OCR Ransomware Settlements Focus on Risk Analysis Failures
In an article in HIPAA Regulatory Alert, published by Healthcare Risk Management, Woods Rogers Principal Liz Heddleston weighs in on the most recent settlement by the Office of Civil Rights (OCR) to resolve an investigation of a ransomware attack. It is the latest in a string of settlements involving the failure of covered entities and business associates to conduct compliant risk analyses.
“Covered entities must vet their business associates before entrusting them with PHI,” Liz told the publication. “At a minimum, covered entities should request documentation verifying that these vendors are performing risk analyses and have appropriate safeguards to protect PHI. Business associates are required to comply with the HIPAA Security Rule, and it’s a red flag if they are not performing a HIPAA-compliant risk analysis.”
View the full article on Relias Media. For more information on how the OCR requirements impact healthcare providers, contact Liz Heddleston.