This presentation is a recording of a live web event co-hosted by former OCR Leader and Investigator, Iliana Peters and Clearwater CEO, Bob Chaput presented on 03/14/2018.

For the latest information, and to interact directly with our subject matter experts, we invite you to attend one of our live webinars.

In this webinar, attendees will hear directly from former OCR Leader and Investigator, Iliana Peters, as she provides insight into why so many healthcare organizations struggle to meet the HIPAA Security Rule, particularly Risk Analysis requirements.

Many struggle to understand the difference between the HIPAA Security Evaluation required at 45 CFR §164.308(a)(8) and the HIPAA Security Risk Analysis required at 45 CFR §164.308(a)(1). Understanding the critical differences between these two requirements is essential.

Complying with the HIPAA Security Final Rule involves many steps and considerations. Here we focus on the two evaluations that the HIPAA Security Final Rule requires you to complete by law.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law, including all 22 Standards and 53 Implementation Specifications that comprise the Administrative, Physical and Technical Safeguards in the HIPAA Security Final Rule. Additionally, this evaluation must cover 45 CFR §164.314 and §164.316, which address Organizational Requirements, Policies and Procedures, and Documentation.

This type of evaluation is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program, or maintaining an existing program. The output of the evaluation establishes a baseline of overall compliance that can be measured by the executive team, compliance or risk officer, audit committee, or board. Think FOREST view.

A HIPAA Security Risk Assessment (Analysis) is also required by law to be performed by every covered entity (CE) and business associate (BA).

The Security Final Rule states:
45 C.F.R. § 164.308(a)(1)(ii)(A) RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

Additionally, completion of the Risk Assessment is a core requirement to meet Meaningful Use objectives.

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Assessment are required by law and are important and necessary steps on your HIPAA Security compliance journey. Knowing which evaluation to complete, and when, is a challenging decision even for the largest and most sophisticated organizations.

The approaches presented in the webinar have been used by organizations of all sizes and are purposefully designed to scale from the largest CEs and BAs (e.g., hospitals, insurers, care management firms, etc.) to the smallest CEs, BAs and subcontractors (e.g., small medical practices, clinics, dental offices, medical billing companies, etc.).

No matter where you are in your HIPAA compliance journey, you will benefit from learning about:

  • The requirements of the HIPAA Security Final Rule for evaluations
  • The difference between a compliance assessment and a risk assessment
  • The HIPAA Security Final Rule civil and criminal penalties
  • Practical, actionable steps to complete the evaluations required by law

Please submit the form to access the on-demand webinar with former OCR Leader and Investigator, Iliana Peters.

About Iliana Peters

Iliana Peters, JD, CISSP

Shareholder, Polsinelli & Former Acting Deputy Director HHS Office for Civil Rights

Iliana L. Peters believes good data privacy and security is fundamental to ensuring patients’ trust in the health care system, and to helping health care clients succeed in an ever-changing landscape of threats to data security. She is recognized by the health care industry as a preeminent thinker and speaker on data privacy and security, particularly with regard to HIPAA, the HITECH Act, the 21st Century Cures Act, the Genetic Information Nondiscrimination Act (GINA), the Privacy Act, and emerging cyber threats to health data.

For over a decade, she developed health information privacy and security policy for the Department of Health and Human Services, including policy on emerging technologies and cyber threats, and enforced the HIPAA regulations by spearheading multi-million dollar settlement agreements and civil money penalties pursuant to HIPAA. Iliana also focused on training individuals in both the private and public sector, including compliance investigators, auditors, and State Attorneys General, on HIPAA regulations and policy and on good data privacy and security practices.
