Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2020; Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2020
HHS’s Office for Civil Rights (OCR) has posted its 2020 calendar-year reports to Congress on HIPAA privacy, security, and breach notification rule compliance and the HIPAA breach notification program. Highlights of the reports include the following:
Compliance Report. This report provides an overview of HIPAA’s privacy, security, and breach notification rules, followed by a more detailed discussion of OCR’s enforcement process and a summary of 2020 complaints and compliance reviews. OCR did not assess any civil monetary penalties or initiate any audits in 2020. OCR received 4% fewer complaints in 2020 than in 2019. The top five violations alleged in complaints resolved by OCR in 2020 involved (1) uses and disclosures of PHI; (2) unspecified safeguards; (3) access rights; (4) administrative safeguards for electronic PHI; and (5) technical safeguards. Technical assistance or corrective action resolved 59% of the complaints. Of the compliance reviews opened in 2020, 88% resulted from large breach notifications, and 2% resulted from small breach notifications. The remaining compliance reviews stemmed from incidents brought to OCR’s attention by other means, including media reports. An appendix summarizes the resolution agreements signed in 2020, most resulting from OCR’s right of access initiative.
Breach Notification Report. This report begins with an overview of the notification requirements for covered entities and business associates following discovery of a breach of unsecured PHI. OCR notes that, in 2020, it received 656 large breach notifications (breaches affecting 500 or more individuals), a 61% increase over 2019, affecting more than 37 million individuals, and 66,509 small breach notifications affecting more than 312,000 individuals. Breaches at health plans and business associates represented 23% of large breach reports. Most large breaches were caused by hacking of electronic equipment or network servers; these incidents involved malware, ransomware, phishing, and posting of PHI on public websites. About a quarter were caused by unauthorized access or disclosure, and less than 10% of the total were attributable to theft, loss, or improper disposal of PHI. The report concludes with a summary of security standards and implementation specifications that, based on OCR’s 2020 investigations, most need improvement: risk analysis and risk management; information system activity review; audit controls; security awareness and training; and authentication.
EBIA Comment: The reports provide a useful synopsis of enforcement activity and offer some additional insights, including the reminder that OCR opens compliance reviews for all breaches affecting 500 or more individuals. The breach notification report includes a helpful list of the most common post-breach remedial actions taken to mitigate harm and prevent potential future breaches. The reports can help covered entities and business associates target and strengthen their HIPAA compliance efforts. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX (“Enforcement of Privacy, Security, and EDI Rules”) and XXV (“Breach Notification for Unsecured PHI”). You may also be interested in our webinar, “HIPAA Breaches: Preparation and Response” (recorded on 1/26/22).
Contributing Editors: EBIA Staff.