DSIR Deeper Dive: Regulatory Investigation Landscape
HIPAA-covered entity and business associate breaches continue to draw attention from the Office for Civil Rights (OCR) and other regulators. In almost every HIPAA incident we handled in 2019 involving more than 500 individuals, OCR issued a data request. While OCR investigations can be burdensome, few of them result in penalties.
State attorneys general have been laboratories of privacy enforcement. Over the years, they have devoted significant time and energy to, and played an increasingly active role in, data privacy and security matters. To investigate data security lapses, they have used their broad consumer protection authority and the authority given to them under the HITECH Act to enforce the HIPAA privacy and security rules. More recently, we have seen expanded authority given to...