HIPAA Enforcement Update Provided by OCR’s Iliana Peters

by Patrick Kennedy | May 27, 2017

Iliana Peters, Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast.

OCR reviews all data breaches involving the exposure or theft of more than 500 healthcare records at one time. The agency also investigates official complaints about potential HIPAA violations. Those reviews continue to reveal similar non-compliance issues; Ms Peters said many of them occur on a recurring basis.

She said one of the most common problems is the failure to carry out a comprehensive, organization-wide risk assessment and to ensure that any vulnerabilities discovered are addressed through a HIPAA-compliant risk management process. Many recent settlements have highlighted just how frequently HIPAA covered entities get risk assessments wrong: failing to conduct them in the first place, not conducting them frequently enough, or not conducting them to the standard HIPAA demands.

Ms Peters pointed out that privacy violations are occurring on a regular basis, with many HIPAA-covered entities still uncertain about the allowable uses and disclosures of PHI. OCR recently revealed two settlements with covered entities that had disclosed patients’ health information to employers and the media without proper permission.

Peters described how the healthcare industry is not doing a good job of preventing cybersecurity incidents. She said this warrants attention, but it is important for OCR not to focus only on the currently ‘sexy’ issues. OCR is also concentrating its efforts on the lack of safeguards for paper records and the failure to secure removable media.

In the case of the latter, there have been many instances where ePHI has been exposed because of the failure to use encryption. Peters said that if “[a device] can walk away from your enterprise, it will walk away.” OCR has settled cases with many organizations in recent months over the lack of appropriate safeguards, policies and procedures covering removable devices.

Peters said that OCR has been working on sharing penalties with individuals who have been harmed by privacy violations, although that has been a challenging process because harm is difficult to define and quantify. OCR is working on an advance notice of proposed rulemaking and will be seeking direction from the public on how funds should be shared.

OCR is also working on initiatives to enhance privacy protections at non-HIPAA-covered entities. For instance, patients are being encouraged to share their health data with research organizations and through the “All of Us” initiative. For those programs to make a difference, patients need to be sure their data will be protected. OCR is providing guidance to organizations and partners to ensure that patient data is protected even when it is collected and stored by non-HIPAA-covered entities.

Peters also spoke of working with Certified EHR technology and how HIPAA applies to cloud computing, malware, and ransomware.

The Compliance Perspectives podcast can be listened to at this link.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
