HIPAA Shortcuts Can Be Costly

They were a big company serving dialysis patients worldwide. They had HIPAA policies and compliance officers. From the outside they looked golden.

But it turns out that management wasn’t paying attention to HIPAA risk analysis requirements. It cost them millions of dollars.

Enforcement Priorities

How do we know what OCR cares about? OCR tells us through announcements, press releases and newsletters.

Over the past fifteen months, there have been four highly visible announcements reminding us that all locations must have their own site-specific Risk Analysis-Risk Management plan.

1. February 2018

OCR announces Fresenius Medical Care Holdings, Inc., $3.5 Million Settlement Payment and 2-year Corrective Action Plan (more than 2,000 locations nationwide).

Roger Severino, Director of OCR said “The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity.”

2. April 2018

OCR Cybersecurity Newsletter: A risk analysis is a necessary tool to assist covered entities and business associates in conducting a comprehensive evaluation of their enterprise to identify Electronic Protected Health Information (ePHI) and its associated risks and vulnerabilities.

3. October 2018

OCR Press Release: What is an enterprise-wide risk analysis? It is a robust review and analysis of the risks to the confidentiality, integrity, and availability of electronic health information — across all lines of business, in all facilities, and at all locations. It is a requirement of the HIPAA Security Rule, and it helps healthcare organizations understand their security and prevent costly data breaches.

4. May 2019

OCR announces Touchstone Medical Imaging, LLC $3 Million Settlement Payment and two-year Corrective Action Plan.

Said Roger Severino, “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

Touchstone Corrective Action Plan:

TMI was required to complete a thorough, enterprise-wide analysis of security risks and vulnerabilities with a complete inventory of all equipment, systems, data storage facilities, and applications that contain electronic health information.

The HIPAA E-Tool® makes location-specific Risk Analysis easy and affordable, without shortcuts. We provide step-by-step guidance and every question you need to answer, so you don’t need expensive outside help to get this done. You create an inventory and identify risks; those risks populate your To-Do list, which becomes the full documentation of your Risk Management Plan. All of it is consistent with the NIST (National Institute of Standards and Technology) procedures that OCR recommends.

You can be golden.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.