ARTICLE
20 November 2024

It's Officially Enforcement Season: OCR Announces First Penalty Under New Risk Analysis Initiative

BakerHostetler

Contributor


Key Takeaways

  • The Office for Civil Rights announced penalties pursuant to its Risk Analysis Initiative that emphasize the importance of the security risk analysis' form and substance.
  • OCR made clear it will not accept off-the-shelf or templated risk analyses from entities or their vendors that do not fully address the nuances of the organization and risk to its ePHI.
  • A risk management plan is a key part of the risk analysis process, and the risk analysis is not complete without the management plan.

Introduction

On October 31, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) embraced the end of Spooky Season by announcing two more ransomware-related enforcement actions. The first enforcement action, involving Plastic Surgery Associates of South Dakota, resolved for $500,000. The second, against Bryan County Ambulance Authority, resolved for $90,000. HIPAA-covered entities should pay special attention to the second resolution, however, as it is a formal introduction to OCR's new Risk Analysis Initiative.

Risk Analysis Initiative: A Closer Look

This is not the first "initiative" from OCR. In the five years since announcing its Right of Access Initiative, OCR has issued 50 enforcement actions under it, and for those keeping score, that is a very high number of fines levied in a very short amount of time. If the Right of Access Initiative is any indication of how OCR will treat this newest initiative, HIPAA-covered entities need to review their risk analyses now rather than waiting for OCR to request a copy during an investigation.

The Risk Analysis Initiative should not come as a surprise to anyone who has been tracking recent OCR commentary on risk analyses. In most enforcement actions, OCR cites covered entities for failing to conduct an accurate and thorough risk analysis of the risks and vulnerabilities to their ePHI. Performing a risk analysis is a required implementation specification under the HIPAA Security Rule, enumerated at 45 CFR § 164.308(a)(1)(ii)(A). In most instances, OCR finds that the "risk analysis" is actually a gap analysis, or that it contains an insufficient inventory of the entity's ePHI.

Security Risk Analysis: What It Is Not

OCR has long stated that there is "no single method or best practice" for conducting a security risk analysis that "guarantees compliance with the Security Rule." Off. of Civ. Rts. U.S. Dept. of Health and Hum. Services, Guidance on Risk Analysis Requirements under the HIPAA Security Rule (2010). Even as recently as the October 2024 joint NIST/HHS conference, Safeguarding Health Information: Building Assurance Through HIPAA Security 2024, OCR took the position that it will not provide a model security risk analysis because each covered entity is unique and each risk analysis should also be unique. At this event, OCR reaffirmed its position that the HHS Security Risk Assessment (SRA) Tool is, on its own, insufficient for conducting a security risk analysis, in part because it does a "bad job" of capturing technical vulnerabilities.

So how will security risk analyses be judged under the new Risk Analysis Initiative? While it may seem that OCR does not have a clear expectation of what it does want, we have a solid understanding of what the agency does not want to see in a review. Through our interactions with OCR and based on OCR's public comments, we've identified the following reasons OCR takes issue with a security risk analysis:

  • The "risk analysis" is really a gap analysis that maps a covered entity's current practices to HIPAA's requirements and assesses whether the requirements have been met.
  • The analysis simply uses the HHS Security Risk Assessment (SRA) Tool with no ePHI asset inventory or technical details.
  • The analysis is based on an assessment under another cybersecurity framework (e.g., NIST, HITRUST) that does not explicitly include an ePHI inventory and threats to that ePHI.

These framework-based assessments and gap assessments, while informative in a full analysis, do not capture the entire spectrum that OCR wants to see in a compliant security risk analysis.

The Importance of a Corresponding Risk Management Plan

The resolution agreements in Plastic Surgery Associates and Bryan County note the importance of developing and documenting a risk management plan that directly relates to the findings in the risk analysis. For our own clients, we've seen the benefits of an integrated approach. Developing risk management plan action items based on realistic and identified threats not only mitigates risks but inherently justifies the additional spending and resource allocation in a specific area.

The Security Risk Analysis and Risk Management Plan Should Be Reviewed at Least Annually

Finally, we expect the Risk Analysis Initiative to continue focusing on the frequency and cadence of risk analysis reviews. It is not uncommon for OCR to request copies of risk analyses and corresponding risk management plans from the previous six years during compliance investigations. Although the requirement is only to conduct a "regular" risk analysis, in practice OCR equates "regularly" with "annually." Outside of an annual review, the 2010 guidance suggests updating the analysis when a covered entity "experience[s] a security incident, has had a change in ownership [or] turnover in key staff or management," or "is planning to incorporate new technology." With the continuing rise in cybersecurity threats and the increased scrutiny on compliance following an M&A transaction, compliance teams should prioritize regular reviews.

Conclusion

While OCR has emphasized the security risk analysis requirement for some time, the elevation to "Risk Analysis Initiative" means we are likely to see increased enforcement. As the October enforcement actions show, OCR will not accept an off-the-shelf, simple checkbox assessment that fails to address the entire environment, and it will flex its enforcement muscle when it does not like what it sees. If it has been more than a year since your last review, you have implemented new technology like AI or you are going through a corporate transaction, it is time to review your security analysis and consider updates to your risk management plan. If you have questions about your approach, please contact Kimi Gordy or your usual BakerHostetler advisor.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
