HIPAA complaints are up

HIPAA Enforcement Stronger with New OCR Structure

Enforcing HIPAA is going to get easier for the regulators. The Office for Civil Rights (OCR) within HHS, the enforcement agency for HIPAA, has announced a new structure to help it manage increasing numbers of complaints.

OCR’s new Enforcement Division, Policy Division, and Strategic Planning Division will all play roles in providing “a more integrated operational structure for civil rights, conscience protections and privacy protections and cybersecurity protection,” HHS stated. About 2/3 of the complaints OCR receives are for alleged HIPAA violations.

OCR’s Director Melanie Fontes Rainer said:

“OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022 – an increase of 69 percent between 2017 and 2022 – with 27 percent alleged violations of civil rights, 7 percent alleged violations of conscience/religious freedom, and 66 percent alleged violations of health information privacy and security laws.”

OCR Investigates Complaints and Large Breaches

In addition to complaints, OCR is required to investigate all breaches that affect 500 or more individuals (large breaches). As the number of these breaches increases year-over-year, the breach investigation caseload goes up. OCR also plans to focus more on issues of cybersecurity as it relates to HIPAA.

OCR is renaming the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to better describe its work and role in cybersecurity.

OCR noted, for example, that large breaches of unsecured protected health information (PHI), including electronic PHI, increased from 663 reported in 2020 to 714 reported in 2021. This trend is continuing into 2023, and hacking accounts for 80 percent of the large breaches OCR has received. The new HIPDC is expected to meet the growing demand to address health information privacy and cybersecurity concerns.

Prepare for HIPAA Investigations with Strong Compliance

Your checklist to strengthen compliance and prevent or respond to an investigation includes:

  1. Are your HIPAA policies up-to-date?
  2. Have you done a HIPAA Risk Analysis in the last year? Does it need to be updated?
  3. Has your staff received basic HIPAA training and cybersecurity awareness training?
  4. Do you have business associates – or if you are a BA, do you have subcontractors? Do the due diligence HIPAA requires for each one.

Not all investigations can be prevented, but all investigations can be managed and defended, and the results can be less severe, if you prepare with strong compliance now.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
