HIPAA Risk Analysis Tip – What Captures OCR's Attention?


There’s pain in the voices of CISOs who haven’t been able to persuade their executive team to invest in an accurate, thorough enterprise-wide HIPAA risk analysis and risk management plan.


CEOs too often are willing to take on risk to increase revenue rather than mitigate existing risk to avoid cost.  The story goes something like: “We’ll never be chosen for an audit, fewer than 200 organizations have been selected.  Even if we do have a breach, it’s unlikely they’ll ever decide to investigate us.  There are 1,800 organizations listed on OCR’s wall of shame, in an industry that has over 10,000,000 organizations responsible for protecting PHI.  What are the chances?!”


OCR investigations and the resulting resolution agreements / corrective action plans carry increasingly large settlement amounts, broad exposure, reputational damage and ongoing incremental operational costs and distraction.  And OCR often chooses those enforcement actions to highlight circumstances that make a specific point.


OCR has demonstrated that all types of organizations are subject to enforcement actions.  Examples include:


  • State Universities - Idaho State University and the University of Massachusetts Amherst
  • County government - Skagit County Public Health Department
  • Community Services - Anchorage Community Mental Health Services
  • State Government - Alaska Department of Health and Social Services
  • Private Physician Practices - Cancer Care Group and Phoenix Cardiac Surgery
  • Specialty Services - Massachusetts Eye and Ear Infirmary
  • Research institutions – Feinstein Institute for Medical Research

OCR has demonstrated that all types of regulatory violations are subject to enforcement actions.  Examples include:


  • For a breach under 500 records - Hospice of North Idaho
  • Following a required breach report - the first enforcement action resulting from a breach report required by the HITECH Act - BCBST
  • For not reporting breaches in a timely manner - Presence Health
  • For lack of institutional oversight - University of Mississippi Medical Center
  • For failure to erase photocopier hard drives before returning the leased copiers - Affinity Health Plan
  • For failure to cooperate - CIGNET
  • Referral from OIG, for marketing without permission – Management Services Organization

OCR has demonstrated that varying trigger events may result in enforcement actions:


  • Nine (9) of the fifty (50) investigations that led to settlement agreements were initiated by complaints.
  • Another four (4) were initiated following news reported in the media.
  • Five (5) others focused on business associates and business associate agreements.
  • More recently, since OCR fixed its breach-tracking system (on OIG’s recommendation), multiple breach reports filed by the same organization have triggered investigations that ended in settlement agreements with six (6) more organizations.
  • Successful hacks have prompted OCR to examine the policies, procedures and evidence of access monitoring, patch implementation and social engineering training at five (5) organizations, and another five (5) were cited for unencrypted laptops, thumb drives or mobile devices.

Good news - all the OCR Resolution Agreements / Corrective Action Plans are available for review and learning.


So the short story is that it doesn’t have to be a big breach, a complex situation, or even a blatant failure for OCR to decide that an enforcement action, and ultimately a resolution agreement and corrective action plan, is in order.


Once they are in, if the case involves ePHI, you can be certain they will ask for the risk analysis that should have identified the vulnerability the threat exploited, because the controls and safeguards in place were insufficient to protect the information.  When that risk analysis hasn’t been done, or hasn’t been done right, the fines and disruption follow.


Now what?

  1. Attend our May 3rd "Conversation with Former OCR Director Leon Rodriguez: What OCR Expects in Your HIPAA Risk Analysis"  Learn how to conduct an OCR-quality risk analysis and what to expect from the new administration on HIPAA, among many other things. You may learn more and register here: http://bit.ly/ClearwaterLeonRodriguez
  2. Download the OCR-issued "Guidance on Risk Analysis Requirements under the HIPAA Security Rule" .
  3. Learn the definition of an information asset.
  4. View a recorded demo of our award-winning software for conducting OCR-quality risk analysis and risk management work products.
  5. Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.
  6. Read the OCR Resolution Agreements / Corrective Action Plans, especially the 39 involving ePHI where 35 organizations had adverse findings for incomplete and/or inaccurate HIPAA Risk Analysis and HIPAA Risk Management work.

About the Author: Bob Chaput

Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority on safeguarding health data, Chaput has supported hundreds of hospitals and health systems in managing healthcare’s evolving cybersecurity threats and ensuring patient safety.