Think You've Figured Out HIPAA Compliance? Sorry, You're Probably Wrong.

By: Robbie Morris on Jan 23, 2018 9:02:00 AM

We hate to break it to you, but there's a HIPAA requirement you’re more than likely doing wrong. The Department of Health & Human Services’ Office for Civil Rights (OCR) is cracking down on requiring a true Healthcare Security Risk Analysis.

A HIPAA-required risk analysis includes a risk assessment of Patient Healthcare Information (PHI), review of policies and procedures, employee interviews for a HIPAA-HITECH audit, a thorough analysis of operational threats, and more. Even more surprising is the lack of risk assessments and vulnerability audits by healthcare organizations' business associates. Remember - anyone who comes in contact with your patient data is also accountable for protecting it.

An in-depth Healthcare Security Risk Analysis isn’t a new HIPAA requirement. OCR simply wasn’t enforcing it like they are now. So, what has changed?

Crisis in Cybersecurity

In 2017, PHI for nearly 5 million people was exposed or stolen as a result of the roughly 300 reported data breaches. That’s an increase from 2016 of more than 200 breaches. That number is expected to continue to grow at an alarming rate in 2018, which is why the OCR is cracking down on enforcing the complete analysis – it’s a healthcare organization’s best shot at discovering all its vulnerabilities and making changes.

Why It’s Not Happening

Most organizations have the best of intentions, but they simply don’t understand the complexity of the HIPAA requirement. They’ve had a network assessment performed or a partial analysis with the expectation that these efforts would satisfy auditors and protect their data. However, in 2017 hundreds of organizations were levied millions of dollars in fines when OCR audits revealed they hadn't fully met the risk analysis requirements.

UP NEXT: Where's my PHI?

Many healthcare leaders are unaware that a piece of their PHI is exposed in some way.

Read more: Where's my PHI?


Robbie Morris is C Spire's VP of Healthcare and Security Solution Services. Contact him at

