Severino: Protecting ePHI Starts With Properly Conducted Risk Analysis

Guarding electronic protected health information (ePHI) under HIPAA begins with a proper risk analysis, and most settlements issued by the HHS Office for Civil Rights (OCR) involve missing or inadequate risk analysis or risk management.

That’s the word from Bob Chaput, executive chairman and founder of the security firm Clearwater, and Roger Severino, former director of OCR and current senior fellow at the Ethics and Public Policy Center, who spoke Sept. 30 at a Clearwater-sponsored webinar focusing on what OCR wants in risk analysis.[1]

According to data compiled by Clearwater, 89% of the 62 ePHI-related cases that resulted in fines from OCR were due to a failure to conduct a quality risk analysis, Chaput said. “When ePHI is involved, the security rule applies, and therefore, with the security rule applying, risk analysis and risk management implementation specifications are examined by OCR,” Chaput explained. “The 89% basically represents that 55 of those 62 organizations in the ePHI cases had adverse findings.”

Out of the 48 OCR settlements and civil monetary penalties that occurred during Severino’s tenure, 26 involved ePHI events, Chaput said. A total of 85% of the corrective action plans included in the settlements of these incidents required risk analysis, and 73% of the CAPs required organizations to implement risk management plans and processes, the Clearwater analysis found.

In addition, nearly 90% of the settlement funds collected during Severino’s tenure as OCR director—$56.2 million out of $63.5 million total—was related to risk analysis and risk management events, Chaput said.

This document is only available to subscribers. Please log in or purchase access.
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field