Insights from the HHS Office for Civil Rights Report to Congress
In February 2023, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) submitted two annual reports to Congress for 2021, highlighting the complaints, breaches, and enforcement actions taken during the year.
The Annual Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance noted that the OCR resolved 17 investigations, leading to resolution agreements and correction action plans (CAPs), and imposed civil monetary penalties (CMPs) totaling $6.1M in collections. Even though there was a decrease in breaches reported in 2021, complaints to the OCR increased. The report shows that between 2017 and 2021, complaints received by OCR increased 39% and the number of compliance reviews initiated by the OCR grew by 44%. Breaches affecting 500 or more individuals rose by 58% during this period. Despite these increases, the OCR did not initiate any proactive audits of covered entities and business associates in 2021 due to a lack of financial resources. The OCR conducted 218 outreach events and conferences focusing on OCR actions related to the pandemic, including telehealth guidance, launching a HIPAA and COVID-19 website, and hosting webinars regarding updates to the HIPAA Security Risk Assessment (SRA) Tool.
The Report on Breaches of Unsecured Protected Health Information revealed that the OCR commenced investigations into 631 total breaches in 2021, 609 of which affected more than 500 individuals. Out of these, the OCR completed 554 investigations, resolved two of them with resolution agreements/CAPs, and collected CMPs totaling over $5.1M. The report emphasized the need for organizations to complete a thorough risk analysis and assessment of the potential risks and vulnerabilities to the electronic Protected Health Information (ePHI) they hold, as well as the necessity for risk management practices and regular reviews of information system activity. It was found that many entities had deficiencies in these areas.
The 2021 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance detailed that the OCR received over 34,000 complaints regarding potential violations of HIPAA and HITECH, marking a 25 percent increase from 2020. The majority of these complaints (78 percent) were resolved without an investigation. Only 13 complaints resulted in resolution agreements and corrective action plans (CAPs), and the OCR issued a total of $815,150 in monetary settlements. High-profile resolution agreements included a $200,000 settlement with Banner Health and a $5.1 million settlement with Excellus Health Plan.
The 2021 Report to Congress on Breaches of Unsecured Protected Health Information noted a 7 percent decrease from 2020 in the number of breaches that impacted more than 500 individuals, with 609 such incidents reported. However, these breaches impacted more than 37 million individuals. In addition, more than 63,000 breaches that impacted fewer than 500 individuals were reported. Hacking was the most common breach type in 2021, accounting for 75 percent of all reported breaches. The OCR resolved two breach investigations, totaling $5,125,000 in monetary payments.
Based on the findings in 2021, the OCR recommended that covered entities and business associates focus on areas of improvement such as risk management, information system activity review, and compliance with the Security Rule’s Audit Controls Standard and Access Control Standard.