Have You Conducted Your Annual Risk Assessment?
When the OCR shared the results of its national Phase 2 HIPAA Audits, which focused on HIPAA Security Risk Analysis and Management, the results were shocking. OCR reported that 83% of organizations audited had a score of "inadequate" or "failure" on their information security risk analysis. What’s worse, 94% of organizations had a score of "inadequate" or "failure" on establishing or maintaining an information security risk management plan.
And yet, when the OCR announces their settlements, they often cite “failure to perform a Security Risk Assessment” as the main reason for non-compliance.
OCR Director Roger Severino has had some very clear, and strong, words about the importance of performing a HIPAA Security Risk Analysis. To wit: "The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients' health information in accordance with the law."
It’s clear the OCR believes every covered entity should be conducting regular assessments of their organizations. Yet many organizations don’t know just how to navigate the complexity that is HIPAA. Which is why we created this on-demand, Getting Out in Front of Your Annual Risk Assessment, where we help you to:
- Learn from the Mistakes of Some Recent OCR Fines
- Understand HIPAA Security Risk Analysis Requirements
- See How You Can Perform Your Own Risk Analysis
- Remediate the Findings from Your Analysis