggers harmful tool calls. Each threat needs likelihood, impact, and a control reference.

How CallSphere implements it

CallSphere maintains a written risk analysis covering all 37 production agents, 90+ tools, and 115+ database tables. The analysis names every model provider with its current BAA reference and zero-data-retention status, every ASR and TTS provider, the telephony carrier, the cloud host, and every analytical sub-component. AI-specific threats — prompt injection, hallucination, voice cloning, sub-processor drift — each have a documented control. The healthcare_voice PostgreSQL database has its own subsection covering encryption, access controls, audit trail, retention, and integrity controls. We re-run the risk analysis at least annually and after any material change. Customers under our BAA receive an executive summary on request. Healthcare buyers can review the architecture overview at /industries/healthcare, explore the behavioral-health LP at /lp/behavioral-health, and start with a 14-day trial.

Compliance and build checklist

  1. Build a written technology asset inventory of every component on the PHI path.
  2. Rate criticality of each asset — high/medium/low based on PHI exposure and dependency.
  3. Catalog AI-specific threats: prompt injection, hallucination, sub-processor drift, training leakage, voice cloning.
  4. Catalog general threats: ransomware, insider, credential compromise, supply-chain.
  5. For each (asset, threat) pair, document existing controls and residual likelihood and impact.
  6. Reference NIST SP 800-66 Rev 2 and NIST AI RMF 1.0 explicitly in the methodology section.
  7. Capture model provider, model name, model version, and BAA reference for every model in the path.
  8. Verify zero-data-retention status of every model endpoint that supports it.
  9. Document the prompt template change-control process — versioned, reviewed, audit-logged.
  10. Run a tabletop exercise against prompt injection and against ransomware scenarios annually.
  11. Update the analysis on any material change: new model, new sub-processor, new tool, new vertical.
  12. Share an executive summary with covered-entity customers under BAA on request.
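As an added example (not CallSphere's code or inventory), the following Python turns steps 1 to 5, 7 and 8 of the checklist into a small risk-register builder: a written asset inventory with criticality, an (asset, threat) matrix whose residual likelihood and impact are reduced by documented controls, and a gap check that flags any model on the PHI path whose provider, version, BAA reference or zero-data-retention status was never recorded. All asset names, providers, BAA numbers, threats and ratings in it are constructed sample data.

```python
"""Risk-register builder for an AI voice agent (added example, not CallSphere's code).
Implements checklist steps 1-5, 7 and 8: written asset inventory, criticality ratings,
an (asset, threat) matrix with residual likelihood and impact, and a gap check on the
model-provider fields. All assets, threats, controls and ratings are constructed samples."""
from dataclasses import dataclass
from typing import Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Asset:                                   # step 1: one inventory entry
    name: str
    kind: str                                  # telephony, asr, model, db, ...
    criticality: str                           # step 2: high / medium / low
    on_phi_path: bool = True
    provider: Optional[str] = None             # step 7 fields, required when kind == "model"
    model_version: Optional[str] = None
    baa_ref: Optional[str] = None
    zero_data_retention: Optional[bool] = None  # step 8: None means never verified

@dataclass
class Threat:                                  # steps 3-4: one catalog entry
    name: str
    applies_to: frozenset                      # asset kinds the threat is relevant to
    likelihood: str                            # inherent rating, before controls
    impact: str

@dataclass
class Control:
    name: str
    reduces_likelihood_by: int = 0             # levels knocked off (high -> medium -> low)
    reduces_impact_by: int = 0

@dataclass
class RegisterEntry:                           # step 5: one (asset, threat) row
    asset: str
    threat: str
    controls: list
    residual_likelihood: int
    residual_impact: int
    score: int                                 # residual likelihood x impact, 1..9

def _reduce(level, by):
    return max(1, LEVELS[level] - by)

def build_register(assets, threats, controls_map):
    """One entry per applicable (asset, threat) pair on the PHI path.
    controls_map is {(asset_name, threat_name): [Control, ...]}."""
    entries = []
    for a in assets:
        if not a.on_phi_path:
            continue
        for t in threats:
            if a.kind not in t.applies_to:
                continue
            ctrls = controls_map.get((a.name, t.name), [])
            lik = _reduce(t.likelihood, sum(c.reduces_likelihood_by for c in ctrls))
            imp = _reduce(t.impact, sum(c.reduces_impact_by for c in ctrls))
            entries.append(RegisterEntry(a.name, t.name, [c.name for c in ctrls], lik, imp, lik * imp))
    return entries

def find_gaps(assets, register, accept_score=2):
    """What a reviewer (or an OCR data request) would flag: models on the PHI path with
    missing step-7/8 fields, and residual risks above the threshold with no control."""
    gaps = []
    for a in assets:
        if a.kind == "model" and a.on_phi_path:
            for fld in ("provider", "model_version", "baa_ref"):
                if getattr(a, fld) is None:
                    gaps.append(f"{a.name}: missing {fld}")
            if a.zero_data_retention is not True:
                gaps.append(f"{a.name}: zero-data-retention not verified")
    for e in register:
        if e.score > accept_score and not e.controls:
            gaps.append(f"{e.asset} / {e.threat}: residual {e.score} with no control")
    return gaps

# Constructed sample inventory: hypothetical names, not real providers or BAA numbers.
SAMPLE_ASSETS = [
    Asset("carrier", "telephony", "high"),
    Asset("asr-provider", "asr", "high", provider="ASR Co", baa_ref="BAA-0002"),
    Asset("chat-model", "model", "high", provider="Model Co", model_version="m-2025-01",
          baa_ref="BAA-0001", zero_data_retention=True),
    Asset("summary-model", "model", "medium", provider="Model Co", baa_ref="BAA-0001"),
    Asset("admin-console", "console", "medium", on_phi_path=False),  # off the PHI path
]
SAMPLE_THREATS = [
    Threat("prompt injection", frozenset({"model"}), "high", "high"),
    Threat("training-data leakage", frozenset({"model", "asr"}), "medium", "high"),
    Threat("voice-cloning impersonation", frozenset({"telephony"}), "medium", "high"),
]
SAMPLE_CONTROLS = {
    ("chat-model", "prompt injection"): [Control("tool allow-list + output filter", 1, 1)],
    ("chat-model", "training-data leakage"): [Control("ZDR endpoint under BAA", 2)],
    ("asr-provider", "training-data leakage"): [Control("ZDR endpoint under BAA", 2)],
}

if __name__ == "__main__":
    reg = build_register(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_CONTROLS)
    print("\n".join(find_gaps(SAMPLE_ASSETS, reg)))
```

Run as-is, the sample data produces two inventory gaps (the summary model has no recorded version and its zero-data-retention status was never verified) and three uncontrolled residual risks above the acceptance threshold, which is exactly the kind of finding an OCR data request surfaces when the register was filled in from a template rather than from the real PHI path. The admin console is excluded because it is marked off the PHI path; in a real inventory that flag is itself something to challenge.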

FAQ

Is a one-page risk analysis enough? No. OCR's Risk Analysis Initiative settlements consistently cite cursory or templated analyses. The proposed 2026 Security Rule update would require the analysis to be in writing, with the methodology named.

Does NIST 800-66 require AI-specific controls? NIST SP 800-66 Rev 2 (February 2024) is general HIPAA Security Rule guidance, not AI-specific. NIST AI RMF 1.0 is the AI-specific overlay. Citing both gives the analysis a named methodology for the general controls and for the AI-specific threat catalog.

What is "sub-processor drift"? A sub-processor adds a downstream service (a new caching layer, a new analytics tool) without notifying the BA. The BAA flow-down clause and the risk analysis must catch it.

How often should I redo the risk analysis? At minimum annually. Always after a material change — new vertical, new model, new sub-processor, breach incident.

Can OCR demand the analysis without a complaint? Yes. OCR's Risk Analysis Initiative is a proactive program; risk analysis is also a standard data request in any compliance review.
