OCR’s Report to Congress Shows Increase in Complaints
The Office for Civil Rights’ (OCR’s) annual report to Congress showed “significant increases” in HIPAA complaints — 34,077 new complaints in 2021, a 25% increase from 2020. Complaints increased 39% from 2017 to 2021.[1]
OCR resolved 26,420 complaints in 2021, with most resolved at the intake and review stage. The top five issues in the complaints were impermissible uses and disclosures of protected health information (PHI), right of access to a patient’s own PHI, safeguards to protect PHI, administrative safeguards under the HIPAA Security Rule, and notice to individuals affected by a breach of unsecured PHI.
A small percentage of complaints prompted a formal investigation. In approximately half of those, OCR found a HIPAA violation and required corrective action.
It is not surprising to see the 39% increase in complaints and HIPAA violations since 2016, says Claude Mandy, chief data security evangelist at Symmetry Systems, a software company based in San Mateo, CA.
“The volume of private health information collected and stored by covered entities has been growing exponentially. The scale and complexity of managing PHI in a compliant fashion continues to increase,” Mandy says. “This report indicates the challenge faced by organizations and the need for better ways to manage, govern, and secure PHI. Healthcare entities need to invest in better ways to obtain data visibility and observability so they better govern and secure PHI, including improved compliance with HIPAA.” Understanding where PHI is stored, who can access it, and what they are doing with it, as well as monitoring for credential compromise and unusual access attempts and activity, is essential, he says.
OCR reported 75% of the incidents were attributed to hacking. “The definition in the report seems to indicate this includes malicious insiders, the use of malware, ransomware, phishing, and the posting of PHI to public websites,” Mandy says.
Seeking Compliance, Not Punishment
There is reason to be encouraged by OCR’s report, says Avery Dial, JD, partner with Kaufman Dolowich Voluck in Fort Lauderdale, FL.
“The agency’s goal is compliance, not punishment. Seventy-eight percent of complaints were resolved by OCR before initiating an investigation. Of those resolved pre-investigation complaints, 16% were resolved by OCR providing technical assistance,” Avery explains. “Of complaints leading to investigation, no violation was found for 50%, 6% were given technical assistance, and 44% were ordered to take corrective action.”
If a hospital detects a HIPAA breach or exposure, it is in its best interest to notify HHS immediately and cooperate with all the agency’s requirements and requests, Dial says.
Large breaches are becoming more common over time. While breaches involving fewer than 500 people increased only 5% between 2017 and 2021, breaches involving more than 500 people increased 58%. Year to year, however, large breaches decreased 7% from 2020 to 2021.
The report also underscored the need for covered entities to provide timely access to records, Dial says. Of the entities that paid larger fines, failing to provide timely access to records was the No. 1 cause. Failing to conduct enterprisewide risk analysis was second; failing to implement risk management, information system activity review, and access controls was third; and not responding to OCR requests or subpoenas was fourth.
“Of these, failing to provide timely access to records was certainly the most common violation in terms of frequency. Oftentimes, these investigations are the product of a single patient complaining,” Dial says.
REFERENCE
1. Office for Civil Rights. Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance. Feb. 17, 2023. https://www.hhs.gov/sites/defa...