OF DIGITAL INTEREST
OF DIGITAL INTEREST
Legal news and analysis of all things digital
OF DIGITAL INTEREST
Legal news and analysis of all things digital

The Continuing Disconnect between the Health Care Industry and OCR on HIPAA’s Risk Analysis Requirement

By , and on May 6, 2018
Posted In Cybersecurity, Data Privacy, Telehealth

Lack of a sufficient risk analysis continues to be one of the most commonly alleged violations in Office for Civil Rights (OCR) HIPAA enforcement actions, appearing in half of all OCR settlements announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period. Significant confusion remains across the health care industry as to what actually constitutes a compliant risk analysis for purposes of the HIPAA Security Rule. On April 30, 2018 OCR issued guidance discussing the differences between a HIPAA Security Rule risk analysis and a HIPAA compliance “gap analysis.” Drawing from our experience reviewing clients’ historical risk analysis documents, helping clients to navigate OCR investigations and negotiating several recent HIPAA settlements with OCR, we elaborate on what constitutes a compliant HIPAA Security Rule risk analysis, discuss common risk analysis misunderstandings and pitfalls, and encourage covered entities and business associates to consider whether to conduct these reviews under attorney-client privilege.

Continue Reading.

Tags: “gap analysis”, attorney-client privilege, compliant risk analysis, Health Insurance Portability and Accountability Act of 1996, HIPAA, HIPAA Security Rule, OCR, OCR settlements, Office for Civil Rights
David Quinn GaciochDavid Quinn Gacioch
  Dave Gacioch counsels clients across the health care industry and beyond on compliance and risk management issues. He also assists clients in conducting internal investigations and represents them in matters involving government investigations, enforcement actions and civil litigation. Read David Gacioch's full bio.

Amy C. PimentelAmy C. Pimentel
Amy C. Pimentel focuses her practice on privacy and data security and general health law. Her clients operate in a variety of industries, including health care, consumer products, retail, food and beverage, technology, banking and other financial services. Read Amy Pimentel's full bio.

Edward G. ZachariasEdward G. Zacharias
  Edward (Ed) G. Zacharias focuses his practice on complex transactions and regulatory compliance matters. He represents hospitals and health systems, academic medical centers, physician group practices, post-acute care providers, health information technology vendors, biotech companies, insurers, pharmaceutical companies and a variety of other health care entities. Read Edward Zacharias' full bio.

Related Posts

BLOG EDITORS

Stephen W. Bernstein

Marshall E. Jackson, Jr.

Lisa Schmitz Mazur

Michael G. Morgan

Romain Perray

Amy C. Pimentel

Vernessa T. Pollard

STAY CONNECTED

TOPICS

ARCHIVES

Legal Notices  |  Privacy & Cookies Policy

Attorney Advertising © 2020 McDermott Will & Emery

Contact Us: info@mwe.com

Attorney Advertising ©2020 McDermott Will & Emery