What OCR Expects in a HIPAA Risk Analysis


Provided by MHA Health Institute

Date & Time

Thursday, March 1
9:30 - 10:30 a.m.

Register on or before Tuesday, Feb. 20, to ensure delivery of instructional materials.

MHA members — $225
Nonmembers — $275

The webinar registration fee covers one phone line connection. Each additional phone line connection will be charged a registration fee. Multiple participants on the same connection are encouraged. Get more value by inviting colleagues to join you!

This webinar is being offered at a reduced registration fee to MHA-member hospitals because of a contribution from the MHA Management Services Corporation.


Compliance officers, privacy and security officers, legal counsel, health information management leadership and staff, information security staff, board members and C-suite executives, including CMOs and CNOs, should attend, as should others interested in or responsible for patient communications, information management, and the privacy and security of protected health information under the Health Insurance Portability and Accountability Act.

The following program content was provided by the speaker.


There are plenty of ways to squander several million dollars, but none quite as frustrating as forking over those hefty sums to the Department of Health & Human Services’ Office for Civil Rights. Thirty-nine of 52 OCR Corrective Action Plans/Resolution Agreements to date involved ePHI and, therefore, required risk analysis and risk management. Ninety percent of these organizations failed to complete a HIPAA Risk Analysis, and 85 percent failed to complete HIPAA Risk Management, that meets OCR’s increasingly stringent ‘standard of care.’

Organizations struggle to fully comprehend the scope of an OCR-quality Risk Analysis. Simply put, an accurate and complete HIPAA Risk Analysis must include all information assets in all lines of business, in all facilities and in all locations. If that sounds like a lot, it is. Attend this live web event and learn a step-by-step methodology based on OCR and NIST guidance, aided by high-performing software.


At the conclusion of this session, the participants will be able to:

  • identify the HIPAA Risk Analysis implementation specification language at 45 CFR §164.308(a)(1)(ii)(A) of the HIPAA Security Rule
  • discuss the methodology outlined in the HHS/OCR "Guidance on Risk Analysis Requirements under the HIPAA Security Rule"
  • identify the underlying NIST Special Publications for performing a risk assessment and specifically, NIST SP 800-30 "Guide for Conducting Risk Assessments"
  • describe the documentation found in OCR investigation letters and "OCR Resolution Agreements/Corrective Action Plans"
  • implement the "OCR Audit Protocol — Updated April 2016" specific to risk analysis and risk management


Bob Chaput, CEO of Clearwater Compliance, is one of the health care cyber risk management industry’s most innovative leaders, accelerating best practices in a more reproducible and efficient way. He works with hospitals and health systems of all sizes, including more than 40 of the top Integrated Delivery Networks in the country. Chaput helps health care organizations not only defend against current cyber threats but also build the capabilities for self-sufficiency needed to defend against future cyber threats. His enterprise risk management analyses and insights are frequently featured in the country’s top health care and cybersecurity publications, journals and news sources. Chaput serves on the HealthCare’s Most Wired Survey Advisory Board and was a contributing co-author of an American Society of Healthcare Risk Management academic textbook on the fundamentals of risk management, released in October 2017. Chaput has no real or perceived conflicts of interest that relate to this presentation.