Reading Between the Lines of HHS’ Reports to Congress for CY2021


By Rodney King

On February 17, 2023, HHS-OCR (Health and Human Services, Office for Civil Rights) publicly released a pair of reports, HIPAA Privacy, Security, and Breach Notification Rule Compliance and Breaches of Unsecured Protected Health Information. Think of these reports as their version of “what we did in 2021.”

Collectively, the reports total 51 pages of data, with a few pie charts and tables thrown in for good measure. Because compliance professionals like yourself are busy, we’ll examine what was reported, what we can infer from these actions, and speculate on what might be coming.

The Ups and Downs of Breaches

The number of breaches affecting fewer than 500 individuals has remained remarkably consistent during the five years covered in this report. In 2021, OCR received 63,571 reports of breaches affecting fewer than 500 individuals. That’s down from the all-time high of 66,509 in 2020 but only 5.4 percent more than 2017’s low mark of 60,322.

It’s a different story when discussing breaches involving the protected health information (PHI) of 500 or more individuals. At least 609 large-scale breaches were logged in 2021, a drop of 47 from 2020’s “breachapalooza,” but that still represents more than double the breaches reported in 2018.

All 609 breaches of 500 or more records resulted in a compliance review by OCR, as did 22 of those affecting fewer than 500. Multiple complaints against a practice or business associate, media reports, and other sources resulted in 43 additional compliance reviews in 2021.

Complain, Complain, Complain…

Patients filed 34,077 complaints in 2021, more than in any of the previous four years. At least 3,814 open complaints carried over from 2020. Most complaints were resolved before an investigation was opened, for reasons such as the inapplicability of HIPAA rules or the provision of technical assistance in lieu of investigating the complainee.

OCR identified 746 complaints that merited a compliance review in 2021 and closed 1,620 investigations. Half of the investigations found insufficient evidence that a violation of HIPAA rules had occurred, but 44 percent triggered a need for corrective action.

The Cost of Non-Compliance

Complaints and complaint investigations in 2021 led to 13 resolution agreements and/or CAPs (Corrective Action Plans), with monetary settlements totaling $815,150 and two CMPs (Civil Monetary Penalties) totaling $150,000. Most of these resulted from violations of patients’ HIPAA Right of Access to their medical records, which highlights OCR’s ongoing emphasis on responding to violations of this sort.

The agency closed 573 compliance reviews in 2021, with 83 percent leading to corrective action or a CMP. Two cases resulted in resolution agreements, CAPs, and a combined $5,125,000 in monetary settlements.

Where Were the Audits?

Although Section 13411 of the HITECH Act requires HHS to perform periodic audits of covered entity and business associate compliance with the HIPAA Rule, 2021 marked the third year in a row with no auditing performed. The agency completed Phase I audits in 2012 and Phase II audits in 2018. The calendar year 2019 and 2020 reports to Congress mentioned preparations for and/or development of the criteria for implementing future audits.

The latest report also stated that criteria for future audits were still being developed. Unlike previous years, both reports noted that, “OCR did not initiate any audits in 2021 due to a lack of financial resources.”


Here are a few insights we’ve gleaned from these two reports:

  • Patients are complaining to HHS more, but it’s not necessarily translating into more investigations. Perhaps those complaining don’t understand the requirements of the law, or perhaps practices and business associates are tracking their HIPAA compliance more closely. It’s also possible that limited resources at OCR could be a contributing factor.
  • A large-scale breach (500 or more) will definitely put you in the OCR’s crosshairs. Every large-scale breach in calendar year 2021 resulted in a compliance review by OCR. When you consider that 83 percent of closed compliance reviews resulted in some type of corrective action, that’s a list you don’t want to be on.
  • Small-scale breaches mean a smaller chance of problems. Only 22 compliance reviews resulted from the 63,571 breaches affecting fewer than 500 individuals reported in 2021. That calculates to less than three-one-hundredths of a percent of the cases. OCR did not provide details on how they selected those 22 cases for review, so we are left to speculate on whether all small-scale breaches were reviewed or if a more random selection process was employed.

What’s Next?

The Breach Report to Congress listed the following areas of vulnerability identified during the 2021 investigations that need improvement:

  • Security Management Process Standard. Specifically, the report highlighted the need for organizations to conduct effective HIPAA Security Risk Analysis processes, improve Risk Management Activities, and develop and implement proactive information system activity review processes to aid in early detection of malicious activity.
  • Audit Controls Standard. To detect and stop unauthorized access of patient ePHI (electronic protected health information), organizations need robust audit controls. Early detection can help stop an intrusion before it causes serious harm. Some regulated entities don’t have audit mechanisms in place, or apply them to only a narrow subset of the systems that contain or use ePHI.
  • Access Control Standard. OCR found non-compliance with the access control standard, which led to breaches of ePHI. Examples of ineffectively implemented access controls discovered by OCR led to escalated privileges, unimpeded lateral movement to systems and networks within an organization, and deployment of malicious software.

It’s reasonable to think that these areas, as well as patient right of access violations, will continue to be a focus of future OCR investigations.

The mention in both reports of the lack of money to conduct audits in 2021 may give further hints at what’s to come. As recently as September 2021, OCR asked Congress to increase the HITECH Act civil monetary penalty caps in the wake of a 2019 agency decision to reduce the annual civil monetary penalty caps for three of the four HIPAA violation tiers.

Given the moves last year to add tax agents to the IRS, coupled with the White House’s desire to see HIPAA protections strengthened in the wake of the Dobbs decision last year, the options are wide open. The upcoming elections in 2024 may limit the opportunity for possible action. Until then, use the information in both reports to learn from the mistakes of others.

Rodney King of Compliancy Group has experience as a journalist, a communications specialist for two government agencies, and a private sector analyst covering Regulatory Compliance.