The Office for Civil Rights (OCR) has decided enough is enough. As a result, it has thrown down the gauntlet. Conduct a bona fide security risk analysis, or else!
Risk management must come before compliance
Newly named OCR Director Jocelyn Samuels recently spelled out the agency’s stance on risk analysis at the annual HIPAA conference sponsored by OCR and the National Institute of Standards and Technology. Explaining that the agency continues to see a lack of comprehensive, enterprise-wide risk analysis and risk management, Samuels was clear in saying that “enforcement is a critical part of our arsenal of tools to ensure compliance.”
In her remarks, Samuels explained that monetary settlements and other enforcement activity send “an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously.”
Are you in the firing line?
Clearwater has long maintained that it’s just as important for your organization to show a good-faith effort in identifying and managing risks to protected health information as it is to respond effectively once a breach has occurred. OCR has become increasingly focused on evaluating how organizations are complying in this area, after a string of audit and investigation findings continued to suggest most are not doing enough.
In simple terms, the days of checking a box on conducting a risk analysis are over. Most organizations need to pressure test their approaches to risk assessment and workforce training, both of which are key to effectively managing risk and avoiding adverse events.
It’s not all bad
The good news is that with clear expectations from OCR, organizations have a clear picture of what they need to do to stay in the good graces of federal regulators. An added bonus of OCR’s laser focus on risk analysis and risk management is that it will force many organizations to adopt better processes, which will lead to better business and clinical outcomes, as well as a higher success rate for protecting the privacy of the patients they serve. In the end, they’ll be glad they delivered against OCR’s requirements for more reasons than one.
Don’t know where to start? Even more good news! Below are some helpful resources from Clearwater Compliance:
- Jumpstart your efforts by attending a Clearwater Information Risk Management BootCamp™.
- Sign up for one of our complimentary best practices webinars with industry experts.
- Subscribe to our newsletter for a robust summary of the latest information risk management news.