OCR delivers annual reports to Congress

On February 17, 2023, the Office for Civil Rights (OCR) submitted two reports to Congress, revealing the state of HIPAA compliance and unsecured protected health information (PHI) breaches in 2021.

Why it matters:

These two reports emphasize the importance of safeguarding individuals’ health information privacy and highlight the OCR’s enforcement efforts to address PHI breaches and ensure compliance. They also provide valuable insights into the challenges healthcare organizations face in securing PHI and the OCR’s efforts to enforce compliance and protect individuals’ health information privacy.

What they’re saying:

Melanie Fontes Rainer, the OCR Director, stated in the press release, “The health care industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA Rules to support greater privacy and security of individuals’ protected health information. We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”

By the numbers:

Between 2017 and 2021, the number of breaches affecting fewer than 500 individuals increased by 5%, and the number of breaches affecting 500 or more individuals rose by 58%.

Other key numbers reported include:

• In 2021, the OCR reported a whopping 63,571 “under-500” breaches and 609 breaches affecting over 500 individuals. 
• 72% of breaches were from healthcare providers affecting 24,389,630 individuals.
• 15% of breaches were from health plans affecting 3,236,443 individuals.
• Hacking/IT incidents continue to be the largest category of breaches, affecting 500 or more individuals and comprising 75% of reported breaches.
• Network servers represent the largest category by location for breaches involving 500 or more individuals.

Go deeper:

• OCR’s 2021 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance
• OCR’s 2021 Report to Congress on Breaches of Unsecured Protected Health Information

Lessons Learned:

Regulated entities must improve compliance with HIPAA Security Rule requirements remains crucial, including:

• Risk analysis and risk management
• Information system activity review
• Audit controls
• Access controls

Related: HIPAA’s transmission security requirement: Use encrypted email for compliance

Big picture:

As cyber threats evolve and technology advances, securing PHI and ensuring HIPAA compliance are crucial for protecting individuals’ health information privacy. The OCR’s ongoing efforts to enforce compliance, provide guidance, and educate stakeholders are essential in helping organizations navigate the challenges of safeguarding PHI. The annual reports serve as an informative tool to understand the current landscape of HIPAA compliance and the efforts to address PHI breaches.

As cyber threats and technology evolve, organizations must prioritize safeguarding PHI and adhering to regulatory standards. The insights in these reports serve as a valuable resource for understanding the current landscape and challenges in securing PHI and maintaining compliance.

Related: HIPAA Compliant Email: The Definitive Guide