Hethcoat Quoted on OCR Enforcement of HIPAA Security Risk Analysis Requirement

Health Care Compliance Association

Counsel Gayland Hethcoat was quoted on the US Department of Health and Human Services Office for Civil Rights’ (OCR) Risk Analysis Initiative and its heightened enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule risk analysis requirement to prevent data breaches.

“In most of the Risk Analysis Initiative enforcement actions to date, the CE [covered entity] or BA [business associate] suffered a ransomware attack, which resulted in a large-scale breach of ePHI [electronic protected health information] that the CE or BA reported to OCR,” Gayland said. “During its investigation in these cases, OCR determined that the CE or BA failed to conduct a sufficient risk analysis (if at all).”

He added, “OCR’s position is that compliance with the risk analysis requirement is the linchpin to preventing these breaches. If an organization does not understand the risk environment, attacks by threat actors are bound to occur.”

Gayland noted that OCR expects organizations to maintain detailed documentation of their risk analyses.

“Many organizations provide only summary reports or fail to retain documentation for the required period (typically six years), which is insufficient for demonstrating compliance during an audit or investigation,” he said.

Organizations also frequently mistake a HIPAA compliance gap assessment for a risk analysis.

“While both are important, a gap assessment identifies compliance shortfalls, whereas a risk analysis is a security-focused evaluation of threats and vulnerabilities to ePHI,” Gayland said.

In reference to a recent settlement in which a behavioral health provider paid $225,000 to OCR to resolve allegations that it did not conduct a sufficient risk analysis, Gayland noted that “this case underscores that even in enforcement actions that are not labeled part of the Risk Analysis Initiative, OCR often finds that the underlying cause of a breach or noncompliance is the lack of a proper risk analysis or failure to act on its findings.”

Read the full article here. (Subscription required)

For additional analysis of the HIPAA Risk Analysis Initiative, read our alert here.
