HIPAA Annual Report to Congress

The HHS Office for Civil Rights (OCR) has prepared its Annual Report to Congress on HIPAA, Privacy, Security, and Breach Notification Rule Compliance. This report reflects reporting, complaints, and actions in the 2021 calendar year. In this article, we present key highlights of the report.

Complaint Statistics

New HIPAA Complaints


Total complaints alleging violations of the HIPAA Rules

25% increase over 2020

39% increase from 2017 to 2021

Carried Over Complaints


Open complaints carried over from 2020

Breakdown by Complaint Resolution


 Total complaints resolved


78% were resolved before an investigation was initiated, for example because the alleged violation was by an entity not covered by HIPAA, the conduct described did not violate the HIPAA Rules, or the complaint was not filed in a timely manner.


16% resolved by providing technical assistance in lieu of an investigation (pre-investigational technical assistance)


3% resolved after the covered entity or business associate took corrective action


1% resolved by OCR providing technical assistance after initiating an investigation (post-investigational technical assistance)


Resolved via Resolution Agreements and Corrective Action Plans and monetary settlements totaling $815,150.


Resolved with civil monetary penalties totaling $150,000.


Breach Statistics

Under 500 Breach Reports


4% decrease from 2020

500+ Breach Reports


7% decrease from 2020


Compliance Review Statistics

Compliance Reviews Initiated


Reviews to investigate allegations of violations of HIPAA rules that arose from breaches (not complaints). Heavy focus (90%) on breach reports affecting 500 or more individuals.

Compliance Reviews Resolved


The vast majority of reviews were resolved with the entity coming into compliance by taking corrective action during the course of the investigation, by agreeing to a settlement with a corrective action plan, or through the imposition of civil monetary penalties (CMPs).

Of the completed compliance reviews, two cases were resolved with resolution agreements, corrective action plans (CAPs), and monetary settlements totaling $5,125,000. What did these settlements look like?

In the larger of the two cases, OCR investigated Excellus Health Plan after it filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology systems. The attackers installed malware and conducted reconnaissance that ultimately resulted in the impermissible disclosure of the PHI of more than 9.3 million individuals. OCR's investigation found potential violations of the HIPAA Rules, including failure to conduct an enterprise-wide risk analysis and failures to implement risk management, information system activity review, and access controls. OCR considers these elements foundational to Security Rule compliance; Excellus agreed to a $5,100,000 settlement in addition to a Corrective Action Plan.

OCR Funding Constraints

Notably, OCR did not perform any audits in 2021 due to a lack of financial resources. In April 2019, the maximum annual cap for three of the four penalty tiers was reduced, as HHS determined this reflected a better reading of the HITECH Act. In the 2021 Annual Report, OCR requested that the HITECH civil monetary penalty caps be increased for 2023, but that change is still pending. These factors combined to strain OCR's limited staff and resources. The lack of funding currently limits OCR's HIPAA enforcement activities, and OCR has argued that restoring those resources is critical at a time of substantial growth in cybersecurity attacks on the healthcare sector.

What is Relevant for Employers Today?

While OCR's enforcement focus continues to be large health systems and commercial health plans, employers should not rest on their laurels with regard to HIPAA Privacy and Security compliance for their group health plans. Despite acknowledged funding constraints, OCR has stated its intention to continue enforcement in its mission to ensure that participant PHI is secure in an environment of heightened security risk.

Employers should confirm the following elements are in place for their group health plan:

  • Written HIPAA Privacy and Security policies and procedures in place
  • A documented, plan-wide security risk analysis and risk management plan (the elements OCR treated as foundational in the Excellus case)
  • Training for all employees with access to PHI
  • Processes, procedures, and security systems in place to protect participants' PHI, including access controls and review of system activity
  • Business Associate Agreements in place for all vendors with whom PHI is shared


The full 25-page HIPAA Annual Report to Congress can be found here.

Need Help Getting HIPAA Compliance in Order?

Vita will be hosting a webinar titled “HIPAA Privacy and Security Compliance: Your 20-Year Checkup” on March 15, 2023. The session will focus on the key compliance elements for employer health plans so that you can leave empowered with an action plan to get compliant. Sign-up here.
