The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) is resuming its HIPAA compliance audit program this
fall, with focus on business associates. As scary as that may seem, there are other ways in which you’ll find OCR knocking on your door.
See also: 5 reasons HIPAA is important to insurance agents
Investigations also come about because of client complaints sent to OCR or due to a breach of protected health information (PHI). Where the audits only provide a chance of being recognized by OCR, complaints and breaches guarantee an investigation and fines. Another pitfall of these types of investigations is how long they take.
"All too often, complaint investigations and compliance reviews begun by OCR drag on for many, many months because there are not enough investigators in the regional offices to keep up with the complaints filed by consumers," David Holtzman says. "Covered entities and business associates deserve the opportunity to a prompt investigation and resolution of these agency enforcement activities." (See original article here
OCR is working toward increasing their resources to effectively respond to the large number of complaints received every year by funding themselves through non-compliance fines. Meaning, as you see fines racking up in the news, you should think of how many more individuals OCR can employ to investigate more incidents — a never-ending circle.