HIPAA Reports Released
The HHS Office for Civil Rights (OCR) recently released two reports for Congressional review. These reports address HIPAA breaches and complaints reported to OCR during the 2020 calendar year as well as the enforcement actions taken by OCR in response to those reports.
How Does This Apply to Employee Benefits?
As a reminder, all group health plans are subject to the HIPAA Privacy and Security rules as well as breach notification requirements. These reports provide a useful synopsis of enforcement activity and offer some additional insights, including the reminder that OCR opens compliance reviews for all breaches affecting 500 or more individuals. The breach notification report includes a helpful list of the most common post-breach remedial actions taken to mitigate harm and prevent potential future breaches (summarized at the end of this article). Covered Entities should take note of the trends identified in these reports and examine their own compliance in light of these developments.
Compliance Report Highlights
Report Contents: This report provides an overview of HIPAA’s privacy, security, and breach notification rules, followed by a more detailed discussion of OCR’s enforcement process and a summary of 2020 complaints and compliance reviews.
No Penalties: OCR did not assess any civil monetary penalties or initiate any audits in 2020.
Top Violations: The breach report contains useful information regarding the most commonly reported categories of breaches. The top five violations alleged in complaints resolved by OCR involved:
Complaint Resolution: Technical assistance or corrective action resolved 59% of the complaints. Of the compliance reviews opened in 2020, 88% resulted from large breach notifications, and 2% resulted from small breach notifications. The remaining compliance reviews stemmed from incidents brought to OCR’s attention by other means, including media reports.
Resolution Agreements: An appendix includes a summary of the 11 resolution agreements reached following the compliance investigations. While the facts of the cases vary, there were commonalities in compliance issues identified and in the requirements of resolution agreements. Many of the resolution agreements required the covered entities to conduct enterprise-wide risk analysis and develop and implement risk management. The development of right of access policies and workforce training regarding those policies was another recurring requirement. Risk analysis and management and the right of access have been areas of focus for OCR for several years, and this report makes clear that both remain high on OCR’s list of enforcement priorities.
Breach Notification Report Highlights
Overview: This report begins with an overview of the notification requirements for covered entities and business associates following discovery of a breach of unsecured PHI.
Breach Notifications Received: The OCR reports that they received 656 large breach notifications (affecting 500 or more individuals), 66,509 notifications of breaches affecting fewer than 500 individuals, and 27,182 complaints alleging violations of HIPAA and the HITECH Act. The number of “500+” breaches increased by 61% from the number received in 2019, and those 656 breaches affected over 37 million individuals. In addition, 66,509 small breach notifications were received, affecting more than 312,000 individuals.
Source of Breaches: Breaches at health plans and business associates represented 23% of large breach reports. Following is a summary of the breach source areas:
68% of the “500+” breaches involved hacking/IT incidents of electronic equipment or a network server (which involved use of malware, ransomware, phishing, and posting PHI on public websites)
23% involved unauthorized access or disclosure of records containing PHI
5% involved thefts of electronic equipment/devices
2% involved loss of electronic media or paper records (2%)
2% involved improper disposal of protected health information
OCR Recommendations: The report concludes with a summary of security standards and implementation specifications that, based on investigations, need improvement. The OCR urged covered entities to focus on the following areas:
Risk analysis and risk management processes
Information system activity reviews
Security awareness and training
Links to OCR Reports
Breach Notification Report