How confident are you in your Risk Analysis?

We are seeing this more and more:

"OCR has determined that the risk analysis submitted by your organization does not meet the requirement set forth at 45 CFR 164.308(a)(1)(ii)(A)."

Are you concerned that an audit or investigation might return this?

“OCR has determined that the risk analysis submitted by your organization does not meet the requirement set forth at 45 CFR 164.308(a)(1)(ii)(A). Please review OCR’s guidance on the Security Rule’s risk analysis / risk assessment requirement located at For additional information, you may also wish to consult the National Institute of Standards and Technology’s SP 800-30 Rev. 1 “Guide for Conducting Risk Assessments,” located at”

Request Your Review

A Risk Analysis Review Includes:

This HIPAA Risk Analysis Methodology Assessment highlights and utilizes the nine essential elements of a bona fide risk analysis as provided in HHS / OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule.

Our independent review is based on the standards laid out in 45 CFR §164.308(a)(1)(ii)(A) in the HIPAA Security Rule and Guidance on Risk Analysis Requirements under the HIPAA Security Rule.

The review will result in a specific scorecard against this standard, which OCR uses in its HIPAA Security Rule enforcement actions (e.g., investigations, audits, compliance reviews). Specific recommendations in each of the nine areas will be provided.

This report will enable executives, managers, attorneys and security professionals to reduce the legal, financial and regulatory risks that may result from failure to complete a proper risk analysis. It will identify the difference between a risk analysis, a compliance gap assessment and technical testing, provide examples from OCR investigations and settlements of what regulators expect to see in a risk analysis and risk management plan, and discuss the role of attorneys and client privilege with respect to the risk analysis process.

Key Findings Include:

  • Assessment of whether the risk analysis in its current form will meet OCR audit, compliance review or investigation standards.
  • Identification of deficiencies found based on HIPAA Security Rule Implementation Specifications and OCR Audit Protocol.
  • Identification of deficiencies found against the “9 essential elements” of risk analysis in HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule.”

Why Clearwater?

  1. We’ve performed 100s of risk analyses for 100s of organizations
  2. Our risk analyses have been vetted as part of OCR / OIG / CMS enforcement activities
  3. Our rigorous award-winning approach has the exclusive endorsement of the American Hospital Association