Key Takeaways from OCR’s Latest Annual HIPAA Reports to Congress

The reports offer HIPAA-regulated covered entities and their business associates critical insight into the agency’s enforcement priorities and challenges during a period of increased complaints of HIPAA violations and concerns about cybersecurity threats targeting individuals’ health information.

Complaints of HIPAA Violations Increased Significantly in 2021

In its Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2021, OCR reported receiving “significant increases” in HIPAA complaints in 2021. In total, the agency received 34,077 new complaints in 2021—a 25% increase in the number of complaints it received in 2020. Moreover, from 2017 to 2021, complaints increased 39%.

After OCR receives a complaint, it may launch an investigation, which may extend into one or more later years. Accordingly, OCR distinguishes between the number of complaints it receives and the number of complaints it resolves in a calendar year. As to the latter category, OCR resolved 26,420 complaints in 2021. The top five issues raised in these complaints were:

1. impermissible uses and disclosures of protected health information (PHI);
2. right of access to one’s own PHI;
3. safeguards to protect PHI;
4. administrative safeguards under the HIPAA Security Rule; and
5. notice to individuals affected by a breach of unsecured PHI.

As in past years, OCR resolved the vast majority of the 26,420 complaints in 2021 at the intake and review stage. At this stage, OCR may dispose of complaints over which the agency has no enforcement jurisdiction because, for example, the party complained about is not a covered entity or business associate or the complaint is not timely filed within 180 days of the incident. 

Only a small percentage of complaints that OCR resolved in 2021 prompted a formal investigation. In approximately half of the investigated cases, OCR found a HIPAA violation and required corrective action. In the other approximate half of investigated cases, OCR concluded that no HIPAA violation occurred. Table 1 below shows a more detailed breakdown of the 26,420 complaints that OCR resolved in 2021.

Among the investigated cases in which OCR found noncompliance with HIPAA requirements, OCR settled 13 cases for $815,150. In only two cases, the agency imposed civil money penalties (CMPs), totaling $150,000. In one of those cases, which we examined in a prior alert, OCR concluded that a dentist improperly disclosed a patient’s PHI in response to an online review. In the other case, the agency determined that a physician practice did not provide a patient with access to his PHI, despite the patient’s multiple requests—an area of continued enforcement priority with OCR’s Right of Access Initiative.

Other HIPAA enforcement highlights from OCR’s 2021 compliance report:

• Compliance Reviews: OCR initiated 674 new compliance reviews and completed 573 compliance reviews, some of which began before 2021. These are reviews of a party’s practices that OCR may initiate in circumstances other than in response to a complaint. A breach triggered the overwhelming majority of both newly initiated and completed compliance reviews in 2021.
• Subpoenas: OCR issued only one subpoena to compel cooperation with an investigation.
• Audits: OCR did not conduct any randomized audits, citing a “lack of financial resources.” However, the report notes that the agency is currently developing the criteria for implementing future audits.

Hacking and IT Incidents Main Cause of Largescale Information Breaches in 2021  

In its other report, the Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021, OCR reported that in 2021 it received 609 notifications of breaches affecting 500 or more individuals and 63,571 notifications of breaches affecting fewer than 500 individuals. A “breach” refers to an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of the PHI. In general, a HIPAA covered entity must report a discovered breach to OCR, any individual whose PHI is compromised, and, in some cases, the media. The specific reporting requirements depend on whether the breach affects 500 or more individuals.

From 2020 to 2021, the number of breaches affecting 500 or more individuals and the number of breaches affecting fewer than 500 individuals both decreased. Despite this year-over-year decrease, OCR observed that the number of reported breaches “continues to increase.” Between 2017 and 2021, the number of breaches affecting 500 or more individuals increased by 58% and the number of breaches affecting fewer than 500 individuals increased by 5%.

As in past years, hacking and IT incidents were the main type of breach affecting 500 or more individuals in 2021. Collectively, hacking and IT-related breaches affected more than 35 million individuals. With most of these breaches, a network server was the location of the compromised PHI. As shown in Table 2 below, other types of breaches affecting 500 or more individuals included acts of theft, loss, improper disposal, or unauthorized access to or disclosure of PHI or equipment, media, or records containing PHI.   

While OCR received many more notifications of breaches affecting fewer than 500 individuals, those 63,571 breaches altogether affected 319,215 individuals — a fraction of the millions of individuals whose PHI was compromised in the 609 larger breaches. Unauthorized access to or disclosure of PHI was the most common cause of these smaller breaches.

OCR Restructures and Seeks Increased Funding to Support Enforcement Activities

To better respond to the increases in complaints regarding HIPAA and other regulations it enforces, OCR announced on February 27, 2023, that it will reorganize into several new divisions. Among the changes, OCR will rename its Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to emphasize its role in addressing cybersecurity concerns.

To further improve its enforcement capabilities, OCR is also asking Congress to nearly double its budget for fiscal year 2024. As the agency stressed in its 2021 HIPAA compliance report, Congress did not increase appropriations between 2017 and 2021, despite the double-digit increases in complaints and large breaches reported to the agency during that period. Moreover, an enforcement policy that OCR adopted in 2019 regarding the calculation of CMPs for HIPAA violations has limited the amount of CMPs that OCR can collect from HIPAA violators. As a result, OCR claimed it faces a “severe strain” on staff and resources, limiting “HIPAA enforcement activities during a time of substantial growth in cybersecurity attacks to the health care sector.”    

Navigating the Enforcement Landscape 

OCR’s annual HIPAA reports to Congress are useful to covered entities and their business associates in illuminating the agency’s enforcement priorities as well as the challenges regulated parties face in their compliance efforts. As OCR concluded in its latest report on HIPAA breaches, “[t]here is a continued need for regulated entities to improve compliance with the HIPAA Rules,” particularly in risk analysis, risk management, information system activity review, audit controls, and access controls. Covered entities and their business associates should consider how their privacy and security practices compare to the trends outlined in OCR’s latest reports. They should also assess whether their compliance programs adequately respond to the risks and vulnerabilities highlighted in OCR’s data.

If you have any questions about HIPAA compliance and regulatory issues, please contact Gayland Hethcoat or the ArentFox Schiff attorney who usually handles your matters.