In September 2017, OCR shared preliminary results of its Phase 2 nationwide HIPAA audits.
As they relate to HIPAA Security Risk Analysis and Management, the results were pretty shocking.
OCR reported that 83% of those audited had a score of "inadequate" or "failure" on their performance of an information security risk analysis, while 94% had a score of "inadequate" or "failure" on their efforts to establish or maintain an information security risk management plan.
A couple of months ago, OCR announced its $3.5 million settlement with Fresenius Medical Care North America (FMCNA). The main reason cited by OCR was that Fresenius "failed to heed HIPAA's risk analysis and risk management rules." OCR Director Roger Severino had some very clear and strong words about the importance of performing a HIPAA Security Risk Analysis.
He said, "The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity. Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients' health information in accordance with the law."
HIPAA enforcement is on the rise. The primary enforcement body is the U.S. Health and Human Services (HHS) Office for Civil Rights (OCR).
OCR has warned that the most common HIPAA compliance error it consistently sees is failure to perform an adequate HIPAA Security Risk Analysis. If a health care organization participated in Meaningful Use or MACRA (the Medicare Access and CHIP Reauthorization Act of 2015), it is required to certify annually that it has performed a HIPAA Security Risk Analysis.
Even if an organization did not participate in these programs, if it is required to comply with HIPAA then it needs to perform this analysis periodically.