The HIPAA Security Rule has long required every Covered Entity (CE)—and since September 2013, every Business Associate (BA)—to conduct a Risk Analysis.1 And yet, lack of a sufficient Risk Analysis continues to be one of the most commonly alleged violations in the US Department of Health and Human Services (HHS) Office for Civil Rights' (OCR's) HIPAA enforcement actions, appearing in half of all the settlements OCR has announced in the last 12 months and in almost all of the $1 million-plus settlements during that time period.2 In the same vein, OCR recently announced that its Phase 2 Audits of CEs and BAs conducted during 2016‒2017 yielded the following results with respect to the Risk Analysis requirement:

In more familiar terms, OCR's auditors gave no Covered Entity an "A" on the Risk Analysis requirement, and only 14% of the Covered Entity class received a "B." Fully a third of the Covered Entity class received a "D," and another fifth of the Covered Entity class received an "F" (totaling more than half of audited Covered Entities falling below a "C"). The results for Business Associates were similarly discouraging. Our personal experience in defending OCR investigations and negotiating several recent HIPAA settlements has been similar, with OCR frequently rejecting as insufficient risk analyses that clients had paid expert consultants (including other law firms and Big Four accounting firms) hundreds of thousands of dollars to design or conduct.

There remains significant confusion across the health care industry and among the professional advisors who support it as to what actually constitutes a Risk Analysis for purposes of the HIPAA Security Rule—confusion for which HHS is at least partly responsible. Indeed, on April 30, 2018, as we were finalizing this article, OCR issued its latest Cybersecurity Newsletter, titled "Risk Analyses vs. Gap Analyses – What is the difference?" which aims to address some of that confusion.3

This article discusses the distinction between a HIPAA Security Rule Risk Analysis and a HIPAA compliance gap analysis, reviews OCR's historical guidance on conducting a compliant Risk Analysis, and encourages CEs and BAs to consider carefully whether to conduct these reviews under attorney-client privilege. This distinction is critical for many reasons, not least of which is the fact that, in the enforcement context, OCR typically treats a CE's or BA's alleged failure to conduct an adequate Risk Analysis as at least a $1,000 per-day violation, spanning up to six years.


1 45 CFR § 164.308(a)(1)(ii)(A); 68 Fed. Reg. 8,334 (Feb. 20, 2003); 78 Fed. Reg. 5,589 (Jan. 25, 2013).


3 The newsletter was emailed to OCR's security distribution list, to which one can subscribe at An archive of prior newsletters is available at:


The Continuing Disconnect Between The Health Care Industry And OCR On HIPAA's Risk Analysis Requirement
