This presentation is a recording of a live web event co-hosted by former OCR Investigator Deepali Doddi and Clearwater CEO Bob Chaput, presented on 09/26/2017.

For the latest information and to take advantage of interacting with our subject matter experts, we invite you to attend one of our live webinars.


In determining that 9 out of 10 organizations are failing to meet very fundamental HIPAA information risk analysis requirements, OCR has cited these top 5 root causes for the adverse findings:

  • The risk analysis was not asset-based – it did not cover all systems / apps / technology that create, receive, maintain or transmit ePHI
  • The risk analysis was not comprehensive enough – it did not include every information asset in every line of business in every facility in every location
  • The risk analysis was not detailed enough – it did not consider every asset-threat-vulnerability scenario
  • The risk analysis did not follow HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” – instead, it was just a controls checklist
  • The risk analysis was not documented well enough – there was insufficient evidence of a vibrant program

The challenge organizations are facing is how to conduct an accurate and comprehensive HIPAA Risk Analysis that includes all information assets in all lines of business in all facilities and in all locations. The number of asset-threat-vulnerability triples is overwhelming. Risk analyses cannot be performed efficiently and effectively with spreadsheets, and an accurate and comprehensive risk analysis is certainly not a matter of using a controls checklist.


View this recorded web event and learn a step-by-step methodology based on OCR and NIST guidance, aided by award-winning software. Clearwater is the best in the world at conducting OCR-quality risk analyses and risk management and has earned numerous awards and recognition, including the exclusive endorsement of the American Hospital Association. While OCR cannot endorse commercial organizations, Clearwater is a well-known and proven risk management partner in the eyes of OCR.

What some of the attendees had to say about the live web event:

Presenting the 2017 settlements was a valuable reminder of how important risk assessments are to this whole process.
Privacy Officer
I found the most value around the emphasis on the scope requirements of a Risk Assessment, with supporting examples and attention to granularity.
Chief Compliance Officer
It’s great to hear from subject matter experts and knowledgeable insiders like Leon. This was a very good and useful webinar. Thank you!
Chief Technology Officer
All of the concepts you covered were valuable. This will occupy my mind for some time. Thank you all for sharing.
IT Security Analyst
I found the comments and recommendations from Mr. Rodriguez and the reference material throughout the presentation most beneficial.
Manager: Security Audit & Compliance


You Asked | We Answered

We know a Risk Analysis can be daunting. We tried to answer some questions to help you understand. Check out our HIPAA Risk Analysis Blog Series.

About Deepali Doddi and Ice Miller LLP

Deepali Doddi, J.D., CIPP/US

Associate, Ice Miller LLP & Former Investigator, OCR

  • Attorney in Ice Miller’s Data Security and Privacy practice group
  • HIPAA Investigator in HHS OCR’s Chicago regional office for 5+ years
  • Served as lead investigator in several OCR HIPAA enforcement settlements
  • Member: IAPP, AHLA, HCCA
  • University of Notre Dame Law School (2010); B.A., Northwestern University (2007)

Contact us

Contact us today to speak to one of our experts about how Clearwater Compliance can help your organization.