HIPAA Complaints, OCR Investigations, and Security Risk Analysis for Healthcare Delivery Organizations – A Common Thread

Rich Curtiss, Director, Healthcare Cyber Risk Services, Coalfire

Many HIPAA covered entities (CEs) and business associates (BAs) may not be meeting the regulatory mandate as defined in §164.308(a)(1)(ii)(A) of the HIPAA Security Rule. This implementation specification requires that healthcare delivery organizations (HDOs) “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

This requires what I’ll call an Office for Civil Rights (OCR)-grade risk analysis that is clearly scoped and defined under the title “Guidance on Risk Analysis Requirements under the HIPAA Security Rule.”1

There are several factors contributing to decisions not to conduct an OCR-grade risk analysis, including the reduction in formal OCR audits against CEs and BAs. Is this a reasonable and/or appropriate rationale for delaying a risk analysis, or for reducing its scope and priority?

The thinking goes something like this: The OCR isn’t executing audits, so I don’t need to concern myself with conducting or updating my risk analysis since they won’t be calling, writing, or visiting. Therefore, I’ll use my budget for something else.

Unfortunately, this is a gambit that may not play out in your favor given a corollary HIPAA Privacy Rule specification and guidance regarding HIPAA complaints and potential OCR investigations. Specifically, anyone may file a health information privacy or security complaint directly to the OCR using the OCR Portal. Complaints may also be submitted via email or mail. They can be anonymous and may be submitted when an individual thinks a healthcare organization is not “following the rules.” 

The complaint process is documented by the U.S. Department of Health & Human Services (HHS) on their website, which contains links to the portal and other amplifying information. HIPAA requires that CEs and BAs make this same information available to individuals whose Protected Health Information (PHI) may be under their control.

What does this have to do with an OCR risk analysis? A lot!

Once the OCR determines a complaint is legitimate, they will contact the organization to determine whether an official investigation is required. The paper trail begins with an official OCR investigation letter. The letter will typically require submission of all applicable HIPAA documentation, including policies and procedures related to the complaint. Among the documentation required by the OCR is the organization’s latest risk analysis and risk management plan. Sometimes this request takes the form of an enterprise risk analysis, which would cover all hospitals, practices, and centers associated with the HDO and not just the affected facility.

The OCR routinely presents statistics indicating that a very large portion (more than 80%) of submitted risk analyses fail to meet their standards for thoroughness, completeness, and construct. There’s often much confusion in the healthcare sector about what constitutes an acceptable OCR risk analysis, and many organizations take a simplified approach to determine how well they meet the Security Rule specifications and consider this a risk analysis. In April 2018, the OCR released a newsletter informing their constituency of the differences between a HIPAA Security Rule gap analysis and a well-defined risk analysis. 

It’s all about the electronic PHI (ePHI) and where it lives. How is ePHI being protected, safeguarded, controlled, maintained, stored, processed, created, sent, and received? Answering that is not necessarily simple, but it is critical and necessary.

Remember – it only takes one complaint to the OCR to launch an investigation that results in a request for your most current risk analysis and risk management plan. Would it be OCR-grade? Before the OCR comes knocking, you should ensure your risk analysis is accurate, thorough, and meets OCR expectations.
