The Office for Civil Rights (OCR) used a recent settlement with Advocate Health Care to remind Covered Entities and Business Associates why the Risk Analysis is a requirement for HIPAA compliance.

In the press release issued on August 4, the Office for Civil Rights (OCR) outlined Advocate Health Care’s HIPAA-noncompliance settlement. Because of multiple large breaches and related HIPAA violations, Advocate must pay a fee of $5.55 million, which is the largest settlement to date, and adopt a corrective action plan.

The OCR began the investigation in 2013 after Advocate submitted three breach notification reports affecting approximately 4 million individuals combined. During the course of the investigation, the OCR determined that some of the noncompliance dated back to the inception of the HIPAA Security Rule, which was published February 20, 2003. The areas of noncompliance included failing to conduct a thorough risk analysis; failing to implement policies and procedures, as well as facility access controls; failing to physically protect an unencrypted laptop or to encrypt it; and failing to obtain a proper business associate agreement.

OCR Director Jocelyn Samuels stated: “We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”

Performing a Risk Analysis is a specific requirement for covered entities to be HIPAA compliant. It is the basis for the risk management program and for deciding how best to protect electronic Protected Health Information (ePHI). Additionally, based on the information requested in the Phase 2 audits, the OCR expects all covered entities and business associates to have already completed a thorough risk analysis at this point in time.

If you haven’t started or completed your risk analysis, use HIPAAgps’s simple, online system to get started!