According to OCR's press release, OCR began its investigation of Advocate in 2013, after Advocate submitted three breach notification reports relating to three separate instances of breach of
unsecured electronic protected health information (ePHI).
The OCR enforces the HIPAA Privacy Rule, which
protects the privacy of PHI; the HIPAA Security Rule, which sets national standards for the security of
electronic PHI; and the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of
unsecured PHI.