HHS Issues Two Annual Reports to Congress on HIPAA Privacy and Security Enforcement Activities

On February 17, 2023, the HHS Office for Civil Rights (OCR) released two annual reports to Congress summarizing the agency’s key HIPAA enforcement activities during the 2021 calendar year as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The first report, HIPAA Privacy, Security, and Breach Notification Rule Compliance, identifies the number of complaints received, the method by which those complaints were resolved, and other OCR HIPAA compliance enforcement activities. The second report, Breaches of Unsecured Protected Health Information, identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the HHS and the actions taken in response to the breaches.

Due to a lack of financial resources, OCR did not conduct any audits in 2021. Further, OCR requested that the HITECH civil penalty caps be increased in the HHS Fiscal Year 2023 Legislative Supplement sent to Congress to secure enough staff and resources to carry out OCR’s enforcement activities.

The highlights of these two reports are as follows:

• New complaints alleging violations of HIPAA Rules and the HITECH Act in 2021 were 34,077, a 25% increase from calendar year 2020.
• Of those new complaints, OCR resolved 20,661 (78%) before initiating an investigation.
• The top five complaints resolved were: impermissible uses and disclosures, right of access, safeguards, administrative safeguards under the HIPAA Security Rule, and breach notice to individuals.
• OCR resolved 13 complaint cases in 2021 through resolution agreements and/or corrective action plans and monetary settlements totaling $815,150. Two complaint investigations resulted in the assessment of civil money penalties totaling $150,000.
• OCR received 609 notifications of breaches affecting 500 or more individuals, a decrease of 7% from the calendar year 2020.
• Hacking/IT incidents remained the largest category of breaches among incidences affecting 500 or more individuals in 2021. The largest category of breaches of 500 or more individuals by location involved network servers.
• For breaches affecting fewer than 500 individuals, the largest category by type of breach report was unauthorized access or disclosures, and the largest category by location was paper records.

The appendices sections of both reports include:

• The actual cases of the Resolution Agreements.
• A summary of the settlement terms that provide helpful insights to employers.
• Other covered entities (e.g., insurers) for the potential consequences of failing to comply with HIPAA rules.

These annual reports are an important reminder of the agency’s HIPAA compliance enforcement activities. So it is crucial that employers are educated in overall HIPAA rules and review their HIPAA compliance.

HHS: Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2021 »
HHS: Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021 »