Given the hundreds of thousands of HIPAA covered entities (CEs) and business associates (BAs) and the two dozen or so enforcement actions the HHS Office for Civil Rights takes annually, the odds are exceedingly slim that an organization will find itself in a formal sanctions process with OCR.
On the other hand, OCR does investigate every breach affecting more than 500 individuals as well as other complaints that come in, particularly egregious situations, and if things don’t go well, an organization could find itself dogged by the agency’s investigators.
So, wouldn’t it be nice to get inside the mind of an OCR investigator? Enter John Haskell, an investigator in OCR’s Mid-Atlantic Region, who joined the agency approximately 18 months ago. Since that time he has handled “close to 400 complaints,” gaining experience with a range of privacy issues and organizations, both “large and small.”