Whether a covered entity’s notice of a reportable breach or a complaint triggers the investigation, OCR reviews the evidence it gathers in each case. In some cases, OCR determines that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:
- Voluntary compliance
- Corrective action; and/or
- Resolution agreement.
OCR reported 4,459 investigative closures in 2013, with nearly 78% of those investigations closed with corrective action as part of its enforcement.1
From 2008 to 2013, Resolution Agreements and fines totaled over $28 million.2
Other enforcement actions
Even when OCR does not fine the breached and investigated entity, its enforcement may still require actions to remedy the complaint and issue directives for future compliance. Ongoing scrutiny by OCR, and possibly by other governmental agencies such as the Federal Trade Commission (FTC), may follow.
1. Susan McAndrew, JD, Deputy Director, Health Information Privacy Division. OCR Update and Outreach, Stepping Up Compliance in 2014. Presented at 22nd National HIPAA Summit, February 5, 2014.
2. U.S. Department of Health and Human Resources. Case Examples and Resolution Agreements: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/