There are plenty of ways to squander several million dollars, but none quite as frustrating as forking over those hefty sums to HHS’s Office for Civil Rights (OCR). In each of these recent cases (Texas health system, $2.20MM; St. Joseph’s Health, $2.1MM; Advocate, $5.6MM), the organizations were found not to have completed a HIPAA Risk Analysis that meets OCR’s increasingly stringent ‘standard of care’.
It is clear that many organizations struggle to fully comprehend the scope of an OCR-Quality Risk Analysis. Simply put, an accurate and complete HIPAA Risk Analysis must include all information assets in all lines of business in all facilities and in all locations. If that sounds like a lot, it is. But when approached with a step-by-step methodology based on OCR and NIST guidance, aided by award-winning software, it is achievable.
This 75-minute webinar has been designed to help covered entities and business associates understand and act on the specific Risk Analysis requirements included in:
- the HIPAA Risk Analysis implementation specification language at 45 CFR §164.308(a)(1)(ii)(A) of the HIPAA Security Rule;
- the methodology outlined in the HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”;
- the underlying NIST Special Publications for performing a risk assessment and, specifically, NIST SP 800-30 “Guide for Conducting Risk Assessments”;
- the documentation found in OCR investigation letters and “OCR Resolution Agreements / Corrective Action Plans”;
- the “OCR Audit Protocol – Updated April 2016” specific to Risk Analysis and Risk Management;
- our work with numerous organizations subjected to OCR enforcement actions that included reviews of organizations’ risk analyses.
Date & Time
February 7, 2018
11 am – 12.15 pm CT
In determining that 9 out of 10 organizations are failing to meet very fundamental HIPAA information risk analysis requirements, OCR has cited these top 5 root causes for the adverse findings:
- The risk analysis was not asset-based – all systems / apps / technology that create, receive, maintain or transmit ePHI
- The risk analysis was not comprehensive enough – it does not include every information asset in every line of business in every facility in every location
- The risk analysis was not detailed enough – it does not consider every asset-threat-vulnerability scenario
- The risk analysis did not follow HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” – instead, it was just a controls checklist
- The risk analysis was not documented well enough – there was insufficient evidence of a vibrant program
The challenge organizations are facing is how to conduct an accurate and comprehensive HIPAA Risk Analysis that includes all information assets in all lines of business in all facilities and in all locations. The number of asset-threat-vulnerability combinations is overwhelming. Risk analyses cannot be performed efficiently and effectively with spreadsheets, and an accurate and comprehensive risk analysis is certainly not a matter of using a controls checklist.
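To make the scale of the problem concrete, the following Python sketch is an added illustration (not part of the webinar and not Clearwater’s software). It builds a small asset-based register from a constructed inventory: every asset that holds ePHI, the weaknesses found on each, and the threat sources that can exploit them. Each scenario is rated with the qualitative likelihood × impact scale described in NIST SP 800-30 (the 1–5 scales, the score thresholds, and all asset, threat and vulnerability names are assumptions made for the example), and a separate check flags assets with no findings at all, which is the “not comprehensive enough” gap OCR cites.

```python
"""Asset-based risk register sketch (constructed data, illustrative only).

Enumerates asset-threat-vulnerability scenarios for every ePHI asset and
rates each one with a NIST SP 800-30 style likelihood x impact scale.
Every asset, threat, vulnerability and rating below is made up for the
example; the scoring thresholds are an assumption, not OCR's or NIST's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    facility: str
    line_of_business: str
    impact: int          # 1 (negligible) .. 5 (severe) if its ePHI is compromised


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset  # vulnerability names this threat source can exploit


@dataclass(frozen=True)
class Finding:
    asset: str
    vulnerability: str
    likelihood: int      # 1 (rare) .. 5 (almost certain) that it gets exploited


# Constructed inventory: several facilities and lines of business
ASSETS = [
    Asset("ehr-db-01", "Main Hospital", "Inpatient", 5),
    Asset("billing-app", "Main Hospital", "Revenue Cycle", 4),
    Asset("clinic-laptop-17", "North Clinic", "Outpatient", 3),
    Asset("pharmacy-kiosk", "North Clinic", "Pharmacy", 3),   # never assessed
]

THREATS = [
    Threat("ransomware", frozenset({"unpatched-os", "no-offline-backup"})),
    Threat("lost-or-stolen-device", frozenset({"no-disk-encryption"})),
    Threat("malicious-insider", frozenset({"excess-privileges", "no-audit-logging"})),
    Threat("credential-phishing", frozenset({"no-mfa", "excess-privileges"})),
]

VULNERABILITIES = sorted({v for t in THREATS for v in t.exploits})

# Constructed findings from the control review, one row per weakness per asset
FINDINGS = [
    Finding("ehr-db-01", "excess-privileges", 3),
    Finding("ehr-db-01", "no-audit-logging", 2),
    Finding("ehr-db-01", "no-offline-backup", 4),
    Finding("billing-app", "no-mfa", 4),
    Finding("billing-app", "unpatched-os", 3),
    Finding("clinic-laptop-17", "no-disk-encryption", 4),
    Finding("clinic-laptop-17", "unpatched-os", 3),
]


def scenario_space(assets, threats, vulnerabilities):
    """Number of asset-threat-vulnerability triples the analysis must consider."""
    return len(assets) * len(threats) * len(vulnerabilities)


def build_register(assets, threats, findings):
    """One rated row per (asset, threat, vulnerability) where the threat can
    exploit a weakness actually present on that asset, highest risk first."""
    impact = {a.name: a.impact for a in assets}
    rows = []
    for f in findings:
        for t in threats:
            if f.vulnerability in t.exploits:
                rows.append({
                    "asset": f.asset,
                    "threat": t.name,
                    "vulnerability": f.vulnerability,
                    "likelihood": f.likelihood,
                    "impact": impact[f.asset],
                    "risk": f.likelihood * impact[f.asset],
                })
    return sorted(rows, key=lambda r: (-r["risk"], r["asset"], r["threat"]))


def risk_level(score):
    """Bucket a 1..25 score into qualitative levels (thresholds are assumed)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    return "low"


def count_by_level(register):
    """How many scenarios land in each level, for the summary page of the register."""
    counts = {"high": 0, "moderate": 0, "low": 0}
    for row in register:
        counts[risk_level(row["risk"])] += 1
    return counts


def unassessed_assets(assets, findings):
    """ePHI assets with no finding at all: a completeness gap, not a clean bill of health."""
    covered = {f.asset for f in findings}
    return [a.name for a in assets if a.name not in covered]


if __name__ == "__main__":
    print("scenario space:", scenario_space(ASSETS, THREATS, VULNERABILITIES))
    for row in build_register(ASSETS, THREATS, FINDINGS):
        print(f'{row["risk"]:>3} {risk_level(row["risk"]):<8} {row["asset"]:<17} '
              f'{row["threat"]:<22} {row["vulnerability"]}')
    print("never assessed:", unassessed_assets(ASSETS, FINDINGS))
```

Even this toy inventory of four assets, four threat sources and six vulnerability classes yields 96 triples to consider, which is why the text above argues that a spreadsheet does not scale once real facilities and lines of business are added. The `unassessed_assets` check matters as much as the scores: an asset that is silently absent from the register is the finding OCR reads as an incomplete analysis.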
Attend this live web event and learn a step-by-step methodology based on OCR and NIST guidance, aided by award-winning software. Clearwater is the best in the world at conducting OCR-quality risk analyses and risk management and has earned numerous awards and recognition, including the exclusive endorsement of the American Hospital Association. While OCR cannot endorse commercial organizations, Clearwater is a well-known and proven risk management partner in the eyes of OCR. That tacit endorsement is evidenced in recent web and live speaking events with current and former members of the Office for Civil Rights. For example, we conducted this webinar on May 3rd: “What OCR Expects in Your HIPAA Risk Analysis: A Conversation with Former OCR Director Leon Rodriguez”.
If you receive, create, maintain or transmit ePHI or any sensitive information for which you cannot afford loss or harm, you should attend this session.
- Explaining the difference between compliance and security
- Citing the specific regulatory requirements for risk assessment
- Defining fundamental risk terminology
- Explaining why risk assessment is a core foundational step for any information security program
- Describing the fundamentals of Information Risk Assessment
- Describing the fundamentals of Information Risk Management
- All registrants will receive a copy of all slide materials.