The Hidden World of OCR’s HIPAA Enforcement:
Lessons Learned from Small Breaches, OCR’s Technical Assistance Program and Rejected Patient Complaints

May 24, 2018

Qualifies for 1.5 CEs from IAPP


OCR makes news when it announces a settlement agreement over a HIPAA violation or initiates an audit program affecting a few hundred healthcare organizations.

But there is a less public side to HIPAA enforcement that receives very little attention but has affected hundreds of thousands of cases and continues to exert substantial influence on OCR’s enforcement strategy.

Every year, OCR reviews and acts on thousands of breaches that do not make the wall of shame. They are rarely made public except when OCR picks one for a settlement to make a specific point.

But with more than 300,000 reports, these small breaches paint a significant picture of the cybersecurity posture of the healthcare system. And these reports require healthcare organizations and contractors to tell OCR what was done to fix these “smaller” problems.

OCR also has effectively enforced HIPAA through its patient complaint system. Since the program started, OCR has forced more than 25,000 healthcare organizations to make changes to their HIPAA programs. In another 26,000 instances, OCR gave healthcare organizations an incentive to make changes to their HIPAA programs before a formal investigation had begun.

Since its patient complaint system began 15 years ago, OCR also found that about 106,000 complaints fell outside its jurisdiction. While some were late and some were senseless, others reflected the public’s concern about the privacy of their health data outside of the healthcare system and provide valuable insights on the behavior in the Internet of Things.

So, while the public often focuses on the 2,300 or so major healthcare breaches and the 54 HIPAA resolution agreements and civil monetary penalties that made the news, OCR can make a credible claim to affecting behavior in about 350,000 cases involving HIPAA privacy or security compliance programs since 2003.

There are important lessons to be learned from these little noticed elements of OCR’s enforcement program. And those lessons are becoming more important as healthcare continues to experience cybersecurity attacks as it moves further into the Internet of Things and the expectations of the public shift as the distinctions between patient and consumer disappear.

To give healthcare organizations, their contractors and mobile app developers a clear understanding of the true threats to their business, Melamedia, LLC is sponsoring a 90-minute webinar:

The Hidden World of OCR’s HIPAA Enforcement:
Lessons Learned from Small Breaches, OCR’s Technical Assistance Program
and Rejected Patient Complaints

Participants Will Be Briefed On:

  • The lessons learned about where and how data security is most threatened based on the hundreds of thousands of small breach reports OCR has received;
  • Common corrective actions that OCR has recommended in the 26,000 cases in which it provided pre-investigative help while responding to patient complaints;
  • What health data concerns were revealed by the 106,000 patient complaints that were deemed to be outside of HIPAA;
  • How all the data from these programs are used by OCR on the regional and HQ levels;
  • How and when OCR works with state attorneys general in responding to breaches and patient complaints;
  • And much more.

Iliana Peters served as OCR’s Acting Deputy Director for Health Information Privacy and Security. Prior to that and for more than a decade, she both developed HIPAA privacy and security policy, including on emerging technologies and cyber threats, and enforced HIPAA regulations through spearheading multi-million-dollar settlement agreements and civil monetary penalties under HIPAA. She is a shareholder in the national law firm, Polsinelli.

Abby Bonjean was an investigator for OCR out of the Chicago office. While at OCR, Abby concentrated on investigating large breaches, evaluating organizations’ responses to breach incidents and their overall HIPAA compliance, as well as providing technical assistance to help entities come into compliance. Abby also served as the lead investigator for several high-profile investigations, including one of OCR’s largest settlements to date. She now works as an associate with the national law firm, Polsinelli.

Dennis Melamed is president of Melamedia, LLC, a regulatory analysis and research firm. He is an adjunct professor at the Drexel College of Medicine where he teaches graduate level courses on health data stewardship, federal regulation of biomedical research and trends in medical device regulation. He is the editor and publisher of Health Information Privacy/Security Alert, which has been tracking health data privacy and security issues since 1997.

Contact: Katalin Sugar
