HHS Highlights HIPAA Violations and Breaches in Annual Reports

The Department of Health and Human Services (HHS) recently shared two reports on compliance with HIPAA’s privacy, security and breach notification requirements for 2022. According to HHS, these reports highlight where HIPAA-regulated entities (including health plans and business associates) should focus their HIPAA compliance efforts.

The reports identify steps taken by HHS’ Office for Civil Rights (OCR) to investigate complaints, breach reports and compliance reviews regarding potential violations of the HIPAA Rules. The reports also include important data on the number of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.  

HIPAA Compliance

The first report, HIPAA Privacy, Security and Breach Notification Compliance, identifies the number of HIPAA complaints received, the method by which those complaints were resolved, the number of compliance reviews initiated by OCR and the outcome of each review. The report highlights the following enforcement actions during the 2022 calendar year:

• OCR received 30,435 new complaints alleging HIPAA violations, a 17% increase from 2018 to 2022. OCR also initiated 676 compliance reviews to investigate allegations of HIPAA violations that did not arise from complaints;
• OCR required hundreds of regulated entities to take corrective action and resolved 17 complaint investigations with monetary settlements or the imposition of civil penalties; and
• OCR completed 846 compliance reviews and required regulated entities to take corrective action or pay a civil penalty in 80% of these investigations. 

HIPAA Breach Notification

The second report, Breaches of Unsecured Protected Health Information (PHI), identifies the number and nature of breaches of unsecured PHI that were reported to HHS in 2022 and the actions taken in response to those breaches. It also highlights the continued need for regulated entities to improve compliance with the HIPAA Security Rule requirements. Such compliance improvement measures include risk analysis and risk management, information system activity review, audit controls and access controls.

As in previous years, hacking/IT incidents remained the most prominent type of breach affecting 500 or more individuals and comprising 74% of the reported breaches. The location with the most breaches affecting 500 or more individuals was network servers. For breaches affecting fewer than 500 individuals, the most prominent category of breaches was unauthorized access or disclosures, and the most prevalent location was paper records.  

HIGHLIGHTS

• HHS provided two annual reports on HIPAA compliance covering the 2022 calendar year.
• These reports are intended to help covered entities and business associates (regulated entities) comply with the HIPAA Privacy, Security and Breach Notification Rules. 
•  The reports emphasize the need for regulated entities to continue working on improving HIPAA compliance, particularly with respect to security requirements for PHI. 

This Legal Update is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. ©2024 Zywave, Inc. All rights reserved.