With the number of HIPAA violations continuing to rise, the Office for Civil Rights (OCR) has released its annual report to Congress on HIPAA privacy, security, and breach notification rule compliance, providing critical insights into the state of HIPAA enforcement in 2021. The report reveals a significant increase of 25% in the number of complaints received by the OCR, underscoring the need for continued efforts to improve compliance with HIPAA regulations and safeguard the privacy and security of patient health information.
Established in 1996, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to safeguard the confidentiality of patients’ protected health information (PHI). As the regulatory body responsible for enforcing HIPAA, the OCR plays a critical role in ensuring compliance with these regulations and investigating any potential violations. As mandated by the HITECH Act, the OCR must provide a report with important details about the number of complaints received, the method by which those complaints were resolved, the number of compliance reviews initiated by the OCR, the outcome of each review, and the number of subpoenas or inquiries issued. The report also includes OCR’s anticipated compliance and enforcement initiatives for the following year. Notably, the report states that OCR did not perform any audits in 2021 due to a lack of financial resources, but provides information on other enforcement actions taken to protect the privacy and security of individuals’ health information.
The report’s findings reveal a sharp increase in the number of complaints received by the OCR in 2021. The report states that OCR received a total of 34,077 new complaints alleging violations of the HIPAA Rules and the HITECH Act, a 25% increase from the previous year. Despite the rise in complaints, the OCR was able to resolve 26,420 of them. Of those, 78% were resolved before initiating an investigation, while 16% of the complaints were resolved by providing technical assistance in lieu of an investigation. In 3% of the investigations, a covered entity or business associate took corrective action, and in less than 1% of the complaints, OCR provided technical assistance after initiating an investigation.
During its investigations, OCR resolved 13 complaints with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $815,150. OCR also resolved two complaints with civil money penalties totaling $150,000. The OCR completed 573 compliance reviews, with 83% of these investigations requiring subject entities to take corrective action or pay a civil money penalty. In the remaining 17% of completed compliance reviews, OCR provided the covered entity or business associate with post-investigation technical assistance (3%), found insufficient evidence of a violation of the HIPAA Rules (11%), or lacked jurisdiction to investigate the allegations (3%). The report also notes that OCR’s outreach and education initiatives for the public and the regulated industry included 218 outreach events for the healthcare community, with a focus on pandemic initiatives, including HIPAA enforcement discretion and guidance on telehealth.
Most notably, the report highlights the financial strain on OCR due to a lack of resources, which resulted in no audits being performed in 2021. The report notes that if Congress cannot increase funding for OCR, the financial strain could be eased through enforcement actions. However, OCR’s funding from enforcement has declined, with the maximum penalty amounts in three of the four penalty tiers being significantly reduced. To address this issue and increase funding, OCR sent a request to Congress in September 2021 calling for an increase in the HITECH civil monetary penalty caps. Without such an increase, OCR’s staff and resources will remain severely strained, especially during a period of substantial growth in cyberattacks on the healthcare sector.
The report’s findings underscore the importance of continued efforts by healthcare organizations to improve their compliance with HIPAA regulations and safeguard the confidentiality of patients’ protected health information. In a time of substantial growth in cyberattacks on the healthcare sector, organizations must prioritize data security and ensure they have the necessary safeguards in place to protect patient information.