Preparing for and Overseeing Your Organization’s OCR Security Audit

January 10, 2013
2:00 - 3:30 pm ET


Health insurance plans that store, process or transmit electronic personal health information should be prepared for the possibility of being audited by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Over the past year, OCR has been actively conducting audits with intense scrutiny of security practices and privacy protections. In this webinar, legal experts will share effective strategies to prepare for an OCR Security Audit.

Educational Objectives: 

Attendees will gain an overview of preparing for and supporting an OCR HIPAA Audit. Our speakers will take a closer look at:

  1. The genesis of the agency’s audit program and protocol
  2. The importance of private companies preparing for an OCR Security Audit
  3. Key strategies for managing an OCR Security Audit
  4. The key issues OCR will be reviewing, and how companies can proactively prepare to address them
  5. Common corrective actions and OCR’s enforcement approach

Target Audiences: 

The ideal audience for this workshop includes:

  • Health insurance professionals who are responsible for any aspect of compliance in their day-to-day career
  • Leadership engaged in compliance and regulatory activities
  • Security Officers and Information Technology professionals
  • Attorneys and legal staff
  • Health care consultants


  1. Planning for an Audit:
    1. The essential elements of an effective privacy/security program
    2. An overview of why the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is conducting security audits, along with past issues and future agency plans
    3. An overview of the top issues private health insurance companies may be facing if selected for an OCR audit
    4. Key strategies companies should be thinking about and employing, including performing a “walk-through” (i.e., an internal assessment that tests the same issues OCR may employ)
    5. Review of existing security and privacy considerations
  2. Internal Risk Assessments
    1. Evaluating the need for a new risk assessment
    2. Considerations/tips for “meaningful” risk assessment processes
    3. Key areas where resources should be focused
    4. Risk assessment processes and threat identification
    5. Vulnerability detection tools and potential controls
    6. Identifying key gaps and mitigation strategies
  3. Successful strategies during an onsite OCR audit
    1. What to do when the agency is onsite
    2. Top issues OCR has identified
    3. Actions/mistakes to avoid
    4. Potential actions to take if deficiencies are found by an OCR audit


Robert Hudock, Member of the Firm, Epstein, Becker & Green, P.C. 

Lynn Shapiro Snyder, Senior Member of the Firm, Epstein, Becker & Green, P.C. 

Patricia Wagner, Member of the Firm, Epstein, Becker & Green, P.C.

Faculty Biographies: 

Robert Hudock is a Member of the Firm in the Health Care and Life Sciences practice, in the firm’s Washington, D.C., office. He practices in the firm’s E-Health Group. His practice includes information security, privacy, data forensics/e-discovery, legal and business issues of outsourcing, encryption (FIPS/ISO Standards), legal implications of expert systems, and knowledge management systems. He is a skilled security and legal professional who knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker to secure clients’ information systems. He is a Certified Information Systems Security Professional (CISSP).

Lynn Shapiro Snyder is a Senior Member of the Firm in the Health Care and Life Sciences and Litigation practices in the firm’s Washington, D.C., office, and she is Strategic Counsel with EBG Advisors, Inc. She has over thirty years of experience at Epstein Becker Green, advising clients about federal, state, and international health law issues, including Medicare, Medicaid, TRICARE, compliance, and managed care issues. Her clients include health care providers, payers, pharmaceutical/device manufacturers, and those companies and financial services firms that support the health care industry. She is a frequent speaker and publishes extensively

Patricia Wagner is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm’s Washington, D.C., office. She has experience representing a wide range of health care clients in all aspects of privacy matters, including helping clients develop general strategies to achieve state and federal privacy compliance. She has also advised numerous managed care plans on nuanced privacy issues and concerns. She serves as the Privacy Officer for the Firm and regularly speaks on privacy topics. Her experience also includes advising clients on a variety of matters related to federal and state antitrust issues and representing clients in antitrust matters in front of the Federal Trade Commission, the United States Department of Justice, and state antitrust authorities.

Registration Rates
Members: $145
Non-members: $175
Government: $125


The content presented in this webinar is solely attributable to the speaker and does not represent an endorsement by America's Health Insurance Plans (AHIP) of the accuracy of the information presented in the audio conference or any opinion expressed by the speaker.