HHS to Address HIPAA Complaint and Investigation Backlog with New Enforcement Division

The HHS has announced it has restructured its Office for Civil Rights and has created three new divisions to make better use of its limited resources. OCR has been trying to get additional funding from Congress for some time to help deal with its increased workload, but those funds have not been forthcoming. OCR is the primary enforcer of HIPAA and investigates all breaches of 500 or more healthcare records, some smaller data breaches, and complaints about HIPAA violations, as well as enforcing civil rights, conscience, and religious freedoms statutes.

In its recent reports to Congress on its HIPAA enforcement activities, OCR explained that cyberattacks on healthcare organizations increased by 58% between 2017 and 2021 and complaints about potential HIPAA violations have also increased substantially. OCR enforces 55 civil rights, conscience, and privacy statutes and its caseload has continued to grow while its resources have remained the same. Across those 55 statutes, more than 51,000 complaints have been filed with OCR alleging violations of civil rights, privacy, security, and religious freedoms, and OCR says its current funding and staffing constraints are affecting its ability to investigate complaints and data breaches.

With no further funding on the horizon, OCR has been forced to try to get more done with the limited resources at its disposal, hence the decision to restructure into three new divisions. The Health Information Privacy, Data, and Cybersecurity Division (HIPDC) is the new name for the Health Information Privacy Division (HIP) within OCR. The name has been changed to reflect its role in cybersecurity, and this division is responsible for investigations of reported data breaches, including hacking incidents, which now account for 80% of all breaches reported to OCR by HIPAA-regulated entities. HIPDC will be focused on investigating these breaches and clearing the current backlog, as well as investigating HIPAA complaints.

The current Health Information Privacy, Operations and Resources, Civil Rights and Conscience and Religious Freedom divisions have been reorganized into functional cross-cutting areas for Policy, Strategic Planning, and Enforcement. This will allow staff to work within their areas of expertise, which it is hoped will drive greater implementation and enforcement of the law.

By creating a structure that includes Enforcement, Policy, and Strategic Planning Divisions, OCR’s operational structure will reflect that of other federal civil rights offices, and the move to a skill set model will help OCR make much better use of its resources. “This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing,” said OCR Director Melanie Fontes Rainer.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/