The Office for Civil Rights (OCR) has decided enough is enough. As a result, it has laid down the gauntlet. Conduct a bona fide security risk analysis, or else!

Risk management must come before compliance

Newly named OCR Director Jocelyn Samuels recently spelled out the agency’s stance on risk analysis at the annual HIPAA conference sponsored by OCR and the National Institute of Standards and Technology. Explaining that the agency continues to see a lack of comprehensive, enterprise-wide risk analysis and risk management, Samuels was clear in saying that “enforcement is a critical part of our arsenal of tools to ensure compliance.”

In her remarks, Samuels explained that monetary settlements and other enforcement activity send “an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”

Are you in the firing line?

Clearwater has been saying for quite a while that it’s just as important for your organization to show a good-faith effort in identifying and managing risks to protected health information as it is to respond effectively once a breach has occurred. OCR has become increasingly focused on evaluating how organizations are complying in this area, after a string of audit and investigation findings continued to suggest that most are not doing enough.

In simple terms, the days of checking a box on conducting a risk analysis are over. Most organizations need to pressure-test their approaches to risk assessment and workforce training, both of which are key to effectively managing risk and avoiding adverse events.

It’s not all bad

The good news is that with clear expectations from OCR, organizations have a clear picture of what they need to do to stay in good graces with federal regulators. An added bonus of OCR’s laser focus on risk analysis and risk management is that it will force many organizations to adopt better processes, which will lead to better business and clinical outcomes, as well as a higher success rate in protecting the privacy of the patients they serve. In the end, they’ll be glad they delivered against OCR’s requirements for more reasons than one.

So, don’t know where to start? Even more good news! Below are some helpful resources from Clearwater Compliance:


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.