December 7, 2019


Part II: Office for Civil Rights (OCR) Offers “Lessons Learned” Regarding HIPAA (Health Insurance Portability and Accountability Act) Compliance

On Tuesday, this blog discussed some of the details of OCR’s recently released Breach and Compliance Reports. In addition to detailing facts and figures from cases involving breaches in 2011 and 2012, the Breach Report includes an important “Lessons Learned” section that all covered entities and their business associates should review. Based upon reported breaches, OCR has outlined the following specific areas of concern:

Risk Analysis and Risk Management

Covered entities should ensure that their security risk analysis is thorough and pays special attention to ePHI on hard drives, digital copies, USB drives, mobile phones, and similar media.

Security Evaluation

Covered entities should conduct a security evaluation whenever there are operational changes, such as facility or office moves or renovations, that could affect the security of PHI.

Security and Control of Portable Electronic Devices

Covered entities should ensure that any PHI that is stored and transported on portable electronic devices is properly safeguarded, including encryption when appropriate.

Proper Disposal

For electronic devices and equipment that store PHI, covered entities should ensure that the device or equipment is thoroughly purged or wiped before it is recycled or discarded.

Physical Access Controls

Covered entities should ensure that physical safeguards are in place to limit access to facilities and workstations that maintain PHI.


Covered entities should ensure that employees are trained and are aware of the sanctions and other consequences for failure to follow the organization’s policies and procedures.

In the Compliance Report, OCR outlines its plan for improved enforcement going forward. OCR expressly stated that it will “work smarter” to cope with the increasing volume of complaints and will pay special attention to “high impact cases.” Compliance Report p. 23. In 2011 and 2012, OCR doubled the number of cases ending in Resolution Agreements, settlements, and corrective action plans, and OCR promises to “continue this uncompromising enforcement posture in the future.”

© 2019 by McBrayer, McGinnis, Leslie & Kirkland, PLLC. All rights reserved.


About this Author

Emily M. Hord, Health Care Attorney, McBrayer Law Firm

Emily M. Hord is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC. Ms. Hord concentrates her practice in healthcare law and is located in the firm’s Lexington office. Ms. Hord has experience in a variety of health law issues. She has represented hospitals and healthcare networks, physicians and other medical professionals, nursing homes, and private physician practices. She provides services in the following areas: regulatory and statutory compliance, Certificate of Need and licensing, professional license defense, employment contracts for medical professionals, HIPAA...