A news report from a few days ago is actually a good example of the frustration some experience with OCR investigation of breaches.
TL;DR version: a breach was reported by the media in March 2017. This site also noted it. But now, more than one year later, there have been no consequences for the entity, it seems, and no one has even contacted witnesses to ask for their statements.
On July 23, Phil Rogers of NBC Chicago reported:
Fully sixteen months after NBC 5 Investigates revealed a trove of medical records in a Naperville doctor’s unsecured basement, state and federal investigators have levied no discipline, despite what appears to have been a blatant violation of federal privacy rules.
[..]
Sixteen months later, neither HHS nor two state agencies appear to have taken any action, despite the fact that the doctor’s records were in full view of furnace and hot water repair people, and of course, our own crew from NBC 5 which verified the records’ existence. After our repeated contacts with Baber’s attorney, we watched as the doctor hired a moving crew to remove the documents. Jarvis-Neavins moved out shortly after that. But she said it wasn’t until last month that anyone from HHS even contacted her.
Read more on NBC Chicago.
OCR has always been underfunded and under-resourced, but it is, indeed, frustrating that blatant breaches occur and there is simply no timely follow-up or consequences. If enforcement is to have any deterrent effect, it really needs to be more timely. And if entities get away with not reporting or disclosing breaches at all, why shouldn’t others risk that, too?
Sadly, I don’t expect this to get any better given the current administration’s priorities.