The advice is loud and clear. HIPAA regulators have published two annual reports summarizing the state of HIPAA compliance and healthcare data breaches, with guidance for regulated entities on how to do better. The Office for Civil Rights (OCR) delivered the reports to Congress on February 17, 2023. The reports detail compliance, breaches and investigations during 2021.
Priorities Recommended by OCR
The key focus areas OCR recommends for covered entities and business associates include:
- risk analysis and risk management;
- information system activity review;
- audit controls; and
- access controls.
HIPAA Privacy, Security and Breach Notification Rule Compliance
The 2021 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the number of complaints received, the method by which those complaints were resolved, the number of compliance reviews initiated by OCR, and the outcome of each review.
OCR received more than 34,000 complaints regarding alleged violations of HIPAA in 2021, a 25 percent increase over 2020. OCR resolved 78 percent of those complaints without an investigation.
The report details the thirteen resolution agreements OCR entered during 2021, ranging from sole practitioners to large health plans. Two examples include:
- Excellus Health Plan agreed to pay $5,100,000 and take corrective action to resolve potential violations of the HIPAA Privacy and Security Rules. Excellus is a New York health services corporation that provides health insurance coverage to over 1.5 million people in Upstate and Western New York.
- OCR imposed a civil money penalty of $100,000 against the Office of Dr. Robert Glaser for violations of the HIPAA Privacy Rule’s right of access provision. Dr. Glaser is a solo practitioner based in New Hyde Park, New York, specializing in cardiovascular diseases and disorders.
Breaches of Unsecured Protected Health Information
The Annual Report to Congress on Breaches of Unsecured Protected Health Information identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the Secretary of HHS during calendar year 2021 and the actions taken in response to those breaches.
OCR received 609 breach notices that impacted more than 500 individuals, a 7 percent decrease from 2020. Although large breach incidents were fewer in number, a whopping 37 million individuals were affected by these breaches. OCR also received more than 63,000 notices of breaches that affected fewer than 500 individuals.
Hacking continued to be the most common breach type, comprising 75 percent of all reported breaches. OCR resolved two breach investigations with monetary payments totaling $5,125,000. Nearly three-quarters of the breaches reported to OCR in 2021 impacted healthcare providers.
To prevent breaches, OCR notes that regulated entities can improve compliance with the HIPAA Security Rule requirements by focusing on: risk analysis and risk management; information system activity review; audit controls; and access controls.
Help with HIPAA Security Rule Standards
HIPAA compliance does not need to be mysterious or difficult. In fact, compliance is easy step-by-step, once you know the steps.
An annual HIPAA Risk Analysis builds your Risk Management plan, and you can use the Security Rule Checklist to make sure you’ve met the Security Rule Standards.
And if you ever have a question, The HIPAA E-Tool® has answers – for every type of regulated entity, large and small.