Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2021; Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021
HHS’s Office for Civil Rights (OCR) has posted its 2021 reports to Congress on HIPAA privacy, security, and breach notification rule compliance and the HIPAA breach notification program. Below are highlights of both reports:
Compliance Report. This report summarizes key HIPAA enforcement activities undertaken by OCR during 2021, including the number of complaints received and the method by which those complaints were resolved. OCR received 34,077 complaints in 2021—25% more than in 2020. In addition to requiring covered entities (including health plans and most health care providers) and business associates (together, “regulated entities”) to take corrective action in hundreds of cases in 2021, OCR reports that 17 investigations (summarized in an appendix) were resolved with resolution agreements or the imposition of civil monetary penalties (see, e.g., our Checkpoint article). OCR did not initiate any audits in 2021. The top five issues alleged in the complaints resolved in 2021 involved (1) impermissible uses and disclosures; (2) right of access; (3) safeguards; (4) administrative safeguards (security rule); and (5) breach notice to individuals.
Breach Notification Report. This report identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to HHS during 2021 and the actions taken in response. OCR notes that it received 609 large breach notifications (breaches affecting 500 or more individuals) affecting more than 37 million individuals in total, with hacking/IT incidents the most frequent type of breach and network servers the most frequent breach location. More than 63,000 small breach notifications (breaches affecting fewer than 500 individuals) were reported, affecting nearly 320,000 individuals in total, with unauthorized access or disclosure the most frequent type of breach and paper records the most frequent location.
EBIA Comment: The reports include important data from the HIPAA complaints investigated, highlight areas of noncompliance, and provide insights into trends such as cybersecurity readiness. OCR stresses the need for regulated entities to improve HIPAA compliance, particularly with the security requirements—including risk analysis, risk management, information system activity review, audit controls, and access controls. Regulated entities should be mindful that OCR opens compliance reviews to investigate all reported breaches affecting 500 or more individuals and may open compliance reviews into reported breaches affecting fewer than 500 individuals. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX (“Enforcement of Privacy, Security, and EDI Rules”) and XXV (“Breach Notification for Unsecured PHI”).
Contributing Editors: EBIA Staff.