The Office for Civil Rights (OCR) has decided enough is enough. As a result, it has laid down the gauntlet. Conduct a bona fide security risk analysis, or else!

Risk management must come before compliance

Newly named OCR Director Jocelyn Samuels recently spelled out the agency’s stance on risk analysis at the annual HIPAA conference sponsored by OCR and the National Institute of Standards and Technology. Explaining that the agency continues to see a lack of comprehensive, enterprise-wide risk analysis and risk management, Samuels was clear in saying that “enforcement is a critical part of our arsenal of tools to ensure compliance.”

In her remarks, Samuels explained that monetary settlements and other enforcement activity send “an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”

Are you in the firing line?

Clearwater has been saying for quite a while that it’s just as important for your organization to show a good-faith effort in identifying and managing risks to protected health information as it is to respond effectively once a breach has occurred. OCR has become increasingly focused on evaluating how organizations are complying in this area, after a string of audit and investigation findings continued to suggest that most are not doing enough.

In simple terms, the days of checking a box for “conducted a risk analysis” are over. Most organizations need to pressure-test their approaches to risk assessment and workforce training, both of which are key to managing risk effectively and avoiding adverse events.

It’s not all bad

The good news is that with clear expectations from OCR, organizations have a clear picture of what they need to do to stay in good graces with federal regulators. An added bonus of OCR’s laser focus on risk analysis and risk management is that it will force many organizations to adopt better processes, which will lead to better business and clinical outcomes, as well as a higher success rate in protecting the privacy of the patients they serve. In the end, they’ll be glad they delivered on OCR’s requirements for more reasons than one.

Don’t know where to start? Even more good news! Below are some helpful resources from Clearwater Compliance:


Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.