Listen to this post

In February, when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) delivered two annual reports to Congress for the 2021 calendar year as mandated by the HITECH Act, several notable takeaways were exposed. By providing data on enforcement actions and insight into areas of noncompliance, the reports assist HIPAA entities to mitigate risk, prioritize compliance efforts, and promote industry accountability.

The first report summarized HIPAA enforcement actions undertaken by OCR in 2021 as well as the outcomes of the investigations (the “Compliance Report”). The second report provided insight into breaches of unsecured protected health information (PHI) and actions taken in response to those breaches (the “Breach Report”).

Key Takeaways from The Compliance Report:

  • In 2021, OCR received over 34,000 new complaints: a 25% increase from 2020
  • Over three-quarters of these complaints were resolved before initiating an investigation
  • Despite the increase, only 13 resulted in Resolution Agreements/Corrective Action Plans
  • Numerous outreach activities were used to educate entities, focusing on pandemic initiatives, like telehealth
  • The top five issues alleged were related to (1) Impermissible Uses and Disclosures; (2) Right of Access; (3) Safeguards; (4) Administrative Safeguards pursuant to the HIPAA Security Rule; and (5) Breach-Notice to Individuals
  • Due to a lack of resources, OCR did not initiate any 2021 audits.

Key Takeaways from The Breach Report:

  • OCR received 609 notifications of breaches that impacted 500 or more individuals
  • This was a 7% decrease from 2020, but affected more than 37 million individuals
  • Hacking remained the most prevalent cause for these types of breaches, comprising 75% of the reported breaches
  • There were more than 63,000 reports of breaches affecting fewer than 500 individuals
  • OCR resolved two breach investigations with resolution agreements, corrective action plans, and monetary payments totaling $5,125,000.

Both reports included case analyses and summaries of settlement terms, revealing macro-level trends. Healthcare is a complex, diverse, and rapidly evolving industry, with 2022 and 2023 already seeing new priorities related to AI and web-tracking and virtual care matters on the rise.