Lack of a sufficient risk analysis continues to be one of the most commonly alleged violations in Office for Civil Rights (OCR) HIPAA enforcement actions, appearing in half of all OCR settlements announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period. Significant confusion remains across the health care industry as to what actually constitutes a compliant risk analysis for purposes of the HIPAA Security Rule. On April 30, 2018 OCR issued guidance discussing the differences between a HIPAA Security Rule risk analysis and a HIPAA compliance “gap analysis.” Drawing from our experience reviewing clients’ historical risk analysis documents, helping clients to navigate OCR investigations and negotiating several recent HIPAA settlements with OCR, we elaborate on what constitutes a compliant HIPAA Security Rule risk analysis, discuss common risk analysis misunderstandings and pitfalls, and encourage covered entities and business associates to consider whether to conduct these reviews under attorney-client privilege.
The Continuing Disconnect between the Health Care Industry and OCR on HIPAA’s Risk Analysis Requirement
Amy C. PimentelAmy C. Pimentel focuses her practice on privacy and data security and general health law. Her clients operate in a variety of industries, including health care, consumer products, retail, food and beverage, technology, banking and other financial services. Read Amy Pimentel's full bio.
David Quinn GaciochDave Gacioch counsels clients across the health care industry and beyond on compliance and risk management issues. He also assists clients in conducting internal investigations and represents them in matters involving government investigations, enforcement actions and civil litigation. Read David Gacioch's full bio.
Edward G. ZachariasEdward (Ed) G. Zacharias focuses his practice on complex transactions and regulatory compliance matters. He represents hospitals and health systems, academic medical centers, physician group practices, post-acute care providers, health information technology vendors, biotech companies, insurers, pharmaceutical companies and a variety of other health care entities. Read Edward Zacharias' full bio.
Related Posts
- Recent $2.5 Million OCR Settlement Is a Warning to Wireless Health Service Providers
- Pressure Points: OCR Enforcement Activity in 2014
- Just in Time for the Holidays: Another HIPAA Settlement
- Future Forward: Data Arrangements During and After COVID-19
- Digital Health Year in Review: 2017 Trends and Looking Ahead to 2018
STAY CONNECTED
TOPICS
ARCHIVES
RECENT POSTS
- Final Episode | Markets Under Pressure Strategies for Restructuring and Risk Management
- Episode Two | Managing Capitalization Structures and Investor Relationships in Today’s Digital Health Market
- Episode One | Workforce Management Solutions in an Uncertain Economic Environment
- Navigating Volatile Markets in the Digital Health Ecosystem | Introduction – What to Consider
- 2021 Digital Health Year in Review
