This entry is part 49 of 49 in the series HIPAA Security Risk Analysis Tips

HIPAA Risk Analysis Tip – OCR CAP Data: Learn Why 9 of 10 Organizations Fail

There are plenty of ways to squander several million dollars, but none quite as frustrating as forking over those hefty sums to HHS’s Office for Civil Rights (OCR). In each of these recent cases, MAPFRE Life ($2.2MM), St. Joseph’s Health ($2.1MM), Advocate ($5.6MM), University of Mississippi Medical Center ($2.8MM) and Oregon Health and Science University ($2.7MM), the organization was found not to have completed a HIPAA Risk Analysis that meets OCR’s rising ‘standard of care’.

OCR’s press releases contain increasingly strong language from Director Jocelyn Samuels. For example:

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well.”

“OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”

“Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this (risk analysis) was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.”

OCR has now reached 45 settlement agreements and Corrective Action Plans (CAPs), and the pace is accelerating: there were 13 in 2016, and two already this year. Samuels’ office has imposed civil monetary penalties in only two cases, so we have yet to see the full force of the CMP system.

Of the 35 settlement cases involving ePHI, 32 organizations had adverse findings related to risk analysis. That is a shocking 91% (32 of 35) that failed to do risk analysis properly.

In nine out of ten cases where OCR brought the hammer down, the underlying cause was a failure in risk analysis, something that is entirely preventable. The top reasons organizations fail to meet OCR’s standards are:

  1. The risk analysis is not comprehensive enough; it does not cover every information asset in every line of business in every facility in every location
  2. The risk analysis is not detailed enough; it does not treat every asset-threat-vulnerability scenario, or ‘triple’, as a distinct risk that needs to be analyzed
  3. The organization is not following published OCR/NIST guidance; among other misses, it does not include the 9 essential elements of a bona fide risk analysis required by OCR
  4. The organization does not provide enough documentation; there is no evidence of a vibrant, ongoing information risk management program

No covered entity wants to see millions of dollars or more go down the drain this needlessly.

The solution: Let Clearwater complete a Confidential, Complimentary Review of your current risk analysis and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis. We are the best in the world at doing so!


Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.