HIPAA Risk Analysis & Risk Management – OCR-NIST Procedures Simply Explained

Date: Wednesday, September 15, 2021
Time: 10:00 AM PDT | 01:00 PM EDT
Duration: 90 Minutes
Speaker: Paul R. Hales
Live + Recorded, One Attendee: $299 (was $348)
Live + Recorded, Unlimited Attendees: $599 (was $698)


Risk Analysis and Risk Management (RA-RM) are OCR's top enforcement priority and the basis of every HIPAA Compliance program.

RA-RM steps are easy to follow if you know the steps. But the HIPAA Rules do not lay out specific RA-RM steps. According to OCR, the HIPAA RA-RM steps are nonetheless easy to find.

They are simply certain procedures explained by the National Institute of Standards and Technology (NIST) in publications that are free to download.

Nevertheless, the most widespread and most important HIPAA violation nationwide is failure to perform HIPAA-compliant RA-RM. OCR revealed this on December 17, 2020, when it published the striking results of its Phase 2 HIPAA Compliance Audits.

OCR found:

  • 86% of covered entities and 83% of business associates failed the Risk Analysis Audit
  • 94% of covered entities and 88% of business associates failed the Risk Management Audit

They failed even though they had been given all the audit questions and a list of the documents they would be required to produce well in advance, and knew they were short-listed to be audited.

OCR Guidance – NIST Procedures

OCR has provided significant RA-RM guidance since 2010, explaining 9 Risk Analysis elements and recommending that organizations follow NIST procedures. This webinar explains key NIST terms such as Risk, Threat, Vulnerability, Impact, Likelihood and Control, and walks through the NIST RA-RM procedures in plain language, step by step. OCR/NIST RA-RM steps are easy to follow once you know the steps.

The HIPAA Security Rule RA-RM requirement applies to Protected Health Information (PHI) that is maintained or transmitted electronically (EPHI).

But every organization also has PHI in other forms, such as paper ("Non-EPHI"), and the HIPAA Privacy Rule requires administrative, technical and physical safeguards to protect all PHI. We show you how to apply NIST procedures to conduct RA-RM of PHI in any form or format.

Learn how to protect your organization by identifying the risks and managing those risks to all PHI in every form and format. It will turn HIPAA RA-RM mystery into mastery.

You’ll learn how to perform the steps and create the documentation you need to pass an OCR audit. Most important, however, you’ll see how to identify and manage Risks to the Privacy and Security of protected health information (PHI) maintained and transmitted in any form that seriously endanger your organization’s well-being.

Why you should Attend: Failure to do HIPAA RA-RM puts your organization in grave danger. This webinar will show you how to do a complete HIPAA RA-RM step-by-step – and how easy it is to follow those steps.

You should attend this webinar to learn how you can stop worrying about not doing RA-RM and simply do it in compliance with the HIPAA Rules.

Areas Covered in the Session:
  • Step-by-step guidance enabling administrative staff of Covered Entities and Business Associates of any size to complete a HIPAA RA-RM efficiently every year even if they have never done one before
  • OCR Guidance - How to do Risk Analysis & Risk Management
    • OCR's recommended NIST HIPAA RA-RM Procedures
  • HIPAA RA-RM in 3 Acts
    • Act 1 - Setup: Risk Analysis - assemble information, identify Risks, assess and document Risk Levels
    • Act 2 - Confrontation: Risk Management actions - reduce Risks to a reasonable and appropriate level, maintain documentation
    • Act 3 - Resolution: Risk Management Program focused on your organization's specific Risks - documented, active, periodically reviewed
  • Dangers senior management, owners and organizations face if they fail to do HIPAA RA-RM
  • Clear explanation of HIPAA Risk Analysis and Risk Management following NIST procedures and demonstrated onscreen with illustrations from easy-to-use interactive software

Who Will Benefit: All Health Care Covered Entities
  • Practice Managers - Covered Entities
  • HIPAA Compliance Officials
  • HIPAA Privacy Officers
  • HIPAA Security Officers
  • Patient Engagement Officials
  • Health Information Technology Supervisors
  • Risk Managers - Covered Entities
  • Health Care Providers practicing as individuals or in small groups
  • Group Health Plan Administrators
  • Third Party Group Health Plan Administrators
  • Covered Entity Senior Management and Owners
  • Attorneys for Covered Entities - In-house and Outside Counsel
  • Compliance Committee - Covered Entity Board of Trustees
  • C-Suite Executives - all Covered Entities
  • Chief Compliance Officer - all Covered Entities

All Business Associates
  • Billing and Coding companies
  • Practice Management Companies
  • IT Vendors
  • Data Storage firms (electronic and paper)
  • Providers of secure and unsecured PHI email and text message services
  • Vendors of patient satisfaction surveys
  • Collection Agencies
  • Law Firms representing Health Care Providers & Business Associates

Speaker Profile
Paul R. Hales, J.D. is widely recognized for his expert knowledge and ability to explain the HIPAA Rules clearly in plain language. Paul is an attorney licensed to practice before the Supreme Court of the United States and a graduate of Columbia University Law School with an international practice in HIPAA privacy and security. He is the author of all content in The HIPAA E-Tool®, an Internet-based, complete HIPAA compliance solution with separate editions for Covered Entities, Business Associates, Health Plans and Third Party Administrators.
