How confident are you in your Risk Analysis?


68% of 2012 OCR Phase I Audits


Risk Analysis

We are seeing this more and more:

"OCR has determined that the risk analysis submitted by your organization does not meet the requirement set forth at 45 CFR 164.308(a)(1)(ii)(A)."


OCR’s Phase II Audit Program focus is on:

  • Risk Analysis
  • Risk Management


Get a complimentary, expert second opinion of your risk analysis!

7 out of 10 Organizations Fail to meet OCR’s Standard of Quality on Risk Analysis. Certainty is a click away. Let’s get started!

Start Your Review

Are you concerned that an audit or investigation might return this?

“OCR has determined that the risk analysis submitted by your organization does not meet the requirement set forth at 45 CFR 164.308(a)(1)(ii)(A). Please review OCR’s guidance on the Security Rule’s risk analysis / risk assessment requirement located at For additional information, you may also wish to consult the National Institute of Standards and Technology’s SP 800-30 Rev. 1 “Guide for Conducting Risk Assessments,” located at”

Your Complimentary Review Includes:

This complimentary HIPAA Risk Analysis Methodology Assessment highlights and utilizes the nine essential elements of a bona fide risk analysis as provided in HHS / OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule.

Our independent review is based on the standards laid out in 45 CFR §164.308(a)(1)(ii)(A) in the HIPAA Security Rule and Guidance on Risk Analysis Requirements under the HIPAA Security Rule.

The review will result in a specific scorecard vis-a-vis this standard which OCR uses in its HIPAA Security Rule enforcement actions (e.g., investigations, audits, compliance reviews). Specific recommendations in each of the nine areas will be provided.

This report will enable executives, managers, attorneys and security professionals to reduce the legal, financial and regulatory risks that may result from failure to complete a proper risk analysis. It will identify the difference between a risk analysis, a compliance gap assessment and technical testing, provide examples from OCR investigations and settlements of what regulators expect to see in a risk analysis and risk management plan, and discuss the role of attorneys and client privilege with respect to the risk analysis process.


Key Findings Include:

  • Assessment of whether current form will meet OCR audit, compliance review or investigation standards.
  • Identification of deficiencies found based on HIPAA Security Rule Implementation Specifications and OCR Audit Protocol.
  • Identification of deficiencies found against “9 essential elements” of risk analysis in HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule.”

Why Clearwater?

  1. We’ve performed 100s of risk analyses for 100s of organizations
  2. Our risk analyses have been vetted as part of OCR / OIG / CMS enforcement activities
  3. Our rigorous award-winning approach has the exclusive endorsement of the American Hospital Association