In the United States, healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities are required to comply with the standards of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules.
The HIPAA Security Rule calls for HIPAA-regulated entities to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) and to identify risks and vulnerabilities to ePHI and reduce them to a low and acceptable level. The Privacy Rule sets standards concerning PHI, including limiting uses and disclosures of PHI, and the Breach Notification Rule requires individuals and the HHS to be advised of any breaches of PHI.
HIPAA compliance is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR), which investigates complaints about potential HIPAA violations, security incidents, and data breaches at HIPAA-regulated entities.
OCR has recently published its annual report to Congress on breaches of unsecured protected health information and HIPAA Privacy, Security, and Breach Notification Rule compliance for the calendar year 2020, a requirement of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The report shows that in 2020 there was a 4% decline in reports of alleged violations of the HIPAA Rules compared to 2019, with 27,182 new complaints received in 2020. OCR said it conducted 566 compliance reviews in 2020, and in 86% of those cases corrective action was required. Eight cases were resolved with resolution agreements/corrective action plans and monetary payments totaling $13,017,400.
There was a 61% increase in reported breaches of 500 or more records – compared to a 35% increase the previous year – and a 6% increase in breaches of under 500 records – compared to a 0.5% decrease the previous year. The increase in data breaches was largely due to an increase in hacking/IT incidents at HIPAA-regulated entities.
In light of the increase in cyberattacks on the healthcare industry, OCR Director Lisa J. Pino has called for HIPAA-regulated entities to take steps to improve their cybersecurity posture in 2022. In a recent blog post, Pino explained that the healthcare industry has had a turbulent year as a result of cybercriminals taking advantage of the COVID-19 pandemic and of vulnerabilities such as the Log4Shell vulnerability in the Java-based logging software Log4j.
Pino explained that OCR investigations have revealed common areas of non-compliance with the HIPAA Security Rule related to risk analysis, risk management, access controls, and security awareness training. One common area of non-compliance is the failure to conduct an organization-wide risk analysis. Instead, many healthcare organizations only conduct a risk analysis on electronic health records, and so fail to manage all risks and vulnerabilities to ePHI and reduce them to a low and acceptable level.
“Risk management strategies need to be comprehensive in scope. You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network,” explained Pino.
Pino recommended reviewing risk management policies and procedures and ensuring cybersecurity best practices are followed such as regularly backing up data and testing backups, patching promptly, conducting regular vulnerability scans, and training the workforce on how to recognize phishing and other threats.
Pino also explained at the 31st annual HIPAA Summit that OCR is continuing to enforce compliance with the HIPAA Rules. Organizations that are found not to be in compliance can face severe financial penalties.