OCR Doubles Down: Risk Analysis Now a Key Enforcement Priority

Is Your Organization an Attractive Target for Cybercriminals?

Office for Civil Rights (OCR) Director Melanie Rainer wants you to consider this question seriously. Speaking at the Safeguarding Health Information 2024 Summit on October 23-24, she remarked, “Oftentimes when we start to investigate and look under the covers, it was the case that HIPAA was not being followed and basic things like a risk analysis or risk management aren’t being performed, therefore making your organization an attractive target.”

This concern highlights why OCR recently launched its new Risk Analysis Enforcement Initiative.

A risk analysis is a required provision under the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A). Without conducting a proper risk analysis, an organization is unlikely to identify the risks and vulnerabilities affecting the confidentiality, integrity, and availability of electronic protected health information (ePHI), leaving itself vulnerable to attacks. Also, once risks are identified, they must be managed and reduced to an acceptable level.

OCR’s investigations into major data breaches have frequently revealed that many HIPAA-regulated entities are not conducting risk analyses adequately. Most either skip the risk analysis entirely, conduct it infrequently, or perform incomplete assessments.

This high frequency of violations and the significant impact of failing to conduct comprehensive risk analyses prompted OCR to make risk analysis a top priority in its enforcement of HIPAA compliance. “If you look at any of our enforcement work online, any of the cases in our press releases, risk analysis, four out of five times, is one of the elements that is flagged in those enforcement actions because it is not being prioritized,” Rainer said.

OCR’s increased enforcement is already evident:

In one notable case, the Bryan County Ambulance Authority in Oklahoma suffered a ransomware attack on November 24, 2021, which resulted in the encryption of files containing the electronic protected health information (ePHI) of 14,273 patients. OCR was notified of the breach in June 2022 and subsequently launched an investigation. The findings revealed that Bryan County Ambulance Authority had never conducted a risk analysis, a significant oversight that led to a financial penalty. OCR reached a $90,000 settlement with the authority, which included a corrective action plan (CAP) and compliance monitoring for a three-year period.

Under the CAP, Bryan County must conduct a thorough risk analysis, share the results with OCR, and provide a full inventory of all electronic devices, data systems, off-site storage locations, and applications that store or process ePHI. The organization is also required to perform an annual risk analysis and establish an enterprise risk management plan to address and minimize identified vulnerabilities. In addition, comprehensive policies and procedures for HIPAA compliance must be developed, shared with all relevant employees, and reinforced through training, with written confirmation from each staff member who accesses ePHI. OCR will receive quarterly reports on any violations to ensure compliance.

This enforcement action marks OCR’s 11th HIPAA financial penalty in 2024 and the 7th penalty related to a ransomware incident. To date, OCR has collected over $7 million in HIPAA fines this year—exceeding the total amount collected in 2022 and 2023 combined.

Helping You Meet OCR Expectations and Build a Stronger Cyber Risk Management and Compliance Program

Mitigating cyber incidents starts with understanding where your risks lie. Yet, many organizations only conduct limited, point-in-time risk analyses, leaving them vulnerable to gaps in compliance. As OCR’s recent actions highlight, the consequences of overlooking comprehensive risk analysis are becoming more severe. To prevent ransomware attacks, avoid breaches, and stay compliant, an ongoing risk analysis and response program is essential. Conducting a risk analysis that meets OCR standards requires:

  • The right expertise and skill sets
  • Sufficient resources
  • A detailed, effective process
  • Advanced technology to support the work

Feeling overwhelmed? We’re here to help.

At Clearwater, we equip your organization with:

  • Skilled risk analysts with extensive healthcare experience
  • The human capital to execute and sustain your program over time
  • A comprehensive process to analyze all assets with ePHI and respond to identified risks
  • A robust software platform to streamline, automate, and drive the workflow

We are proud to note our clients’ 100% success rate when submitting a risk analysis conducted in partnership with Clearwater to OCR.

Increasingly, healthcare organizations are subscribing to Clearwater’s ClearConfidence program which is designed to address the exact challenges that have recently led other organizations to face costly OCR penalties. Developed in collaboration with our Health System and Integrated Delivery Network (IDN) clients, ClearConfidence is a comprehensive, enterprise-wide managed services solution that goes beyond traditional compliance, offering continuous security and resilience.

This program is structured to align closely with OCR Guidance and NIST Risk Management standards, ensuring that every aspect of your risk analysis strategy is rigorously evaluated and managed according to the best practices. ClearConfidence systematically identifies and addresses risks for all assets containing electronic protected health information (ePHI), helping healthcare organizations maintain a proactive stance against cybersecurity threats, so you’re not left vulnerable or non-compliant.

ClearConfidence also solves a common pain point in risk management: administrative inefficiency. By streamlining processes, the program reduces time and overhead, allowing healthcare teams to achieve more with fewer resources. Executed over a three-year period, ClearConfidence adapts to each organization’s strategic goals, priorities, and available resources, offering a flexible yet thorough approach to security and compliance.

Ready to take the next step? Schedule an appointment today to speak with one of our professionals and learn how ClearConfidence can elevate your risk management and compliance program and keep your organization out of OCR’s crosshairs.
