OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2024

One of the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 is for the HHS Office for Civil Rights (OCR) to submit annual reports to Congress on compliance with the HIPAA Privacy and Security Rules, and the number and nature of breaches of unsecured protected health information. OCR has recently submitted the two reports to Congress for the calendar year 2024.

Data breaches continue to be reported in high numbers, although there was a 9% year-over-year decline in reported large healthcare data breaches. In 2024, OCR received 663 notifications of large breaches. While breaches declined, there was a massive increase in the number of affected individuals. Across the 663 reported breaches, the protected health information of 242,908,056 was exposed or impermissibly disclosed. That equates to approximately 69.5% of the current population of the United States.

The largest category of data breaches was hacking incidents, and one incident accounted for more than 79% of the year’s affected individuals – the hacking incident at Change Healthcare, which affected an estimated 192 million individuals. Hacking and other IT incidents accounted for 81% of large data breaches and more than 99% of all breached records.

Small healthcare data breaches are far more common. OCR received 74,299 reports of data breaches affecting fewer than 500 individuals, across which the protected health information of 340,618 individuals was exposed or impermissibly disclosed. Small data breaches increased for the third consecutive year and were up 9% year-over-year. The main cause of smaller breaches was unauthorized access or disclosure, such as the mismailing of patient records and misdirected emails. The smaller breaches are typically the result of carelessness or a lack of regular HIPAA training for the workforce.

OCR launched investigations into all large data breaches and two of the smaller breaches and resolved 785 breach investigations in 2024, with 12 investigations resulting in either a settlement with a corrective action plan or a civil monetary penalty.  OCR collected $7,813,831 in funds from those enforcement actions.

Through its investigations, OCR found that the most common violations related to risk analyses and risk management, information system activity reviews, audit controls, and the authentication of persons or entities. OCR currently has an enforcement initiative targeting noncompliance with the risk analysis requirement of the HIPAA Security Rule, which is being expanded this year to also cover risk management. In addition to regular assessments to identify risks and vulnerabilities to protected health information, OCR will require evidence that the identified risks and vulnerabilities have been addressed in a timely manner.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

In 2024, OCR received 30,256 new complaints about potential violations of the HIPAA Rules – down 2% year-over-year – and carried over 2,955 complaints from previous years. In 2024, OCR resolved 28,228 complaints, and nine investigations of complaints resulted in either a settlement and corrective action plan or a civil monetary penalty. Across those 9 enforcement actions, OCR collected $1,180,781 in penalties. In total, in calendar year 2024, OCR issued 22 fines to resolve alleged HIPAA violations, collecting a total of $9,944,612 in penalties.

A majority of complaints (62%) were resolved without opening an investigation, most commonly because a complaint was submitted about a HIPAA violation when the entity was not covered by HIPAA, or due to allegations of conduct that did not violate the HIPAA Rules. In 33% of cases, complaints were resolved by providing technical assistance on HIPAA compliance.

OCR completed 1,370 complaint investigations, with 48% requiring the regulated entity to take corrective action. In 51% of investigations, OCR found insufficient evidence that HIPAA had been violated, and in 3% of cases, technical assistance was provided after an investigation was initiated.

OCR initiated 730 compliance reviews, a 3% year-over-year increase, and OCR completed 797 compliance reviews. OCR conducted 89 outreach activities to raise awareness of individuals’ rights under HIPAA and provide HIPAA-regulated entities with advice on data breach trends.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/