Learn about the three common risk assessment mistakes that cost health care entities hundreds of thousands of dollars in fines.
The absolute largest risk assessment mistake is not conducting one. A risk assessment is required for HIPAA compliance. Oftentimes, covered entities don’t conduct risk assessments, and then, when the Office for Civil Rights (OCR) investigates a large-scale breach, they’re fined a pretty penny.
An example of this occurred when Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to a settlement in 2016 after an investigation that started in April of 2014. CHCS was required to pay $650,000 and conduct a risk assessment.
The second largest mistake is not conducting a full risk assessment. Some organizations will conduct a risk assessment that doesn’t include the full scope of accessible and stored protected health information (PHI).
For example, University of Washington Medicine had to pay $750,000 as part of a HIPAA settlement from a breach that occurred in 2013 due to a partial risk assessment. UW Medicine’s incomplete risk assessment didn’t cover all the entities that had access to PHI. The OCR Director Jocelyn Samuels said, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”
The third largest mistake is not conducting a risk assessment regularly. Many organizations conduct an initial risk assessment and never conduct another. A specific HIPAA requirement is evaluation. This means that an organization must perform periodic evaluations, or risk assessments. While HIPAA does not state a specific timeline, best practice suggests conducting a risk assessment annually or bi-annually, or whenever major changes are made to the organization.
To start your risk assessment, join HIPAAgps today.