HIPAA Risk Analysis Tip – OCR CAP Data: Learn Why 9 of 10 Organizations Fail
There are plenty of ways to squander several million dollars, but none quite as frustrating as forking over those hefty sums to HHS’s Office for Civil Rights (OCR). In each of these recent cases, MAPFRE Life ($2.20MM), St. Joseph’s Health ($2.1MM), Advocate ($5.6MM), University of Mississippi Medical Center ($2.8MM) and Oregon Health and Science University ($2.7MM), the organizations were found not to have completed a HIPAA Risk Analysis that meets OCR’s increasing ‘standard of care’.
OCR’s press releases contain increasingly strong language from director Jocelyn Samuels. For example:
“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well.”
“OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”
“Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this (risk analysis) was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.”
OCR has now reached 45 settlement agreements and Corrective Action Plans (CAPs), and the pace is accelerating. There were 13 in 2016, and two already this year. Samuels’ office has imposed civil monetary penalties in only two cases, so we’ve yet to see the full fury of the CMP system.
Of the 35 settlement cases involving ePHI, 32 organizations had adverse findings related to risk analysis. That’s a shocking 91% that totally failed to do risk analysis properly.
In nine out of ten cases where OCR brought the hammer down, the underlying cause was an epic failure in risk analysis – something that’s totally preventable. The top reasons why organizations are failing to meet OCR’s standards are:
- The risk analysis is not comprehensive enough; it does not include every information asset in every line-of-business in every facility in every location
- The risk analysis is not detailed enough; it does not consider every asset-threat-vulnerability scenario or ‘triple’ as a risk that needs to be analyzed
- The organization is not following published OCR/NIST guidance; among other misses, it does not include the 9 essential elements of a bona fide risk analysis required by OCR
- The organization does not provide enough documentation; there is no evidence of a vibrant, ongoing information risk management program
No covered entity wants to see millions of dollars, or more, go down the drain so needlessly.
The solution: Let Clearwater complete a Confidential, Complimentary Review of your current risk analysis and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis. We are the best in the world at doing so!
By Bob Chaput, January 28, 2017