OCR Reports to Congress on HIPAA Compliance and Data Breaches
The Department of Health and Human Services recently submitted its annual reports to Congress on the state of HIPAA compliance and healthcare data breaches for calendar year 2022.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 requires the HHS to submit annual reports to Congress on compliance with the HIPAA Privacy, Security, and Breach Notification Rules and on breaches of unsecured protected health information. The reports provide insights into the state of compliance, HIPAA enforcement, and healthcare data breach trends.
The data breach report highlights the extent to which hackers are targeting the healthcare industry. 77% of all data breaches (500+ records) in 2022 were hacking/IT incidents, and 58% involved network servers. The HHS’ Office for Civil Rights investigates all large data breaches but the sheer number of breaches being reported has placed OCR’s resources under strain and there is a huge backlog of cases. Between 2018 and 2022, there was a 107% increase in large data breaches but aside from increased to account for inflation, OCR’s budget has remained flat for years. With more breaches being reported, OCR’s hands are tied, and they simply cannot be investigated promptly.
The problem for OCR is not just the volume of data breaches. OCR is able to use funds collected from its enforcement actions, but fines have been reduced dramatically. In April 2019, OCR announced that it had reviewed the language of the HITECH Act, which called for penalties for HIPAA violations to be increased, and determined that the language had been misinterpreted and the maximum penalties for HIPAA violations had to be reduced in three of the four penalty tiers. The HITECH Act requires OCR to conduct annual audits of HIPAA-regulated entities, but with finances strained, 2022 was another year where there were no funds to conduct HIPAA compliance audits.
Another problem for OCR which has added to its workload is the 2021 amendment to the HITECH Act, which requires OCR to consider the recognized security practices that have been implemented when determining appropriate sanctions and penalties for HIPAA violations. Having to review evidence of those practices having been adopted has considerably increased OCR’s workload and the length of time it takes to conduct investigations into HIPAA Security Rule compliance. OCR has called for Congress to increase the penalties for HIPAA violations and, as OCR does every year, requested additional funds from Congress to allow it to police HIPAA more effectively.
The data breaches investigated by OCR show the most common areas of noncompliance, where HIPAA-regulated entities have either failed to understand their responsibilities or have not invested sufficient resources into their compliance programs. The most common areas of noncompliance were risk analyses and risk management, information system activity reviews, audit controls, response and reporting, and person or entity authentication.
In addition to investigating data breaches, OCR investigates complaints about potential HIPAA violations. In 2022, OCR received 30,435 new complaints alleging violations of the HIPAA Rules and resolved 32,250 complaints. Between 2018 and 2022 there has been a 17% increase in complaints about potential HIPAA violations. 17 complaint investigations resulted in resolution agreements and corrective action plans, with OCR collecting $802,500 in settlements and $100,000 in civil monetary penalties.
In calendar year 2022, OCR completed 846 compliance reviews, and in 80% of those investigations, the entities were required to take corrective action or pay a financial penalty. Three of those compliance reviews resulted in monetary payments totaling $2,425,640.
“OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said OCR Director Melanie Fontes Rainer. “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the healthcare industry to drive compliance and protect against security threats.”
