HIPAA Annual Report to Congress

System AdministratorTue, 07 Mar 2023 16:00:00 GMT 0

The HHS Office for Civil Rights (OCR) has prepared its Annual Report to Congress on HIPAA, Privacy, Security, and Breach Notification Rule Compliance. This report reflects reporting, complaints, and actions in the 2021 calendar year. In this article, we present key highlights of the report.
 

Complaint Statistics

New HIPAA Complaints

34,077

Total complaints alleging violations of the HIPAA Rules

25% increase over 2020

39% increase from 2017 to 2021

Carried Over Complaints

2,814

Open complaints carried over from 2020

Breakdown by Complaint Resolution

26,420

 Total complaints resolved

20,611

78% resolved before initiating an investigation. Examples of this type would include alleged violations by an entity not covered by HIPAA, conduct that did not violate HIPAA Rules, or untimely reporting.

4,169

16% resolved by providing technical assistance in lieu of an investigation (pre-investigational technical assistance)

718

3% Covered Entity or Business Associate took corrective action

89

1% OCR provided technical assistance after initiating an investigation (post-investigated technical assistance).

13

Resolved via Resolution Agreements and Corrective Action Plans and monetary settlements totaling $815,150.

2

Resolved with civil monetary penalties totaling $150,000.


 

Breach Statistics

Under 500 Breach Reports

65,571

4% decrease from 2020

500+ Breach Reports

609

7% decrease from 2020


 

Compliance Review Statistics

Compliance Reviews Initiated

674

Reviews to investigate allegations of violations of HIPAA rules that arose from breaches (not complaints). Heavy focus (90%) on breach reports affecting 500 or more individuals.

Compliance Reviews Resolved

573

The vast majority of reviews were resolved with the entity taking corrective actions due to OCR involvement during the course of the investigation to come into compliance, agreeing to a settlement with a corrective action plan, or the imposition of a Civil Monetary Penalties (CMP).


Of the completed compliance reviews, two cases were resolved with resolution agreements, CAPs, and monetary settlements totaling $5,125,000. What did these settlements look like?

In the most egregious case, OCR investigated the Excellus Health Plan after it filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology systems. Hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the PHI of more than 9.3 million individuals. OCR’s investigation found potential violations of the HIPAA Rules, including failure to conduct an enterprise-wide risk analysis and failures to implement risk management, information system activity review, and access controls. OCR considers these elements of HIPAA compliance foundational, thus applying a $5,150,000 penalty in addition to the Corrective Action Plan.
 

OCR Funding Constraints

Notably, the OCR did not perform any audits in 2021 due to a lack of financial resources. In April 2019, the maximum annual cap for three of the four penalty tiers was reduced (as it was determined this reflected a better reading of the HITECH Act). In the 2021 Annual Report, OCR requested that the HITECH civil monetary penalty caps be increased for 2023, but this update is pending at this time. These factors combined to cause strains on OCR’s limited staff and resources. This lack of necessary funding currently limits OCR’s HIPAA enforcement activities, and they have argued that it is critical to regaining resources during a time of substantial growth in cybersecurity attacks on the healthcare sector.
 

What is Relevant for Employers Today?

While the focus continues to be large health systems and commercial health plans, it is important that employers not rest on their laurels with regard to HIPAA Privacy and Security compliance. Despite acknowledged funding constraints, OCR has stated its intention to continue enforcement efforts in its mission to make sure that participant PHI is secure in the environment of heightened security risks.

Employers should confirm the following elements are in place for their group health plan:

  • Written HIPAA Privacy and Security policies and procedures in place
  • Training for all employees with access to PHI
  • Processes, procedures, and security systems are in place to protect participants' PHI
  • Business Associate Agreements are in place for all vendors with whom PHI is shared
 

Reference

The full 25-page HIPAA Annual Report to Congress can be found here.
 

Need Help Getting HIPAA Compliance in Order?

Vita will be hosting a webinar titled “HIPAA Privacy and Security Compliance: Your 20-Year Checkup” on March 15, 2023. The session will focus on the key compliance elements for employer health plans so that you can leave empowered with an action plan to get compliant. Sign-up here.

Post a comment

The Vita Blog

Options

Blog Home Feed

Tags

Archive

March 2023 2 February 2023 7 January 2023 4 November 2022 1 October 2022 5 September 2022 3 August 2022 5 July 2022 1 June 2022 2 May 2022 4 April 2022 1 March 2022 3 February 2022 3 January 2022 2 December 2021 1 November 2021 3 October 2021 1 September 2021 1 August 2021 3 July 2021 2 June 2021 2 May 2021 5 April 2021 2 March 2021 7 February 2021 2 January 2021 1 December 2020 8 November 2020 6 October 2020 3 September 2020 2 August 2020 2 July 2020 2 June 2020 4 May 2020 2 April 2020 3 March 2020 5 February 2020 2 January 2020 1 December 2019 6 November 2019 2 October 2019 3 September 2019 1 August 2019 2 July 2019 2 June 2019 4 April 2019 1 March 2019 4 February 2019 1 January 2019 1 December 2018 2 November 2018 4 October 2018 4 August 2018 3 July 2018 1 May 2018 2 April 2018 4 March 2018 6 February 2018 8 January 2018 13