Office for Civil Rights brings 2 reports to Congress regarding state of HIPAA compliance and cybersecurity

On Friday, the Office for Civil Rights (OCR) delivered two reports to Congress regarding Health Insurance Portability and Accountability Act (HIPAA) compliance and breaches of unsecured health information.

The reports revealed (PDF) that between 2017 and 2021, complaints about HIPAA violations increased 39% and reported large breaches increased 58%. OCR received (PDF) 609 notifications of events affecting 500 or more individuals, reaching approximately 37.2 million individuals in total. Reported breaches affecting fewer than 500 individuals affected a total of only 319,215 individuals.

“The healthcare industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA Rules to support greater privacy and security of individuals’ protected health information,” said OCR Director Melanie Fontes Rainer in a press release. “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”

The U.S. Department of Health and Human Services’ OCR is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to deliver the reports to Congress annually. The reports are shared so that regulated entities can improve their ability to protect health information.

The report to Congress on privacy and security rule compliance seeks to assess industry compliance with HIPAA. The report to Congress on breaches details the number and nature of breaches jeopardizing protected health information, and how they were responded to.

Along with the number of HIPAA violations, the annual compliance report must also describe how each violation was resolved and the number of cases that resulted in penalties. Organizations were required to take corrective action or pay civil penalties in 83% of cases.

Complaint investigations involved 13 organizations including Banner Health and Renown Health.

Banner agreed to pay $200,000 and take corrective action after two complaints against the 30-hospital health system alleged that they failed to provide patients with their medical records in a timely manner. The health system also paid $1.25 million after a 2016 hacking incident exposed the protected health information of 3 million people.

Renown shelled out $75,000 after it also allegedly violated the HIPAA right of access standard after a patient requested their records be sent to a third party.

OCR was not able to perform any audits in 2021 “due to a lack of financial resources.” The report also reflected that the office requested that monetary penalty caps related to the HITECH Act be increased in the 2023 fiscal year.

“These factors have combined to cause a severe strain on OCR’s limited staff and resources,” the report said. “This lack of necessary funding limits OCR’s HIPAA enforcement activities during a time of substantial growth in cybersecurity attacks to the health care sector.”

The annual report to Congress on breaches of unsecured protected health information also described OCR’s responses to the relevant incidents. OCR reported that the most common form of breach was hacking, and that the largest attack of this kind affected 3.2 million people.

The office initiated investigations into all 609 protected health information breaches that affected 500 or more individuals and into 22 breaches that affected fewer than 500 people. Two breach investigations, involving Excellus Health Plan and Peachstate Health Management-owned AEON Clinical Laboratories, led to monetary payments totaling $5.1 million.

Excellus agreed to pay $5.1 million and implement a corrective action plan addressing the company’s “failure to conduct an accurate and thorough risk analysis” and failure to implement risk management tools. The investigation took place after Excellus reported a cybersecurity incident to OCR where hackers installed malware and snatched 9.3 million individuals’ protected health information.