
HIPAA Risk Analysis Tip – What Captures OCR’s Attention?

There’s pain in the voices of CISOs who haven’t been able to persuade their executive team to invest in an accurate, thorough, enterprise-wide HIPAA risk analysis and risk management plan.

CEOs too often are willing to take on risk to increase revenue rather than mitigate existing risk to avoid cost. The story goes something like: “We’ll never be chosen for an audit; fewer than 200 organizations have been selected. Even if we do have a breach, it’s unlikely they’ll ever decide to investigate us. There are 1,800 organizations listed on OCR’s wall of shame, in an industry that has over 10,000,000 organizations responsible for protecting PHI. What are the chances?!”

OCR investigations, and the resolution agreements and corrective action plans that follow them, carry ever larger settlement amounts, broad exposure, reputational damage, and ongoing incremental operational cost and distraction. And those enforcement actions are often chosen because the circumstances let OCR make a specific point.

OCR has demonstrated that all types of organizations are subject to enforcement actions.  Examples include:

  • State Universities – Idaho State University and the University of Massachusetts Amherst
  • County government – Skagit County Public Health Department
  • Community Services – Anchorage Community Mental Health Services
  • State Government – Alaska Department for Health and Human Services
  • Private Physician Practices – Cancer Care Group and Phoenix Cardiac Surgery
  • Specialty Services – Massachusetts Eye and Ear Infirmary
  • Research institutions – Feinstein Institute for Medical Research

OCR has demonstrated that all types of regulatory violations are subject to enforcement actions.  Examples include:

  • For a breach affecting fewer than 500 records – Hospice of North Idaho
  • For not filing a required breach report – the first such action following the HITECH Act – BCBST
  • For not reporting breaches in timely manner – Presence Health
  • For lack of institutional oversight – University of Mississippi Medical Center
  • For failure to erase photocopier hard drive – Affinity Health Plan
  • For failure to cooperate – CIGNET
  • Referral from OIG, for marketing without permission – Management Services Organization

OCR has demonstrated that varying trigger events may result in enforcement actions:

  • Nine (9) of the fifty (50) investigations that led to settlement agreements were initiated by complaints.
  • Another four (4) were initiated following news reported in the media.
  • Five (5) others focused on business associates and business associate agreements.
  • Lately, since OCR fixed its tracking system (thanks to OIG’s recommendation), organizations that file multiple breach reports have drawn investigative activity, resulting in settlement agreements with six (6) more organizations.
  • Successful hacks have prompted OCR to examine five (5) organizations’ policies, procedures, and evidence of access monitoring, patching, and social-engineering training; another five (5) were penalized for unencrypted laptops, thumb drives, or mobile devices.

Good news – all the OCR Resolution Agreements / Corrective Action Plans are available for review and learning.

So the short story is that it doesn’t take a big breach, a complex situation, or even a blatant failure for OCR to decide that an enforcement action, and ultimately a resolution agreement and corrective action plan, is in order.

Once OCR is in, if the case involves ePHI, you can be 100% certain it will ask for the risk analysis required by 45 CFR 164.308(a)(1)(ii)(A): the analysis that should have identified the vulnerability the threat exploited and shown that the existing controls and safeguards were insufficient to protect the information. When that analysis wasn’t done, or wasn’t done right, the fines and disruption will follow.
