HIPAA Risk Analysis Tip – OCR CAP Data: Learn Why 9 of 10 Organizations Fail


There are plenty of ways to squander several million dollars, but none quite as frustrating as forking over those hefty sums to HHS’s Office for Civil Rights (OCR). In each of these recent cases, MAPFRE Life ($2.20MM), St. Joseph’s Health ($2.1MM), Advocate ($5.6MM), University of Mississippi Medical Center ($2.8MM) and Oregon Health and Science University ($2.7MM), the organizations were found not to have completed a HIPAA Risk Analysis that meets OCR’s increasing ‘standard of care’.


OCR’s press releases contain increasingly strong language from director Jocelyn Samuels. For example:

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well.”

“OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”




“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”




“Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this (risk analysis) was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.”


OCR has now reached 45 settlement agreements and Corrective Action Plans (CAPs), and the pace is accelerating. There were 13 in 2016, and two already this year. Samuels’ office has imposed civil monetary penalties (CMPs) in only two cases, so we’ve yet to see the full fury of the CMP system.


Of the 35 settlement cases involving ePHI, 32 organizations had adverse findings related to risk analysis. That’s a shocking 91% that failed to do risk analysis properly.


In nine out of ten cases where OCR brought the hammer down, the underlying cause was an epic failure in risk analysis, something that is entirely preventable. The top reasons why organizations are failing to meet OCR's standards are:


  1. The risk analysis is not comprehensive enough; it does not include every information asset in every line of business in every facility in every location.
  2. The risk analysis is not detailed enough; it does not consider every asset-threat-vulnerability scenario, or 'triple', as a risk that needs to be analyzed.
  3. The organization is not following published OCR/NIST guidance; among other misses, it does not include the 9 essential elements of a bona fide risk analysis required by OCR.
  4. The organization does not provide enough documentation; there is no evidence of a vibrant, ongoing information risk management program.


No covered entity wants to see millions of dollars go down the drain this needlessly.


The solution: Let Clearwater complete a Confidential, Complimentary Review of your current risk analysis and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis. We are the best in the world at doing so!

About the Author: Bob Chaput


Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.
