Federal Health & Welfare Updates

HHS Issues Reports to Congress on HIPAA Compliance and Breach Notifications


The Department of Health and Human Services (HHS) recently issued two reports to Congress regarding HIPAA compliance, breach notifications and enforcement actions for the calendar year 2020. Annually, HHS is required to submit HIPAA reports to Congress and post this information on the HHS website.

The first report focuses on compliance with the HIPAA privacy and security requirements. According to the report, in 2020, HHS received 27,182 new complaints alleging HIPAA violations. The top five alleged violations involved uses and disclosures of protected health information (PHI), unspecified safeguards, access rights, administrative safeguards for electronic PHI and technical safeguards.

HHS resolved 26,530 of these complaints; the majority were resolved before an investigation was initiated. Of the investigations that were conducted, 54% resulted in the covered entity or business associate taking corrective action. Eleven complaint investigations were resolved with resolution agreements/corrective action plans (RA/CAPs) and monetary payments totaling $2,537,500; the details are provided in the appendix to the report. These complaints included situations in which the investigated entities failed to perform a risk analysis, misdirected electronic PHI, denied patients access to their own PHI or failed to terminate staff access to PHI upon employment termination.

Notably, HHS initiated 60.7% more compliance reviews in 2020 than in 2019. Of the 566 completed compliance reviews, 86% resulted in the subject entity being required to take corrective action or pay a civil monetary penalty. Eight compliance reviews were resolved with RA/CAPs and monetary payments totaling $13,017,400. No audits were initiated in 2020.

The second report identifies the number and nature of breaches of unsecured PHI that were reported to HHS during 2020. HHS received 656 notifications of large breaches (i.e., those affecting 500 or more individuals), a significant increase of 61% from 2019. These reported breaches affected a total of approximately 37,641,403 individuals. The most frequently reported category of breach was hacking of electronic equipment or network servers, which involved the use of malware, ransomware, phishing and the posting of PHI on public websites. The largest breach of this type involved approximately 3,500,000 individuals.

HHS initiated investigations into all 656 large breaches, as well as 22 smaller breaches. HHS completed 547 investigations, achieving voluntary compliance through corrective action, technical assistance and resolution agreements. HHS resolved eight breach investigations with RA/CAPs or the imposition of civil monetary penalties, which resulted in more than $13 million in collections. Based on the 2020 investigations, HHS also identified the following security standards and implementation specifications as requiring improvement: risk analysis/management, information system activity review, audit controls, security awareness and training, and authentication. The report also explains actions that can be taken to prevent potential breaches.

Employers that sponsor group health plans may find these reports helpful in focusing and improving their HIPAA compliance efforts.

CY 2020 Annual Report to Congress on HIPAA Privacy, Security and Breach Notification Rule Compliance
CY 2020 Annual Report to Congress on Breaches of Unsecured Protected Health Information

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
