OCR’s HIPAA Compliance and Data Breaches Annual Report

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has submitted its annual reports to Congress on compliance with the HIPAA Privacy, Security, and Breach Notification Rules and on breaches of unsecured protected health information (PHI) for calendar year 2022.

HIPAA Compliance in 2022

OCR reports that large data breaches increased by 107% from 2018 to 2022, and that complaints about possible HIPAA violations grew by 17% over the same period. OCR must now also consider whether an entity had recognized security practices in place when determining penalties. OCR's workload has therefore grown substantially, but OCR has not been given additional funding. In 2019, OCR also reinterpreted the penalty provisions of the HITECH Act and lowered the annual penalty caps in three of the four penalty tiers, which reduced the amounts it can collect. The increased workload combined with the reduced penalty caps has put significant strain on OCR's small team and budget. Insufficient resources are limiting its ability to investigate complaints and data breaches at a time when cyberattacks on the healthcare sector are rising sharply. The HITECH Act requires OCR to conduct periodic audits to assess HIPAA compliance, but no audits were conducted in 2022 because of a lack of funding.

Overview of HIPAA Issues

In 2022, complaints fell by 11% year over year, while compliance reviews increased by less than 1%. OCR received 30,435 new complaints alleging violations of the HIPAA Rules and the HITECH Act, and 11,465 complaints carried over unresolved from prior years. 32,250 complaints were resolved before an investigation was opened. 2,882 complaints were resolved through technical assistance and 560 through voluntary corrective action. In 686 complaints, insufficient evidence of a HIPAA violation was found. 15 complaints were investigated and closed with OCR providing technical assistance. 17 complaints were resolved through resolution agreements involving corrective action plans and financial settlements totaling $802,500, and one complaint resulted in a $100,000 civil monetary penalty.

OCR opened 676 compliance reviews and closed 846, of which 674 (80%) required corrective action or payment of a civil monetary penalty. Three compliance reviews were resolved through settlement agreements with payments totaling $2,425,640. The remaining 172 (20%) were closed with technical assistance (4%), because insufficient evidence of a HIPAA Rules violation was found (11%), or because OCR lacked jurisdiction to investigate the allegations (5%). OCR's HIPAA compliance report to Congress is available as a PDF.

Healthcare Data Breaches in Calendar Year 2022

In 2022, OCR received 626 reports of breaches affecting 500 or more individuals, a 3% increase from 2021. Across those incidents, the PHI of 41,747,613 individuals was compromised, and hacking was the leading cause. OCR also received 63,966 reports of breaches affecting fewer than 500 individuals, which affected 257,105 people in total; these small breaches increased by 1% from 2021.

OCR investigated all of the large data breaches and two of the small breaches, and conducted 799 breach investigations in 2022. Investigations that identified potential HIPAA violations were resolved through technical assistance, voluntary compliance, corrective action plans (CAPs), and financial settlements. In 2022, OCR closed three investigations with financial settlements and CAPs (New England Dermatology & Laser Center, Banner Health, and Oklahoma State University Center for Health Sciences), collecting $2,425,640 in total.

OCR reports that 74% of the large breaches were hacking/IT incidents, affecting 32,255,597 individuals, with the breached data most often located on network servers. 22% of breaches were unauthorized access/disclosure incidents, and fewer than 1% were due to theft, loss, or improper disposal of PHI. Small breaches were predominantly (93%) unauthorized access/disclosure incidents, most often involving paper records; 4% were due to loss, 1% were hacking/IT incidents, and fewer than 1% were improper disposal incidents.

The largest healthcare data breach of 2022 was a ransomware attack on a healthcare organization that affected 3,388,856 people. Ransomware attacks were common in 2022, as were phishing, other malware, and the exposure of PHI on public-facing websites. The largest unauthorized access/disclosure incident occurred when a healthcare organization used tracking technologies on its website, impermissibly disclosing the PHI of 3 million people to technology vendors.

Theft and loss incidents continue to decline as a result of encryption: the loss or theft of properly encrypted PHI is not a breach of unsecured PHI and does not trigger breach notification. The largest theft incident involved 149,940 paper records stolen from a storage facility used by a healthcare organization. The largest loss incident involved the destruction of 2,500 records by a burst pipe. The largest improper disposal incident involved the records of 7,500 people, which were thrown into an ordinary dumpster instead of being shredded.

OCR's investigations confirmed the continuing need for HIPAA-regulated entities to improve compliance, particularly with the Security Rule requirements for risk analysis, risk management, audit controls, response and reporting, information system activity review, and person or entity authentication.

The corrective actions most commonly taken in response to data breaches include:

  • Implementing multi-factor authentication
  • Updating policies and procedures
  • Training or retraining workforce members who handle PHI
  • Offering free credit monitoring and identity theft protection services to affected individuals
  • Implementing encryption
  • Sanctioning workforce members
  • Changing passwords
  • Conducting a new risk analysis
  • Revising business associate agreements

OCR's annual report to Congress on breaches of unsecured PHI is also available as a PDF.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA trainer and contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA