NP Privacy Partner
Podcast highlights OCR enforcement trends and future rulemaking
This post originally appeared on American Health Lawyers Association on June 1, 2017.

On May 15, 2017, the Society on Corporate Compliance and Ethics posted a podcast of an interview with Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement at the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In the podcast, Ms. Peters discusses OCR enforcement trends, upcoming rulemaking, and the National Institutes of Health’s (NIH’s) All of Us Research Program (All of Us Program).

Ms. Peters discussed the different ways that compliance issues come to the attention of OCR, such as through complaints, breaches, the media, or other federal or state agencies, and how OCR sees the same types of compliance issues repeated again and again. She provided some insight as to how OCR chooses which cases to pursue, stating that OCR tends to pick cases with particularly egregious violations or those that will “send a message to the industry and be a teachable moment” to highlight OCR’s enforcement concerns. Examples of enforcement trends that are found in many recent OCR settlements include the lack of an enterprise-wide risk analysis, disclosures to third parties without HIPAA-compliant authorizations, and security issues related to portable media, such as laptops, thumb drives, phones, and other devices.

The podcast also addressed cybersecurity issues. In particular, Ms. Peters addressed the widespread issues related to ransomware, stating her view that ransomware will lead to a reportable breach in the “majority” of cases. She stated that OCR will expect an organization to provide support as to why it determined that its data was not compromised if it concludes a ransomware attack is not a reportable breach of unsecured protected health information.

In addition to addressing enforcement issues, Ms. Peters discussed OCR’s current rulemaking efforts, describing how the agency is working on a Notice of Proposed Rulemaking (NPRM) on the Health Information Technology for Economic and Clinical Health (HITECH) Act provision that will permit individuals harmed by HIPAA violations to share in the penalties related to such violations. Ms. Peters described the difficulty in crafting rules that attempt to quantify harm and that establish a formula for dividing a penalty or other recovery. She stated that OCR is still working on this NPRM.

Ms. Peters also described how OCR is continuing to work on rules governing the accounting of disclosures that is required under the HIPAA Privacy Rule. She stated that the previous NPRM on this issue resulted in numerous comments describing the burdens that would result from the HITECH Act’s requirements and that OCR is working to determine the appropriate way to implement the HITECH Act requirements while simultaneously addressing the public’s concerns.

Finally, the podcast conversation addressed the NIH’s All of Us Program, which is attempting to work with over a million individuals. NIH wants to collect health information from these individuals and analyze it for long-term trends to understand general health risks to our society and to further enable precision medicine. Ms. Peters stated that OCR is working closely with those implementing the All of Us Program to ensure that privacy and security protections are in place even though the All of Us Program is not regulated by HIPAA.

Access the podcast.

*We would like to thank Valerie Breslin Montague (Nixon Peabody LLP, Chicago, IL) for authoring this alert. We also would like to thank Alisa L. Chestler (Baker Donelson Bearman Caldwell & Berkowitz PC, Washington, DC and Nashville, TN) and Michaela D. Poizner (Baker Donelson Bearman Caldwell & Berkowitz PC, Nashville, TN) for editing this alert. AHLA would like to thank the Health Information and Technology Practice Group leadership for sharing this alert with the Physician Organizations Practice Group.
Copyright 2017, American Health Lawyers Association, Washington, DC. Reprint permission granted.

