New OCR Deputy Director for Health Information Privacy Appointed

by | Jun 19, 2015

Deven McGraw been appointed to the role of Deputy Director of Health Information Privacy, and must get the agency auditing, advising and enforcing as it is supposed to be. Ms McGraw will be filling the role left vacant by  departure of Susan McAndrew, who retired last year, and is set to assume the role on June 29.

The OCR has taken its time to identify a replacement for Susan McAndrew. That wait certainly seems to have paid off.

McGraw boasts an impressive resumé, with experience in both the public and private sector. She has developed strong strategic management skills and has held the posts of Chief Operating Officer at the National Partnership for Women & Families and Director of the Health Privacy Project at the Center for Democracy & Technology. McGraw is familiar with challenges, and has an extensive working knowledge of the particulars of healthcare privacy and security laws.

She served as partner at Manatt Phelps & Phelps and co-chair of the firm’s privacy and security practice. She has also been an adviser to the HHS for the past 6 years and has testified before congress on privacy matters many times; in addition to serving on the federal Health IT Policy Committee.

The OCR decribed the role McGraw will play at the OCR in the announcing of her appointment. “McGraw will spearhead OCRs policy, enforcement, and outreach efforts on the HIPAA Privacy, Security, and Breach Notification Rules; as well as lead OCR’s work on Presidential and Departmental priorities on health privacy and security.”

There are two major challenges which require immediate action to be taken. The second phase of the HIPAA compliance audits has been delayed for some time. The OCR has taken action having sent out pre-audit surveys. After the responses have been gathered, covered bodies need to be selected for audit. No announcement has been made by the OCR as to when they will begin but the pressure is on to make a start soon.

The OCR must also help covered bodies achieve compliance with HIPAA Security, Privacy and Breach Notification Rules. One of the ways the agency will aim to do this is by issuing technical guidance. New guidance has been slow to emerge of late and many covered bodies are struggling to comply with HIPAA Rules due to this. The legislation is, after all, nearly 20 years old.

The OCR must make good on its promise to help covered bodies more and issue new technical guidance to help covered entities and their Business Associates implement the necessary measures to protect the privacy of patients and keep healthcare data secure.

The OCR has lost some key members of staff in recent months and the effects are still being felt. The agency has had to adapt to a new Director, Jocelyn Samuels, and Susan McAndrew’s absence will be felt. The appointment of Deven McGraw should certainly help to redress this.

There is a lot to be done and with little funding, which will make McGraw’s job difficult. Despite having the rigt skill-set she have to squeeze even more out of the resources the OCR has at its disposal.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy