In February 2023, the HHS Office for Civil Rights released two reports to Congress, one of which discusses HIPAA complaints (HIPAA Privacy, Security, and Breach Notification Rule Compliance) and the other discussing healthcare breaches (Breaches of Unsecured Protected Health Information).
Each of these reports examines 2021, reviewing patient complaints and healthcare breaches. Ultimately, these reports point to the need for increased enforcement of HIPAA compliance.
OCR also issued a press release in late February 2023 to further this point.
Patient Complaints Continue to Rise
In 2021, 34,077 patient complaints were filed with OCR, beating the last four years. Although, some of these complaints were carried over from 2020 (at least 3,814).
In most cases, OCR opted to provide technical assistance to the organization before a compliance investigation was launched or found that the HIPAA rules and regulations did not apply to the organization in question.
However, 746 patient complaints resulted in compliance reviews in 2021. There were also 1,620 investigations closed that year. Forty-four percent of investigations ended in the need for corrective action, while the rest found insufficient evidence that a HIPAA violation occurred.
The Ebb and Flow of Breaches
While the number of breaches of less than 500 remained relatively consistent during the five years analyzed in this report, breaches affecting more than 500 have fluctuated over time.
In 2021, there were 63,571 breaches affecting fewer than 500 individuals reported to OCR. While that’s technically down from 2020, it’s only by a small margin. 2020 saw a record number of breaches, with 66,509 incidents reported.
There were an additional 609 breaches that affected 500 or more patients. This dropped from 2020, which saw 47 more breaches, but this still represents more than double the breaches reported in 2018.
All 609 breaches of 500 or more records resulted in a compliance review by OCR, as well as 22 of the incidents affecting fewer than 500. Another 43 healthcare organizations were investigated in 2021 as the result of multiple complaints issued against them.
What Happened to HIPAA Audits?
The HITECH Act dictates that HHS perform periodic audits of healthcare organizations to assess their compliance with HIPAA law. However, no such investigation has occurred since 2018.
Although the 2019 and 2020 reports to Congress mentioned preparations for criteria for implementing future audits, the 2021 report mentioned that it is still under development.
Unlike previous years, both reports noted that “OCR did not initiate any audits in 2021 due to a lack of financial resources.”
Keeping Up with Growing Need for OCR Enforcement
Although the OCR has suffered from a lack of resources in recent years, which resulted in less enforcement action, the investigations aren’t going away. If anything, the increase in patient complaints and healthcare breaches has pointed to the need to ramp up enforcement efforts.
OCR agrees.
In a press release published on February 27, 2023, OCR, announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division.
OCR Director Melanie Fontes Rainer stated, “OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022– an increase of 69 percent between 2017 and 2022 – with 27 percent alleged violations of civil rights, 7 percent alleged violations of conscience/religious freedom, and 66 percent alleged violations of health information privacy and security laws.”
“Breaches of unsecured protected health information (PHI), including electronic PHI, reported to OCR affecting 500 or more individuals (large breaches) increased from 663 large breaches in 2020 to 714 large breaches in 2021. This trend is continuing and to date, hacking accounts for 80 percent of the large breaches OCR has received.”
“Today’s reorganization improves OCR’s ability to effectively respond to complaints, puts OCR in line with its peers’ structure and moves OCR into the future. This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing.”
OCR will rename the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to reflect their work and role in cybersecurity. HIPDC will continue to meet the growing demands to address health information privacy and cyber security concerns, stated the HHS release.
