The Office for Civil Rights (OCR), a division of the Department of Health and Human Services, is the governmental agency responsible for investigating covered entities and business associates and providing them with technical assistance on matters of HIPAA compliance. When a deficiency is found in a covered entity or business associate’s compliance with the Security Rule or the Privacy Rule, OCR takes the necessary action to remedy the deficiency, including imposing penalties or requiring the covered entity or business associate to enter into a corrective action plan.

As of the end of January 2017, OCR reported that the most commonly investigated HIPAA compliance issues are the following:

  • Impermissible uses and disclosures of protected health information (PHI);
  • Lack of safeguards of PHI;
  • Lack of patient access to their own PHI;
  • Use and disclosure of more than the minimum necessary PHI; and
  • Lack of administrative safeguards of electronic PHI.

Additionally, the following types of covered entities are those most commonly required to take corrective action in light of a compliance deficiency:

  • Private practices;
  • General hospitals;
  • Outpatient facilities;
  • Pharmacies; and
  • Health plans.