Dive Brief:
- HIPAA complaints and breaches increased from 2017 to 2021, but the agency in charge of auditing compliance said it doesn’t have the resources to handle the uptick.
- The HHS Office for Civil Rights, or OCR, received 39% more HIPAA complaints in 2021 than in 2017, and large breaches affecting 500 people or more increased 58% in that period, according to the agency’s annual report to Congress.
- But, appropriations didn’t increase over that time, causing a “severe strain on OCR’s limited staff and resources” and hamstringing the agency’s HIPAA enforcement abilities, the report said. For example, the OCR wasn't able to conduct any audits in 2021.
Dive Insight:
The lack of funding to the OCR is a concern given the recent growth in cybersecurity attacks on hospitals and other healthcare companies. Healthcare is particularly vulnerable to cyberattacks, given its relatively low investments in cybersecurity, heavy use of interconnected medical devices and health IT systems, and preponderance of sensitive and valuable personal information, according to research.
Experts are particularly worried about cybersecurity in 2023 as new threats mount, including hacks stemming from Russia’s invasion of Ukraine. Earlier this year, the HHS warned hospitals about a pro-Russian hacktivist group called Killnet, which updated its target list to include hospitals and medical organizations in several countries.
Data breaches at a single facility can expose the information of millions of Americans, and shut down operations at medical facilities, threatening patient care. The HIPAA privacy law was passed in 1996 to create standards to prevent patients’ information from being disclosed without consent or knowledge, including breaches.
HIPAA regulates the privacy and security of health information held by covered entities, mostly health plans and providers that electronically transmit health information for purposes like billing or administration, along with their business associates.
The OCR is required to report to Congress annually on HIPAA compliance, including the number of complaints, compliance reviews and periodic audits completed by the OCR.
Compared to 2020, the OCR in 2021 received more complaints, but fewer breaches were reported. 2020 saw the most breaches overall since the earliest data available in 2017.
Breaches dipped in 2021, but complaints to the OCR went up
The OCR received more than 34,000 complaints alleging violations of HIPAA in 2021, up 25% from 2020. The agency resolved three-fourths of the complaints, with the majority settled without an investigation.
That year, the OCR completed more than 570 compliance reviews. Roughly 83% of those resulted in organizations having to take corrective action or pay a civil monetary penalty, according to the report.
But in addition to requiring covered entities and business associates to take corrective action on hundreds of cases, the OCR resolved 17 investigations in 2021 that totaled $6.1 million in collections. Organizations were penalized for a variety of alleged HIPAA violations, including failing to share patient medical records and dangerous cybersecurity vulnerabilities.
For example, in January 2021, New York health plan Excellus agreed to pay $5.1 million to the OCR after an investigation revealed poor cybersecurity practices that led to a data breach of the personal health information of more than 9.3 million patients.
That same month, Arizona-based nonprofit Banner Health agreed to pay $200,000 to settle allegations that it was violating HIPAA by not providing patients access to their medical records in a timely manner.
Meanwhile, in February 2021, Nevada-based nonprofit Renown agreed to pay $75,000 to settle allegations that it failed to send an electronic copy of a patient’s medical record to a third party at their request, a violation of HIPAA’s right of access standard.
