HealthIT Security has a very good article on OCR HIPAA activities.
A key message is that not all OCR complaints result in HIPAA violations.
OCR will continue to focus “its enforcement efforts and its resources” in areas of alleged non-compliance and “where corrective action under HIPAA may be the only remedy.”
In terms of OCR investigations, though, Samuels added that most of the complaints received by OCR involve situations in which it is difficult to prove whether HIPAA violations took place. For example, in some of these cases evidence is either missing or doesn’t exist, witnesses are no longer available for interviews, or evidence is insufficient to sustain a case.
OCR is also using HIPAA violations and fines to help other organizations:
“We hope that our resolution agreements will provide a template for other health care entities to take the proactive steps necessary to ensure compliance with HIPAA requirements,” Samuels wrote. “We’ve also initiated Phase II of our Audit Program, which will enable us to target our technical assistance to emerging challenges, provide information about replicable practices, and correct problems before they ripen into HIPAA violations.”
Overall, “OCR is laser-focused on breaches occurring at health care entities,” especially as healthcare cybersecurity threats evolve and patient data increases in value on the black market. The agency is working to ensure that healthcare organizations of all sizes understand the necessary steps to take that will keep health information secure.