To help regulated entities better comply with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules, the US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is sharing two 2021 reports: HIPAA Privacy, Security, and Breach Notification Rule Compliance and Breaches of Unsecured Protected Health Information. According to OCR, these reports, delivered to Congress on February 17, 2023, may assist regulated entities in their HIPAA compliance efforts. The reports also share steps taken by OCR to investigate complaints, breach reports, and compliance reviews regarding potential violations of the HIPAA Rules. The reports include important data on the numbers of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.
The 2021 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the number of complaints received, the method by which those complaints were resolved, the number of compliance reviews initiated by OCR, and the outcome of each review.
The Annual Report to Congress on Breaches of Unsecured Protected Health Information identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the Secretary of HHS during calendar year 2021 and the actions taken in response to those breaches. It also highlights the continued need for regulated entities to improve compliance with the HIPAA Security Rule requirements, including:
- risk analysis and risk management;
- information system activity review;
- audit controls; and
- access controls.
These compliance concerns were identified as areas needing improvement in 2021 OCR breach investigations. As it was the previous three years, hacking/IT incidents remain the largest category of breaches occurring in 2021 affecting 500 or more individuals, and affected the most individuals, comprising 75% of the reported breaches. Network servers is the largest category by location for breaches involving 500 or more individuals.
HIPAA Privacy, Security, and Breach Notification Rule Compliance is available here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/reports-congress/index.html.
Breaches of Unsecured Protected Health Information is available here: https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html.
Compliance Perspective
Issue
In 2021, OCR received 34,077 new complaints alleging violations of the HIPAA Rules and the HITECH Act, representing an increase of 25 percent from the number of complaints received in calendar year 2020. OCR received 609 notifications of breaches affecting 500 or more individuals. The most commonly reported category of breaches was hacking. OCR also received 63,571 reports of breaches affecting fewer than 500 individuals, with unauthorized access or disclosure reported as the most frequent type of breach reported.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to security breach efforts by unauthorized individuals, and how to guard against and detect malicious software. Update as new information becomes available.
- Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed. Also audit to make sure computers and other devices are regularly scanned and updated.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
