The U.S. Department of Health & Human Services Office for Civil Rights (OCR) has advanced transparency and accountability in the healthcare sector by issuing two Reports to Congress focused on HIPAA compliance and enforcement, specifically involving the HIPAA Privacy, Security, and Breach Notification Rule Compliance, along with Breaches of Unsecured Protected Health Information. Mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, these annual reports provide regulated entities, including health care providers, health plans, and healthcare clearinghouses, with valuable insights to guide their HIPAA compliance efforts. The reports detail OCR’s actions in investigating complaints, breach reports, and compliance reviews related to potential violations of the HIPAA Rules.
The 2022 Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance discloses key information, including the staggering number of 30,435 new complaints received by OCR, demonstrating the heightened awareness and vigilance in reporting potential violations. OCR successfully resolved 32,250 complaints, emphasizing the commitment to addressing reported issues promptly. The report highlights the resolution of 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs), resulting in monetary settlements totaling $802,500, and one complaint investigation that led to a civil money penalty of $100,000. The report also found that OCR conducted 846 compliance reviews, with corrective actions or civil money penalties imposed in 80% of cases, totaling 674 investigations. Three compliance reviews were successfully resolved with RA/CAPs and monetary payments amounting to $2,425,640.
The 2022 Report on Breaches of Unsecured Protected Health Information covers incidents reported to the Secretary of HHS throughout the calendar year, highlighting trends and vulnerabilities. Hacking/IT incidents remained the largest breach category, comprising 77% of reported breaches and impacting a large number of individuals. OCR also noted the consistent prevalence of network servers as the primary location for breaches involving 500 or more individuals, constituting 58% of the reported large breaches. The report underscores the persistent cybersecurity challenges faced by the healthcare sector and the urgent, ongoing need for regulated entities to improve their compliance with HIPAA Security Rule requirements. It singles out risk analysis, information system activity review, audit controls, response and reporting mechanisms, and person or entity authentication as the areas that matter most, giving entities a concrete starting point for strengthening their defenses and proactively addressing potential security threats.
These reports provide valuable guidance for the healthcare industry, emphasizing the importance of maintaining robust HIPAA compliance efforts. OCR Director Melanie Fontes Rainer stressed their importance: “OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting. Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”