February 17, 2023
The HHS Office for Civil Rights (OCR) submitted two reports to Congress covering calendar year 2021: one on HIPAA Privacy, Security, and Breach Notification Rule Compliance and one on Breaches of Unsecured Protected Health Information. The reports are intended to help regulated entities achieve better compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
Both reports contain data on the non-compliance cases OCR investigated during the year. They also highlight trends, including the state of cybersecurity readiness across the healthcare sector.
The 2021 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance shows the total number of complaints received and compliance reviews initiated by OCR, and how each was resolved.
The companion report covers the breaches of unsecured protected health information (PHI) that were reported to the Secretary of HHS in 2021.
The compliance report also highlighted the importance of improving compliance with the HIPAA Security Rule. It stressed the need for improvement in risk analysis and risk management, information system activity review, audit controls, and access controls.
OCR Director Melanie Fontes Rainer said in a statement, “The healthcare industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA Rules to support greater privacy and security of individuals’ protected health information.”
“We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations,” she reiterated.
Under the HIPAA enforcement regulations, a complaint must be filed within 180 days of when the complainant knew, or should have known, that the alleged violation occurred. OCR may waive this time limit if the complainant shows good cause for the delay.
If the evidence does not support the complaint, OCR closes the case. Where OCR finds a violation, it works with the covered entity or business associate to obtain voluntary compliance and corrective action so that the violation does not recur.
In 2021, 17 enforcement actions were resolved with monetary settlements or penalties totaling about $6.1 million. Between 2017 and 2021, the number of complaints OCR received rose by 39%, the number of compliance reviews it initiated rose by 44%, and the number of reported breaches affecting 500 or more individuals rose by 58%.
OCR resolved a total of 26,420 complaints in 2021. The most frequent issues were Impermissible Uses and Disclosures (702 complaints), Right of Access (667 complaints), Safeguards (637 complaints), Administrative Safeguards under the Security Rule (156 complaints), and Breach Notice to Individuals (97 complaints).
If voluntary compliance is not enough, OCR pursues a resolution agreement that combines a monetary settlement with a corrective action plan (CAP). If the entity does not settle, or fails to comply with the terms of its resolution agreement, OCR may impose a civil money penalty to deter future noncompliance. Under the HITECH Act, settlement and penalty amounts collected by OCR also fund its ongoing enforcement program.
Separately from complaints, the Secretary may open a compliance review of a regulated entity; in practice most compliance reviews are triggered by breach reports. During a review, OCR gathers evidence and identifies potential violations.
In 2021, OCR initiated 674 compliance reviews to investigate potential HIPAA violations outside the complaint process. Of these, 609 were opened in response to breach reports affecting 500 or more individuals.
Most of these cases were resolved after the entity took corrective action.
Of the compliance reviews closed in 2021, 554 arose from breach reports. Two of them were resolved through resolution agreements and CAPs, with settlements totaling $5,125,000.
Key Findings and Insights on HIPAA Cases Investigated
According to the 2021 report, OCR received 34,077 complaints alleging violations of the HIPAA Rules and the HITECH Act. OCR resolved 78% of complaints without opening a formal investigation.
OCR resolved 13 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $815,150, and collected an additional $150,000 in civil money penalties.
The top five issues in resolved complaints were, in order, impermissible uses and disclosures, right of access, safeguards, administrative safeguards under the Security Rule, and breach notice to individuals.
Annual Report on Breaches of Unsecured PHI: Key Insights
Hacking and IT incidents remained the leading cause of breaches affecting 500 or more individuals, accounting for about 75% of those reports. Network servers were the most common location of the breached PHI in this category.
Unauthorized access or disclosure of PHI ranked second among causes of breaches. Theft of electronic equipment, portable devices, or paper containing PHI ranked third, followed by loss of electronic media or paper records containing PHI (fourth) and improper disposal of PHI (fifth).
As in previous years, many 2021 breaches involved misdirected communications: test results mailed to the wrong patient, documents filed in the wrong patient’s record, and member ID cards mailed to the wrong individuals.
Nature and number of reported breaches in 2021
OCR received 63,571 reports of breaches affecting fewer than 500 individuals in 2021; together these smaller breaches affected 319,215 individuals. By type of reporting entity, the reports came from health care providers (91%), health plans (7%), business associates (2%), and health care clearinghouses (1%).
The picture differs by breach size. Among breaches affecting 500 or more individuals, hacking and IT incidents were the largest category at about 75% of reports. Among breaches affecting fewer than 500 individuals, unauthorized access or disclosure was the most common type, and paper records were the most common location.
Areas of Improvement in HIPAA Security Rule Compliance
Based on the findings of the 2021 compliance and breach reports, regulated entities (covered entities and their business associates) need to improve their compliance with the HIPAA Rules.
In particular, risk management is an ongoing responsibility, not a one-time exercise for a given year or audit. Regulated entities should perform risk analyses regularly and update their risk management plans as their systems, vendors, and threats change. Safeguards such as audit controls, information system activity review, and access controls should likewise be maintained and improved continuously to protect PHI and sustain HIPAA compliance.
Filing Complaints With OCR for HIPAA Violations
The HHS Office for Civil Rights (OCR) encourages individuals to file complaints about suspected HIPAA violations. Anyone who believes that a covered entity or business associate has violated their health information privacy rights can file a complaint with OCR, which will investigate and, where warranted, require corrective action to resolve the privacy or security issue.