The Continuing Disconnect between the Health Care Industry and OCR on HIPAA’s Risk Analysis Requirement

Lack of a sufficient risk analysis continues to be one of the most commonly alleged violations in Office for Civil Rights (OCR) HIPAA enforcement actions, appearing in half of all OCR settlements announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period. Significant confusion remains across the health care industry as to what actually constitutes a compliant risk analysis for purposes of the HIPAA Security Rule. On April 30, 2018, OCR issued guidance discussing the differences between a HIPAA Security Rule risk analysis and a HIPAA compliance “gap analysis.” Drawing from our experience reviewing clients’ historical risk analysis documents, helping clients navigate OCR investigations and negotiating several recent HIPAA settlements with OCR, we elaborate on what constitutes a compliant HIPAA Security Rule risk analysis, discuss common risk analysis misunderstandings and pitfalls, and encourage covered entities and business associates to consider whether to conduct these reviews under attorney-client privilege.


David Quinn Gacioch
Dave Gacioch counsels clients across the health care industry and beyond on compliance and risk management issues. He also assists clients in conducting internal investigations and represents them in matters involving government investigations, enforcement actions and civil litigation.


Amy C. Pimentel
Amy C. Pimentel focuses her practice on privacy and data security and general health law. Her clients operate in a variety of industries, including health care, consumer products, retail, food and beverage, technology, banking and other financial services.


Edward G. Zacharias
Edward (Ed) G. Zacharias focuses his practice on complex transactions and regulatory compliance matters. He represents hospitals and health systems, academic medical centers, physician group practices, post-acute care providers, health information technology vendors, biotech companies, insurers, pharmaceutical companies and a variety of other health care entities.
