In determining that 9 out of 10 organizations are failing to meet very fundamental HIPAA information risk analysis requirements, OCR has cited these top 5 root causes for the adverse findings:
- The risk analysis was not asset-based: it did not cover all systems, applications and technology that create, receive, maintain or transmit ePHI
- The risk analysis was not comprehensive enough: it did not include every information asset in every line of business in every facility in every location
- The risk analysis was not detailed enough: it did not consider every asset-threat-vulnerability scenario
- The risk analysis did not follow the HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”; instead, it was just a controls checklist
- The risk analysis was not documented well enough: there was insufficient evidence of a vibrant program
The challenge organizations are facing is how to conduct an accurate and comprehensive HIPAA Risk Analysis that includes all information assets in all lines of business in all facilities and in all locations. The number of asset-threat-vulnerability combinations is overwhelming. Risk analyses cannot be performed efficiently and effectively with spreadsheets, and an accurate and comprehensive risk analysis is certainly not a matter of using a controls checklist.
View this recorded web event and learn a step-by-step methodology based on OCR and NIST guidance, aided by award-winning software. Clearwater is the best in the world at conducting OCR-quality risk analyses and risk management and has earned numerous awards and recognition, including the exclusive endorsement of the American Hospital Association. While OCR cannot endorse commercial organizations, Clearwater is a well-known and proven risk management partner in the eyes of OCR.
What some of the attendees had to say about the live web event:
Presenting the 2017 settlements was a valuable reminder of how important risk assessments are to this whole process.
I found the most value around the emphasis on the scope requirements of a Risk Assessment, with supporting examples and attention to granularity.
It’s great to hear from subject matter experts and knowledgeable insiders like Leon. This was a very good and useful webinar. Thank you!
All of the concepts you covered were valuable. This will occupy my mind for some time. Thank you all for sharing.
I found the comments and recommendations from Mr. Rodriguez and the reference material throughout the presentation most beneficial.
You Asked | We Answered
We know a Risk Analysis can be daunting. We tried to answer some questions to help you understand. Check out our HIPAA Risk Analysis Blog Series.
About Deepali Doddi and Ice Miller LLP
Deepali Doddi, J.D., CIPP/US
Associate, Ice Miller LLP & Former Investigator, OCR
- Attorney in Ice Miller’s Data Security and Privacy practice group
- HIPAA Investigator in HHS OCR’s Chicago regional office for 5+ years
- Served as lead investigator in several OCR HIPAA enforcement settlements
- Member: IAPP, AHLA, HCCA
- J.D., University of Notre Dame Law School (2010); B.A., Northwestern University (2007)
Contact us today to speak to one of our experts about how Clearwater Compliance can help your organization.