HHS Reports to Congress on 2022 HIPAA Compliance and Breach Notifications


· 5 minute read

Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2022; Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2022

Compliance Report

Breach Notification Report

News Release

HHS’s Office for Civil Rights (OCR) has posted its 2022 reports to Congress on HIPAA privacy, security, and breach notification rule compliance and the HIPAA breach notification program. Below are highlights:

  • Compliance Report. This report summarizes key HIPAA enforcement activities undertaken by OCR during 2022, including the number of complaints received and the method by which those complaints were resolved. OCR received 30,435 complaints in 2022—about 11% fewer than in 2021. In addition to requiring covered entities (including health plans and most health care providers) and business associates (together, “regulated entities”) to take corrective action in hundreds of cases in 2022, OCR reports that 17 complaint investigations (summarized in an appendix) were resolved with resolution agreements or the imposition of civil monetary penalties. OCR did not initiate any audits in 2022 due to a lack of financial resources.
  • Breach Notification Report. This report identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to HHS during 2022 and the actions taken in response. OCR notes that it received 626 large breach notifications affecting approximately 41,747,613 individuals, with hacking incidents the most frequent type of breach and network servers the most frequent breach location. Almost 64,000 small breach notifications were reported affecting 257,105 individuals, with unauthorized access or disclosure the most frequent type of breach and paper records the most frequent breach location. The report concludes with a summary of security standards and implementation specifications that, based on OCR’s 2022 investigations, need improvement: (1) risk analysis/management; (2) information system activity review (e.g., audit logs, access reports, and security incident tracking reports); (3) audit controls; (4) response and reporting; and (5) person or entity authentication.

EBIA Comment: The reports include important data from the HIPAA complaints investigated, highlight areas of noncompliance, and provide insights into trends such as cybersecurity readiness. The breach notification report includes a helpful list of the most common post-breach remedial actions taken to mitigate harm and prevent future breaches. The reports can help covered entities and business associates target and strengthen their HIPAA compliance efforts. Regulated entities should be mindful that OCR opens compliance reviews to investigate all reported breaches affecting 500 or more individuals and may open compliance reviews into reported breaches affecting fewer than 500 individuals. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX (“Enforcement of Privacy, Security, and EDI Rules”) and XXV (“Breach Notification for Unsecured PHI”).
