5 Mistakes Covered Entities and Business Associates Made During a Security Risk Analysis
- March 2, 2021
In December 2020, the Office for Civil Rights (OCR) published the 2016-2017 HIPAA Audits Industry Report results. According to the report, Covered Entities (CE) and Business Associates (BA) continue to struggle with Risk Analysis and Risk Management.
Of the 166 CE’s and BA’s the OCR audited, only a small percentage were compliant with conducting a Security Risk Analysis (SRA) that meets the requirements outlined in the security rule (14% of CEs and 17% of BAs).
The five things entities failed to do during a security risk analysis include:
- Identify and assess the risks to all of the electronic protected health information (ePHI) in their possession
- Develop and implement policies and procedures for conducting a risk analysis
- Identify threats and vulnerabilities, consider their potential likelihoods and impacts, and rate the risk to ePHI
- Review and periodically update a risk analysis in response to changes in the environment and operations, security incidents, or the occurrence of a significant event
- Conduct risk analyses consistent with policies and procedures
The report enhances industry awareness of compliance obligations and improves how protected health information (PHI) is secured. Organizations without a robust SRA and procedures for adequately safeguarding PHI are at risk of data loss and corruption. CEs and BAs will be held liable for damages that result from not addressing weaknesses that an SRA can identify.
SRAs discover potential risks within the organization’s network, web, mobile, cloud, virtual, and IoT infrastructure. Conducting a thorough SRA will also address any deficiencies in compliance policies, physical and technical safeguards, and disaster mitigation strategies.