HHS Delivers Reports to Congress on HIPAA Compliance, Enforcement

February 26, 2024 - The HHS Office for Civil Rights (OCR) delivered two reports to Congress on HIPAA compliance and enforcement efforts logged by the department during the 2022 calendar year. HHS is required to submit these reports to Congress each year under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

“OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said OCR Director Melanie Fontes Rainer.

“Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”

The contents of each report can help covered entities and business associates improve their own HIPAA compliance efforts by understanding OCR’s processes for investigating complaints and conducting compliance reviews.

OCR’S 2022 REPORT TO CONGRESS ON HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULE COMPLIANCE

OCR received more than 30,000 new complaints alleging HIPAA violations in 2022, and resolved more than 32,000 cases in the 2022 calendar year. OCR also completed 846 compliance reviews and required entities to take corrective actions or pay a monetary penalty in 80 percent of those investigations.

READ MORE: HHS Delivers 2 Reports to Congress On Healthcare Data Breaches, HIPAA Compliance

OCR has seen a 17 percent increase in HIPAA complaints received from 2018 to 2022 and a 107 percent increase in large breaches reported in that timeframe. The increased complaint volume has naturally placed a strain on OCR. But other factors have contributed to this strain as well, the report noted.

For example, in April 2019, HHS issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties, which significantly reduced the maximum annual cap for three of the four penalty tiers. With this limit in place, OCR is unable to obtain the funds that it needs to continue its enforcement activities at full capacity.

Additionally, HHS pointed to the implementation of the 2021 HITECH Amendment on recognized security practices (RSPs) as an additional hurdle. The amendment requires OCR to consider whether a covered entity has “adequately demonstrated that it had, for not less than the previous twelve months, recognized security practices in place.”

The measure was meant to incentivize covered entities to implement cybersecurity best practices, especially since OCR said it would consider the implementation of RSPs as a “mitigating factor” in HIPAA Security Rule investigations and audits. However, the latest report shows that OCR is facing challenges in regard to these recent regulatory changes.

“These efforts have significantly increased OCR’s workload and the length of time to complete HIPAA Security Rule investigations,” the report stated.

READ MORE: HHS Unveils Healthcare Cybersecurity Strategy

“These factors have combined to cause a severe strain on OCR’s limited staff and resources. This lack of necessary funding limits OCR’s HIPAA enforcement activities during a time of substantial growth in cybersecurity attacks to the health care sector.”

OCR successfully conducted 124 outreach events for HIPAA covered entities and stakeholders, issued new guidance, and completed more than 1,200 complaint investigations in 2022. However, a lack of financial resources prevented OCR from conducting any audits that year.

Overall, the report to Congress highlighted OCR’s efforts to make the most of the resources they have as breach and complaint volumes continue to skyrocket.

OCR’S 2022 REPORT TO CONGRESS ON BREACHES OF UNSECURED PROTECTED HEALTH INFORMATION

Just like in previous years, hacking and IT incidents remained the largest category of breaches in 2022, making up 77 percent of reported breaches. What’s more, network servers remained the largest category by location for breaches impacting 500 or more individuals, comprising 58 percent of reported large breaches.

OCR initiated investigations into all 626 large breaches reported in 2022 and brought in more than $2.4 million via three breach investigation resolution agreements.

READ MORE: How HHS Cybersecurity Performance Goals Will Impact Healthcare

OCR stressed the importance of bolstering HIPAA compliance across the sector based on its 2022 findings.

“There is a continued need for regulated entities to improve compliance with the HIPAA Rules,” the report stated. “In particular, the Security Rule standards and implementation specifications of risk analysis, risk management, information system activity review, audit controls, response and reporting, and person or entity authentication were areas identified as needing improvement in 2022 OCR breach investigations.”

The breach reports that OCR received revealed common vulnerabilities and deficiencies. OCR was able to identify several areas of improvement for the sector tied to specific HIPAA Security Rule standards.

OCR suggested that covered entities focus on improving compliance with the security management process standard, the audit controls standard, and response and reporting requirements. Covered entities can these findings to inform future compliance efforts.