
Healthcare Law Blog


OCR Offers “Lessons Learned” Regarding HIPAA Compliance, Part II

On Tuesday, some of the details of OCR’s recently released Breach and Compliance Reports were discussed. In addition to detailing facts and figures from cases involving breaches in 2011 and 2012, the Breach Report includes an important “Lessons Learned” section that all covered entities and their business associates should review. Based upon reported breaches, the OCR has outlined some specific areas of concern, which include the following:

Risk Analysis and Risk Management

Covered entities should ensure that their security risk analysis is thorough and pay special attention to ePHI on hard drives, digital copies, USB drives, mobile phones, etc.

Security Evaluation

Covered entities should conduct a security evaluation whenever there are operational changes, such as facility or office moves or renovations, that could affect the security of PHI.

Security and Control of Portable Electronic Devices

Covered entities should ensure that any PHI that is stored and transported on portable electronic devices is properly safeguarded, including encryption when appropriate.

Proper Disposal

For electronic devices and equipment that store PHI, covered entities should ensure that the device or equipment is purged or wiped thoroughly before recycling or discarding the device or equipment.

Physical Access Controls

Covered entities should ensure that physical safeguards are in place to limit access to facilities and workstations that maintain PHI.


Covered entities should ensure that employees are trained and are aware of the sanctions and other consequences for failure to follow the organization’s policies and procedures.

In the Compliance Report, OCR outlines its plan for improved enforcement in the future. OCR expressly stated that it will “work smarter” to cope with the increasing volume of complaints and will pay special attention to “high impact cases.” Compliance Report p. 23. In 2011 and 2012, OCR doubled the number of cases ending in Resolution Agreements, settlement, and corrective action plans, and OCR promises to “continue this uncompromising enforcement posture in the future.”

If you are a covered entity or business associate and would like to know more about how to prevent a breach, contact the McBrayer health care attorneys today. Do not become a statistic! We can help you put OCR’s “Lessons Learned” into practice today!

This article is intended as a summary of newly enacted federal and state law and does not constitute legal advice.
