HHS Delivers 2 Reports to Congress On Healthcare Data Breaches, HIPAA Compliance

The reports provide key insights into OCR’s efforts to investigate healthcare data breaches and HIPAA compliance cases throughout the 2021 calendar year.

By Jill McKeon

The HHS Office for Civil Rights (OCR) delivered two reports to Congress that shed light on healthcare data breaches and HIPAA compliance efforts logged during the 2021 calendar year.

The reports contain detailed accounts of how OCR investigated complaints, collected breach reports, and conducted compliance reviews surrounding potential HIPAA violations in 2021.

“The [healthcare] industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA Rules to support greater privacy and security of individuals’ protected health information,” OCR Director Melanie Fontes Rainer said in an accompanying press release.

“We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”

Each report contains useful data points and may help covered entities and their business associates manage risk and prioritize key compliance efforts.

OCR’s 2021 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance

OCR’s 2021 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance summarizes the HIPAA enforcement actions undertaken by OCR in 2021 and the outcomes of each action.

OCR received more than 34,000 complaints regarding alleged violations of HIPAA and HITECH in 2021, representing a 25 percent increase from 2020. OCR resolved 78 percent of those complaints without an investigation.

Despite the increase in overall complaints, just 13 complaints resulted in resolution agreements and corrective action plans (CAPs). OCR issued a total of $815,150 in monetary settlements.

High-profile resolution agreements included a $200,000 settlement with Banner Health to resolve potential HIPAA right of access violations and a $5.1 million settlement with Excellus Health Plan to resolve potential HIPAA Privacy and Security Rule violations.

OCR also engaged in a variety of outreach activities in 2021 to educate the public and covered entities to address common compliance gaps. In 2021, OCR conducted 218 outreach events for covered entities and other industry stakeholders.

Covered entities and business associates can leverage OCR’s report to identify common compliance deficiencies and strengthen their own compliance programs.

OCR’s 2021 Report to Congress on Breaches of Unsecured Protected Health Information

OCR’s 2021 Report to Congress on Breaches of Unsecured Protected Health Information provides a detailed account of the number and nature of healthcare data breaches reported to the HHS Secretary in 2021.

OCR received 609 notices of breaches that impacted more than 500 individuals, representing a 7 percent decrease from 2020. Still, more than 37 million individuals were impacted by these breaches in 2021. In addition, OCR received more than 63,000 notices of breaches that impacted fewer than 500 individuals.

Hacking remained the most common breach type in 2021, making up 75 percent of all reported breaches. OCR resolved two breach investigations with monetary payments totaling $5,125,000. Nearly three-quarters of the breaches reported to OCR in 2021 impacted healthcare providers.

“There is a continued need for regulated entities to improve compliance with the HIPAA Rules. In particular, the Security Rule standards and implementation specifications of risk analysis, risk management, information system activity review, audit controls, and access control were areas identified as needing improvement in 2021 OCR breach investigations,” the report noted.

Based on its 2021 findings, OCR recommended that covered entities and business associates focus on key areas of improvement, including risk management, information system activity review, and compliance with the Security Rule’s Audit Controls Standard and Access Control Standard.