The HHS’ Office for Civil Rights has sent its annual reports to Congress on data breaches reported in 2021 and on its HIPAA enforcement activities that year. The reports show a small (7%) year-over-year decrease in large healthcare data breaches (500 or more records), with 609 reported in 2021, and a 4.6% decrease in reported small breaches (fewer than 500 records), with 63,571 reported in 2021. While the year-over-year decline is good news, OCR points out that the number of large data breaches increased by 58% between 2017 and 2021, and small data breaches by 5% over the same period. In 2021, OCR opened investigations into all 609 large data breaches and into 22 small data breaches.
One problem with the sheer number of breaches being reported is that the Department of Health and Human Services does not have the resources to respond to each one, investigate it for HIPAA violations, and take appropriate action, at least not in a timely manner. OCR says it needs an increase in funding: large data breaches increased by 58% between 2017 and 2021, but its appropriations did not increase over that period. That is a major problem given the extent to which the healthcare industry is now being targeted by malicious actors.
In addition to investigating data breaches, OCR investigates complaints about HIPAA violations, and the number of complaints increased by 25% in 2021. OCR received 34,077 complaints about potential HIPAA violations in 2021 and initiated 674 compliance reviews in response; around 83% of those reviews were resolved through corrective action or civil monetary penalties/settlements. Around three-fourths of the complaints were resolved without an investigation. Seventeen investigations resulted in a financial penalty, with OCR collecting around $6.1 million in fines and settlements in 2021. Most of those financial penalties resolved HIPAA Right of Access complaints, in which healthcare providers had failed to provide patients with timely access to their medical records.
OCR also imposed two financial penalties for HIPAA Security Rule violations: a $5.1 million penalty for Excellus Health Plan for multiple Security Rule failures that contributed to its massive 2015 data breach, and a $25,000 penalty for Peachstate Health Management dba AEON Clinical Laboratories for systemic noncompliance with the Security Rule.
“The health care industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA Rules to support greater privacy and security of individuals’ protected health information,” said OCR Director Melanie Fontes Rainer. “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”
While OCR is committed to enforcing HIPAA, if its budget is not increased its staff and resources will remain severely strained, which will naturally affect its ability to enforce HIPAA compliance. OCR also points out that following its reinterpretation of the language of the HITECH Act, the maximum penalties in three of the four HIPAA violation penalty tiers were lowered, which has reduced the funds it collects through fines and settlements. OCR has written to Congress asking for the HITECH penalty amounts to be increased to help address the funding shortage.
The OCR reports to Congress can be downloaded here.