May 2, 2018

The Continuing Disconnect between the Health Care Industry and OCR on HIPAA's Risk Analysis Requirement

David Quinn Gacioch, Edward G. Zacharias, Amy C. Pimentel

The HIPAA Security Rule has long required every Covered Entity (CE)—and since September 2013, every Business Associate (BA)—to conduct a Risk Analysis.1 And yet, lack of a sufficient Risk Analysis continues to be one of the most commonly alleged violations in the US Department of Health and Human Services (HHS) Office for Civil Rights' (OCR's) HIPAA enforcement actions, appearing in half of all the settlements OCR has announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period.2 In the same vein, OCR recently announced that its Phase 2 Audits of CEs and BAs conducted during 2016‒2017 yielded the following results with respect to the Risk Analysis requirement:

Rating | % of Audited