HHS delivers annual report on HIPAA compliance and breaches

What happened

On February 14th, the HHS OCR issued two reports to Congress regarding HIPAA compliance and enforcement. By issuing these reports and sharing how the OCR investigates complaints and compliance reviews, the OCR hopes to help regulated industries in their compliance efforts.

Both reports focus on 2022 and are part of the HHS’s ongoing focus on supporting the privacy and security of health information.

Going deeper

The first report, titled HIPAA Privacy, Security, and Breach Notification Rule Compliance, focused on complaints received and how they were resolved. It included the following results: 

• The OCR received 30,435 complaints of possible HIPAA violations.
• The OCR resolved 32,250 complaints. Some of these may have been from before 2022. 
• 17 complaints were resolved with Resolution Agreements, Corrective Action Plans, and monetary settlements. Settlements totaled $802,500. The OCR also received a civil money penalty of $100,000. 
• 846 compliance reviews were completed, requiring certain entities to take corrective action or pay a monetary penalty. Three reviews were resolved with Resolution Agreements and Corrective Action Plans. Monetary payments totaled $2,425,640. 

The second report, titled Breaches of Unsecured Protected Health Information, focused on the number and nature of breaches that were reported in 2022. The results included:

• The OCR received 626 notifications of breaches impacting 500 or more individuals. This showed a 3% increase from 2021. 
• In total, it’s estimated that 41,747,613 individuals were impacted by large breaches.
• Hacking was the most common cause of a large breach. 
• The OCR received 63,966 reports of breaches impacting fewer than 500 individuals. 
• For smaller breaches, unauthorized access or disclosures was the most frequent cause. 

In this report, the HHS also provided recommendations to prevent breaches, including suggesting companies conduct risk analysis, risk management, information system activity review, audits, and more. 

HHS also specifically advised companies to immediately respond, document, and report incidents. Documentation is required by the Security Rule and is also crucial for accurately and effectively responding to breaches. 

What was said

OCR Director Melanie Fontes Rainer said, “OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting…Our healthcare systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the healthcare industry to drive compliance and protect against security threats.” 

Why it matters

Reports such as these reveal the harsh impact of data breaches. Even smaller breaches can have devastating effects on individuals.

Breaches continue to increase and are frequently a result of hacking, and more healthcare organizations are being found partially responsible for data breaches. For companies that fail to remain HIPAA compliant, the report is a reminder that these organizations will be held responsible for violations and could face costly penalties among other consequences.  

Read more: HIPAA Compliant Email: The Definitive Guide