How are HIPAA Violations Discovered?

HIPAA violations can continue for many months, or even years, before they are discovered. The longer they are allowed to persist, the greater the penalty will be when they are eventually discovered. It is therefore important for HIPAA-covered entities to conduct regular HIPAA compliance reviews to make sure HIPAA violations are discovered and corrected before they are identified by regulators.

There are three main ways that HIPAA violations are discovered:

  1. Investigations into a data breach by OCR (or state attorneys general)
  2. Investigations into complaints about covered entities and business associates
  3. HIPAA compliance audits

Even when a data breach does not involve a HIPAA violation, or a complaint proves to be unfounded, OCR may uncover unrelated HIPAA violations that could warrant a financial penalty.