OCR Announces Risk Analysis Initiative

The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), which enforces HIPAA, recently announced a new enforcement initiative, the Risk Analysis Initiative, in conjunction with OCR’s seventh enforcement action stemming from a ransomware event. OCR explained, “This enforcement initiative was created to focus select investigations on compliance with the HIPAA Security Rule Risk Analysis provision, a key Security Rule requirement, and the foundation for effective cybersecurity and the protection of electronic protected health information (ePHI).”

Compliance with the Security Rule and the Risk Analysis provision has been a consistent OCR enforcement priority for years, as well as an area in which OCR has routinely found provider deficiencies. At its core, the Security Rule requires that organizations implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The Risk Analysis provision further requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that is specifically tailored for the covered entity or business associate itself. While OCR has acknowledged that compliance is not intended to be a one-size-fits-all directive, this new initiative puts the spotlight on the need for covered entities and business associates to review their compliance endeavors and consider where to focus limited resources.

As noted in OCR’s announcement, “Ransomware and hacking are the primary cyberthreats in health care. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks.” As providers of all sizes increasingly adopt digital platforms, tools, and devices, including electronic medical records, telehealth services, and patient portals, system vulnerabilities and other cybersecurity risks are no longer the concern of only large healthcare organizations. Accordingly, all covered entities, both large and small, should consider:

  • Where is ePHI created, held, stored, or transmitted within the organization?
  • Which employees, vendors, contractors, or consultants within and outside of the organization have “touchpoints” with ePHI?
  • What are the potential threats that could compromise ePHI from a physical, technological, or policy/process standpoint?

This new Risk Analysis Initiative aligns with and underscores the seriousness of OCR’s position that adequate identification and remediation of threats and vulnerabilities to ePHI is not only essential to the protection of such information but also a critical HIPAA compliance requirement. OCR noted in its announcement that the Risk Analysis Initiative was created “to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.” Based on OCR’s record under its other HIPAA enforcement initiative (the Right of Access Initiative, which was announced in 2019 and under which OCR recently announced its 50th action), the industry should expect redoubled focus from OCR on Risk Analysis compliance. For more information, please contact AGG Healthcare partners Lanchi Bombalier or Madison Pool.