To download presentations from recent events, click on the links provided. If you are interested in any presentations from our previous events not currently linked, please contact us via email.

Notification of Events:

To be added to our email distribution list to receive notifications of future HIPAA COW events, please contact us via email. In the Subject box, please put “Add to Events Email List”.

Loading Events
This event has passed.

Program Brochure

Register Here

Early Bird Registration: $75

  • $95.00 after Monday, October 10, 2022


Thursday, November 3


8:10am – 9:10am

Upcoming Legislation and Recent OCR Guidance

Presented by: Sarah Coyne, JD (Quarles & Brady LLP), Rachel Weiss, JD (Quarles & Brady LLP), Kelsey Toledo, JD (Husch Blackwell LLP) and Noreen Vergara, JD (Husch Blackwell LLP)

In this session we will discuss recent changes and expected changes in the laws governing privacy or security of health care information including: The status of the expected final HIPAA regulations addressing coordination of care and access to care (NPRM Dec. 10, 2020); How HIPAA’s increased focus on “right of access” interfaces with the Information Blocking Rule and particularly the “Preventing Harm” exception; The effect of the U.S. Supreme Court’s decision in the Dobbs case on disclosure of information; Recent changes to the regulations governing substance use disorder (42 CFR Part 2) and related guidance, and interface with HIPAA; What we can learn from recent OCR enforcement actions and settlements; and HHS guidance on telehealth and audio only care encounters.



9:20am – 10:20am

De-Identification with the Expert Determination Method

Presented by: Bradley Malin, PhD (Vanderbilt University Medical Center)

This presentation will walk through the process of de-identification with the expert determination method from the perspective of an expert data scientist. What are the benefits of the expert determination method? What does the process look like? What should covered entities and business associates do before beginning the process?



10:30am – 11:30am

Common Misconceptions in Privacy and Security

Presented by Meghan O’Connor, JD (Quarles & Brady LLP), and Jeffrey Dunifon, CIPP/US (Dexcom)

What are the common misunderstandings, misinterpretations, and mistakes in operationalizing privacy, security, and breach notification requirements under HIPAA and state law? Attendees are encouraged to submit suggestions and questions in advance, and we will unpack them (anonymously) during this session. Examples include BAAs, offshoring, information blocking, HIPAA/FERPA intersection, etc. Can we stump the speakers?



11:40am – 12:40pm

Learn from Other’s Mistakes: How to Avoid an OCR Civil Monetary Penalty

Presented by: Elizabeth Delahoussaye, RHIA, CHPS (Ciox Health)

While you may or may not be familiar with the processes and inner workings of the Office of Civil Rights (OCR), this session will provide you access to over 20 lessons learned from organizations like yours. We’ll discuss the similarities of those who received civil monetary penalties as we review real-world scenarios from large hospitals and healthcare systems and small clinics alike. We’ll provide you with the toolset to ensure compliant and comprehensive data sharing across multiple EHR systems as we share industry-wide best practices. Join Ciox Health as we share the tips and tricks to providing high-quality patient and regulatory requirements, and avoiding complaints or worse, OCR actions and civil money penalties.



Friday, November 4, 2022

8:10am – 9:10am

Who Brought Cookies? OCR, DOJ, and Attorney General investigations into Healthcare’s Use of Website Trackers

Presented by: Aleksandra Vold, JD (Baker Hostetler), and Stefanie Ferrari (Baker Hostetler)

In spring of 2022, many healthcare entities were contacted by journalists at The Markup, asking if the entity was aware that it had a Facebook/Meta pixel on the entity’s website that was sending patient information to Facebook. The Markup published an article about healthcare’s use of advertising technology in June, naming dozens of prominent healthcare entities as using advertising technology and accusing those entities of sending confidential patient information to third parties. The article – and the entities’ use of adtech – caught many compliance and privacy teams by surprise, signaling a disconnect between marketing and compliance teams.  While entities rushed to assess their adtech posture, dozens of investigations have been launched by state AGs, state DOJs, HHS OCR, and the US Congress. BakerHostetler will give an inside view into the investigations, what is “adtech”, and what their covered entity clients are uncovering about the impacts to patient privacy.



9:20am – 10:20am

Data Destruction

Presented by: Kirsten Wild, RN, BSN, MBA, CHC (Wild Consulting) and Allison Dressel (Poisinelli)

How can your organization securely destroy data containing protected health information without violating the HIPAA obligation to apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form?  How can your organization limit incidental and avoid prohibited uses of PHI in connection with the disposal of information?  While most organizations have implemented cybersecurity measures that account for destruction of electronic data, many organizations continue to struggle with destruction of paper records, labeled prescription bottles, hospital identification bracelets or other tangible media containing PHI.    This panel will discuss the legal, operational and practical implications for covered entities and business associates related to data destruction.  The panel will discuss potential penalties and relevant OCR settlements, as well as provide practical pointers and advice on safe and compliant destruction of data.


Data Destruction Resources

OCR Resolution Agreement

Sample Certificate of Sanitization


10:30am – 11:30am

“So, You Have Remote Employees?” Panel Discussion on Practical Privacy, Security, and Compliance Tips

Presented by: Sarah Boswell-Healey, JD, CIPP-US,, CIPP-EU (United Health Group), Tricia Kvitrud, JD (University of Wisconsin-Madison) and Erica Mills (MHS Health Wisconsin)

Even if you had remote workers before, the past few years have changed how companies in the healthcare industry need to view privacy, security, and compliance. Does your company have health fitness apps, symptom check apps, or health reward apps? How can you monitor remote employees for keeping company (and patient and member) information secure and safe? What differences should be considered if your remote workers are clinician or non-clinicians? This panel will include perspectives from local and national health insurance firms, healthcare technology, and industry legal insights.