Enforcing HIPAA is going to get easier for the regulators. The Office for Civil Rights (OCR) within HHS, the enforcement agency for HIPAA, has announced a new structure to help them manage increasing numbers of complaints.

OCR’s new Enforcement Division, Policy Division, and Strategic Planning Division will all play roles in providing “a more integrated operational structure for civil rights, conscience protections and privacy protections and cybersecurity protection,” HHS stated. About 2/3 of the complaints OCR receives are for alleged HIPAA violations.

OCR’s Director Melanie Fontes Rainer said:

“OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022– an increase of 69 percent between 2017 and 2022 – with 27 percent alleged violations of civil rights, 7 percent alleged violations of conscience/religious freedom, and 66 percent alleged violations of health information privacy and security laws.”

OCR Investigates Complaints and Large Breaches

In addition to complaints, OCR is required to investigate all breaches that affect 500 or more individuals (large breaches). As the number of these breaches increases year-over-year, the breach investigation caseload goes up. OCR also plans to focus more on issues of cybersecurity as it relates to HIPAA.

OCR is renaming the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to better describe its work and role in cybersecurity.

OCR noted for example, that large breaches of unsecured protected health information (PHI), including electronic PHI, increased from 663 reported in 2020 to 714 reported in 2021. As this trend is continuing into 2023, hacking accounts for 80 percent of the large breaches OCR has received. The new HIPDC is expected to meet the growing demand to address health information privacy and cybersecurity concerns.

Prepare for HIPAA Investigations with Strong Compliance

Your checklist to strengthen compliance and prevent or respond to an investigation includes:

1. Are your HIPAA policies up-to-date?
2. Have you done a HIPAA Risk Analysis in the last year? Does it need to be updated?
3. Has your staff received basic HIPAA training and cybersecurity awareness training?
4. Do you have business associates – or if you are a BA, do you have subcontractors? Do the due diligence HIPAA requires for each one.

Not all investigations can be prevented, but all investigations can be managed, defended, and the results can be less severe if you prepare with strong compliance now.