URMC CAP Includes Keeping Risk Analysis Fresh

The University of Rochester Medical Center (URMC) recently entered into a $3 million settlement agreement and corrective action plan (CAP) with the HHS Office for Civil Rights (OCR).[1] It was one of three enforcement actions OCR announced in November.

The CAP requires URMC to conduct an “accurate and thorough” risk analysis and develop and implement a management plan to address risks and vulnerabilities.[2] But OCR doesn’t want it to get too far into the process without OCR oversight.

Specifically, URMC must first submit a “statement of work” for the conduct of the analysis, which is to address the “vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by URMC.” This is due to OCR by the end of February (90 days from the effective date of the settlement). The two sides intend to “meet and confer in good faith” if OCR asks URMC to revise the statement of work.
