OCR Releases Annual HIPAA Compliance Reports

February 24, 2023

Believe it or not, the Office for Civil Rights kicked off NBA All-Star Weekend with their very own showcase of HIPAA enforcement’s latest and greatest. Last Friday the government released not one but two annual reports starring key HIPAA enforcement activities from 2021.

While you probably won’t be seeing these reports featured on the next SportsCenter Top 10, the insights that they provide into recent healthcare data breaches and HIPAA noncompliance cases are certainly worthy of a highlight reel. So to give your practice some helpful pointers on how your compliance efforts should be focused, let’s break down the most important stats from each report: 

OCR’s 2021 Report to Congress on HIPAA Privacy, Security and Breach Notification Rule Compliance  

  • Total complaints received in 2021: 34,077 (25% increase from 2020)
    • Total number of open complaints carried over from the previous year: 3,814
    • Total number of investigations completed: 1,620
      • 44% of these investigations required the covered entity or business associate to take corrective action
    • Top two issues alleged in complaints: 
      • Impermissible Use and Disclosure (702 complaints)
      • Right of Access (667)

The biggest takeaway? Between 2017 and 2021, the OCR has seen a 39% increase in the number of HIPAA complaints received and, in turn, has initiated 44% more compliance reviews. That means not only are your patients paying more attention to noncompliance, but the government is too.

OCR’s 2021 Report to Congress on Breaches of Unsecured Protected Health Information 

  • Large Breaches (incidents affecting 500 or more individuals) have increased by 58% from 2017 to 2021
    • Total number of large breaches reported: 609
    • Total number of breach investigations initiated: 609
    • Total number of individuals affected by the breaches: ~37,182,558
    • The most commonly reported cause of breach: Hacking/IT Incident (75%)
    • The most commonly reported location of the unsecured PHI: Network Servers (57%) 
  • Small Breaches (incidents affecting fewer than 500 individuals) have increased by 5% from 2017 to 2021
    • Total number of small breaches reported: 63,571
    • Total number of breach investigations initiated: 22
    • Total number of individuals affected by the breaches: 319,215
    • The most commonly reported cause of breach: Unauthorized Access or Disclosure (94%)
    • The most commonly reported location of the unsecured PHI: Paper (70%) 

Now, what does all this data really mean? OCR Director Melanie Fontes Rainer made the intentions of these reports clear in her statement, saying, “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.” That means not only does each of those statistics provide eye-opening insight into what’s going on in the healthcare industry, but together they help identify exactly which areas of compliance are too commonly overlooked. And when it comes to ensuring your practice has an all-star compliance line-up, here’s what the OCR identified as the top areas needing improvement:

  • Implementing a comprehensive Security Risk Analysis and ongoing risk management practices.
  • Conducting information system activity reviews including audit logs, access reports, and security incident tracking reports.
  • Having audit controls in place to record and examine activity in information systems that contain or use ePHI.
  • Ensuring the proper technical policies and procedures are in place to provide only authorized individuals with access to ePHI.

So knowing what common compliance gaps exist and what a winning HIPAA program looks like, the ball is in your court. You wouldn’t put a rookie up against LeBron, and the findings from these reports are perfect examples of why you can’t go head-to-head with an evolving healthcare industry without having both compliance AND cybersecurity on your team.