The first full day of HIMSS17 had a big HIPAA session. It featured Deven McGraw, Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR). She is also Acting Chief Privacy Officer for the Office of the National Coordinator for Health IT (ONC). Clearly, it was one of the sessions at the top of our list to attend. We got there early enough to be perched on the front row. In this episode, we review what McGraw covered in her session and our thoughts on it.

HIPAA For MSPs by David Sims HIMSS17: Deven McGraw Talks HIPAA Enforcement

In this episode:

  • Who is Deven McGraw
  • What the current legislative objectives are, which they will continue to work on until they are directed to change
  • Additional guidance expected from OCR in 2017
  • Sharing information for treatment is allowed, and people should stop overusing HIPAA as a reason not to share
  • Audit updates
  • Phishing cases
  • Consistent problems found in OCR investigations
    • People frequently (her emphasis) fail to realize how far PHI has proliferated in the organization
    • SRAs are never going to be easy, but you do need to do them properly.
    • Ransomware attacks put a spotlight on insufficient or missing Business Continuity and Disaster Recovery plans
  • A few other points she covered on guidance and future activity

Keep moving forward with plans in place for now.

  • 21st Century Cures
  • Access improvement
  • Exchange of information
  • Mental health data sharing guidance

Long-term HITECH objectives left

  • Share money for breach
  • Accounting of disclosure
  • Still long-term but new guidance on disclosure tracking coming

Other guidance

  • FAQs on research release of records
  • Texting PHI
  • Social media: what can be posted
  • CEHRT and compliance with the Security Rule: turn on the security options
  • Anatomy of a case explains how investigations work
  • Update FAQs on website to get them current
  • Minimum necessary guidance
  • Body cameras in ER

Audit updates

  • Audits are not intended as investigations
  • Those who returned no documents are clearly not close to doing what they should
  • Showing you're trying is far better than putting in very little effort, if any
  • The audit program, as defined in HITECH, will become a permanent part of OCR
  • Draft audit reports could go out as early as next week
  • Auditees get 10 days to respond with opinions or changes they would like to note
  • Final reports will not be public as to the details or who was audited
  • A summary at the end of the audits will be public information on the general findings

Consistent investigation findings

  • Lack of up-to-date BAAs where they are needed
  • Incomplete or inaccurate RAs. They frequently (her emphasis) underestimate the proliferation of PHI and do not fully define all the places it exists
  • SRAs are never going to be easy, but you have to do them, so use the tools
  • Have a reasonable and appropriate plan for risk management, not a 10-year trajectory
  • Addressable is not optional; if you don't implement it, document why
    • documentation of what you can and cannot secure must be done
  • Not auditing: you have leeway on what to put in your plan, but you must have a plan and follow it
  • Not patching software: please, please document devices that are not patched when you have to deploy the device anyway
  • Insider threats mean it is not OK to use default passwords
  • disposal of phi is the real low hanging fruit that shouldn’t be the thing causing breaches (like our dumpster diving discussion last week)
  • Ransomware shined a big spotlight on the lack of real DR/BC plans
    • make a real plan not just everyone meet at the treehouse with a flashlight and some water


  • They highlight high-impact cases along with their resolutions
  • Those cases get made an example of on purpose, so pay attention to the examples
  • A breach by a BA can trigger a review of the CE's compliance program, so don't write that off
    • Yet another reason to vet your BAs beyond just signing a BAA
  • You can't eliminate breaches, but having a plan and showing you do try is what matters most

Cybersecurity Guidance

  • Cybersecurity newsletters
  • A major focus is pushing out more information
  • Cybersecurity starts with good basic security and HIPAA is good basic security

Q & A

  • The enormous size and complexity of the industry, with a target on its back, means it isn't as easy as in other industries to manage and implement similar solutions, such as the audit program they use for a power company
  • How to de-identify genetic data successfully is a current work in progress; guidance is coming
  • No, they don't take volunteers for audits, but will consider it
  • Best practices from the audits are not something they can provide as a clear checklist
    • But doing it the way the published details describe is the best way
  • Do we need to do due diligence on BAs?
    • Hard to define, but some BAs should be included in your Risk Assessment. Not 100% required, but not 0% either
  • NIST CSF inclusion in HIPAA sec rule?
    • See their response to the GAO report on this.
    • They are open to doing it, but making it a requirement is not an objective on their current work list
  • CMS Meaningful Use money and HIPAA enforcement don't know about each other, but if they do find out, they share
  • The legal medical record definition is tricky, but ONC is working on it
  • Ransomware doesn't change what counts as a breach. Documentation is key; otherwise, notify

We did record this episode while we were both exhausted at the end of the week. You can tell that Donna's equipment was her travel mic. Sorry for that little issue. Hopefully, the information will make up for the sound differences.

Oh, and we also got a chance to meet Deven McGraw and Tweeted the picture to prove it!