Latest round of OCR audits highlights HIPAA risk analysis and risk management shortcomings

John Piotrowski, Senior Consultant, Healthcare Cyber Risk Services, Coalfire

Phase 2 OCR audit summary

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has released its latest report with findings from their 2016 and 2017 series of audits as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)/HITECH Privacy, Security, and Breach Notification Rules (HIPAA Rules).

In all, 166 covered entities (CEs) and 41 business associates (BAs) underwent audits against the HIPAA Rules. While compliance with breach notification and posting of the Notice of Privacy Practices (NPP) was found to rate well, most covered entities came up short in the remaining five areas that were audited. The majority of covered entities did not meet requirements for:

  • Properly safeguarding protected health information (PHI)
  • Ensuring the right of individual access
  • Providing appropriate content in their NPP

And finally, the majority of CEs and BAs failed to adhere to requirements for risk analysis and risk management, despite the findings of the prior set of audits conducted in 2012. Ultimately, over 80% of audit ratings indicated that the entity had not met the compliance requirements for risk analysis and risk management.

Risk analysis and risk management audit background

Now, one may ask, “why are risk analysis and risk management requirements not being met for something that’s been around for a quarter century?” The answer is: there has consistently been a failure to perform a risk analysis as defined in the OCR methodology. OCR has defined a nine-step process and recommends the use of NIST (National Institute of Standards and Technology) information security products to meet the HIPAA Security Rule Implementation Specifications for Risk Analysis and Risk Management. If this first step isn’t taken, then there is a high likelihood that an entity will fall in the 80% of those who don’t meet sufficient HIPAA risk analysis and risk management practices.

The next question will likely be, “Okay, so how do we follow protocol for conducting a risk analysis with merit and maintain an effective, ongoing risk management program moving forward?” First, don’t do what most audited entities have done, which includes:

  • Performing a “check-the-box” analysis that does not adhere to the nine essential elements of an OCR risk analysis.
    • Many entities believe this option to be cost-effective. A more accurate term would be “insufficient.”
  • Assigning risk responsibilities to in-house staff for whom identifying high security risks conflicts with their self-interests. The work can quickly become skewed and cover up legitimate risks.

The above tactics have a history of resulting in financial, operational, and reputational harm. Failure to invest in effective resources in the short term can render costs much higher in the long run.

Additionally, the healthcare industry has an extensive amount of legacy systems and processes that increase attack surfaces from both inside and outside actors. A comprehensive risk management program can make significant inroads into reducing or even eliminating risk that otherwise wouldn’t be discovered without conducting an OCR-ready risk analysis and remediation.

Coalfire risk analysis and risk management methodology

Risk Analysis

A Coalfire risk analysis focuses on providing clients with a defensible, OCR-ready risk analysis and risk management plan that aligns and conforms with the HIPAA Security Rule Standards and Implementation Specifications, including 45 C.F.R. § 164.308(a)(1)(ii)(A) and 45 C.F.R. § 164.308(a)(1)(ii)(B), and with OCR’s “Guidance on Risk Analysis Requirements Under the HIPAA Security Rule.”

Coalfire practices several strategies to differentiate itself from the risk analysis and risk management practices that have been deemed insufficient in four out of every five OCR audits. The comparison below contrasts the practices of the more than 80% of audited entities that fell short (“Other Practices”) with Coalfire’s practices, area by area.

Thorough analysis of threats to PHI
  • Other Practices (>80%): “Check-the-box” assessment of HIPAA Rules requirements
  • Coalfire Practices: In-depth environmental analysis of all PHI assets

Industry best practices for risk analysis methodology
  • Other Practices (>80%): Home-grown processes
  • Coalfire Practices: Finely tuned methodology built on OCR and NIST requirements and standards

Consultant expertise
  • Other Practices (>80%): First- or second-year associate consultants handling other industry verticals
  • Coalfire Practices: Senior consultants with 5+ years specializing in healthcare risk

OCR-ready reports
  • Other Practices (>80%): Unfamiliar with OCR’s nine essential elements of a HIPAA risk analysis
  • Coalfire Practices: Reports accepted by OCR as reasonable and appropriate in addressing Risk Analysis and Risk Management requirements

Partnership in cybersecurity
  • Other Practices (>80%): “One and done” project
  • Coalfire Practices: Multi-year deals with clients that recognize the value added to long-term Information Security Management Programs

Risk Management

Coalfire’s information security risk management methodology assesses the threat environment to determine potential vulnerabilities related to:

  • Administrative Safeguards
  • Technical Safeguards
  • Documentation Controls
  • Physical Safeguards
  • Privacy Safeguards

Coalfire’s approach implements key provisions of the NIST Risk Management Framework (RMF) document compendium (e.g., SP 800-30, 800-37, 800-39, 800-53, and 800-66) as recommended by OCR. Additional threats and vulnerabilities related to ePHI (electronic protected health information) environments, which have no specific HIPAA references but are important cybersecurity concerns, are also assessed to ensure a “comprehensive and thorough” set of deliverables.

The full audit report is available at HHS.
