This entry is part 35 of 60 in the series HIPAA Security Risk Analysis Tips

Beware of Freshly-Minted, Self-Proclaimed HIPAA Risk Analysis Companies!  There is still great focus on completing the foundational risk analysis required at 45 CFR §164.308(a)(1)(ii)(A).  Here’s today’s big TIP — Select Your Risk Analysis Solution and Provider Very Carefully.  Download our HIPAA Risk Analysis Buyer’s Guide Checklist.

harnessing risk starts with a bona fide risk analysis

HIPAA Risk Analysis Tip – HIPAA Risk Analysis Buyer’s Guide Checklist

Just returning from the 2013 International Association of Privacy Professionals (IAPP) Global Privacy Summit in DC last week, we were privileged to hear the very latest updates from Office for Civil Rights (OCR) officials Director Leon Rodriguez, Deputy Director Sue McAndrew and leaders Linda Sanches and Verne Rinker.  The presentations made by the OCR officials at the 2013 IAPP Global Privacy Summit focused on Omnibus Final Rule changes and the summary information from the 2012 OCR HIPAA Audit Program.

In both cases, as well as in discussions about the future of the HITECH-mandated audits of Covered Entities and Business Associates, the importance of completing a bona fide HIPAA Risk Analysis was underscored. The 2012 OCR HIPAA Audit findings included a determination that, where Covered Entities did have performance audit gaps (not all 115 did), the failure to have completed a risk analysis was pervasive:

  • 47 of 59 Providers audited failed to complete an authentic HIPAA Risk Analysis
  • 20 of 35 Payors audited failed to complete an authentic HIPAA Risk Analysis
  • 2 of 7 Clearinghouses failed to complete an authentic HIPAA Risk Analysis

As had been indicated in previous public speeches and interviews by OCR officials, they all once again emphasized the importance of completing this core Security Rule requirement and indicated the possibility of risk analyses becoming the area of focus for the next round of audits, this time including Business Associates as well as Covered Entities.  That focus on HIPAA Risk Analysis is no surprise since, to date, every Settlement Agreement/Corrective Action Plan entered into by the OCR cites failure to do a real HIPAA risk analysis.

Download HIPAA Risk Analysis Buyer’s Guide Checklist

We are often asked, “How do I go about selecting a reputable firm to complete a bona fide HIPAA Security Risk Analysis?”  This HIPAA Risk Analysis Buyer’s Guide Checklist is an easy-to-use tool to assist you in comparing alternative solutions and making your selection.

Other Help Getting Started With Your Bona Fide HIPAA Risk Analysis

Over the years, we’ve helped hundreds of organizations complete their HIPAA Risk Analysis. Please benefit from our HIPAA Risk Analysis expertise by:



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.