In 2017, when the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), shared the results of its national Phase 2 HIPAA Audits, the findings were shocking. The OCR audit, which focused on HIPAA Security Risk Analysis and Management, reported that a whopping 83% of the organizations audited received a score of "inadequate" or "failure" on their information security risk analysis. Worse still, 94% of organizations received a score of "inadequate" or "failure" on establishing or maintaining an information security risk management plan.
During Phase 2 of the audits, OCR conducted some 166 audits of covered entities (103 of which were for Privacy and Breach, 63 for Security) and another 41 audits of business associates. These audits should not have come as a surprise, since OCR announces its intent to conduct each phase of its audits. And yet, when OCR announces its settlements, it often cites "failure to perform a Security Risk Assessment" as the main reason for non-compliance.
OCR Director Roger Severino has had some very clear, and strong, words about the importance of performing a HIPAA Security Risk Analysis, saying: "The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients' health information in accordance with the law."
In January 2017, OCR announced plans to expand the scope of its audits to include on-site audits. This means Phase 3 of OCR's audits will include auditors who may show up, unannounced, at your place of business to review your HIPAA policies and practices.
Clearly, OCR continues to believe that every covered entity (and, we can infer, every business associate) should be conducting regular assessments of its organization, specifically of its HIPAA Privacy and Security posture. Yet many organizations still lack the resources or know-how to navigate the complexity of HIPAA.
As we enter the latter half of 2019, you will likely hear a lot more about how and why you should conduct an annual analysis of the privacy and security measures you have in place. If you lack the knowledge to conduct your own 2019 HIPAA Risk Analysis, or would simply like a refresher on best practices for conducting one in your organization, check out our webinar, Getting Out in Front of Your Annual Risk Assessment.