Federal Health & Welfare Updates

HHS Delivers Annual Reports to Congress on HIPAA Compliance and Breaches

On February 14, 2024, the HHS Office for Civil Rights (OCR) released two annual reports to Congress summarizing the agency's key HIPAA enforcement activities during the 2022 calendar year, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The first report, HIPAA Privacy, Security, and Breach Notification Rule Compliance, identifies the number of complaints received, the method by which those complaints were resolved, and other OCR HIPAA compliance enforcement activities. The second report, Breaches of Unsecured Protected Health Information, identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to HHS and the actions taken in response to the breaches.

Highlights from the HIPAA Privacy, Security, and Breach Notification Rule Compliance report are as follows:

  • OCR received 30,435 new complaints alleging violations of the HIPAA Rules.
  • OCR resolved 32,250 complaints alleging violations of the HIPAA Rules.
  • OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one with a civil money penalty of $100,000.
  • OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and monetary payments totaling $2,425,640.

The Breaches of Unsecured Protected Health Information report noted that 77% of the reported breaches that occurred in 2022 and affected 500 or more individuals were hacking/IT incidents, and that 58% of those large breaches involved network servers. Accordingly, the report emphasized a continued need for increased compliance with the HIPAA Security Rule in such areas as risk analysis and risk management, audit controls, and information system activity review.

These annual reports are an important reminder of the agency's HIPAA compliance enforcement activities. It is therefore crucial that employers are educated in the overall HIPAA rules and review their HIPAA policies and procedures, as well as their security policies and procedures for handling electronic PHI.

Press Release »
Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for CY 2022 »
Annual Report to Congress on Breaches of Unsecured Protected Health Information for CY 2022 »

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
