Lack of a sufficient risk analysis continues to be one of the most commonly alleged violations in Office for Civil Rights (OCR) HIPAA enforcement actions, appearing in half of all OCR settlements announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period. Significant confusion remains across the health care industry as to what actually constitutes a compliant risk analysis for purposes of the HIPAA Security Rule. On April 30, 2018, OCR issued guidance discussing the differences between a HIPAA Security Rule risk analysis and a HIPAA compliance “gap analysis.” Drawing from our experience reviewing clients’ historical risk analysis documents, helping clients navigate OCR investigations and negotiating several recent HIPAA settlements with OCR, we elaborate on what constitutes a compliant HIPAA Security Rule risk analysis, discuss common risk analysis misunderstandings and pitfalls, and encourage covered entities and business associates to consider whether to conduct these reviews under attorney-client privilege.
The Continuing Disconnect between the Health Care Industry and OCR on HIPAA’s Risk Analysis Requirement

Amy C. Pimentel focuses her practice on privacy and data security and general health law. Her clients operate in a variety of industries, including health care, consumer products, retail, food and beverage, technology, banking and other financial services.

Dave Gacioch counsels clients across the health care industry and beyond on compliance and risk management issues. He also assists clients in conducting internal investigations and represents them in matters involving government investigations, enforcement actions and civil litigation.

Edward (Ed) G. Zacharias focuses his practice on complex transactions and regulatory compliance matters. He represents hospitals and health systems, academic medical centers, physician group practices, post-acute care providers, health information technology vendors, biotech companies, insurers, pharmaceutical companies and a variety of other health care entities.