Lack of a sufficient risk analysis continues to be one of the most commonly alleged violations in Office for Civil Rights (OCR) HIPAA enforcement actions, appearing in half of all OCR settlements announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period. Significant confusion remains across the health care industry as to what actually constitutes a compliant risk analysis for purposes of the HIPAA Security Rule. On April 30, 2018 OCR issued guidance discussing the differences between a HIPAA Security Rule risk analysis and a HIPAA compliance “gap analysis.” Drawing from our experience reviewing clients’ historical risk analysis documents, helping clients to navigate OCR investigations and negotiating several recent HIPAA settlements with OCR, we elaborate on what constitutes a compliant HIPAA Security Rule risk analysis, discuss common risk analysis misunderstandings and pitfalls, and encourage covered entities and business associates to consider whether to conduct these reviews under attorney-client privilege.
On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias.
In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR).
OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the company’s draft policies and procedures implementing the standards of the HIPAA Security Rule had never been implemented, and the company was also unable to produce final versions of any policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.