Key Takeaways from OCR’s CY22 HIPAA Reports to Congress
On February 14, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued its annual reports to Congress detailing its actions to enforce the privacy, security, and breach notification requirements under the Health Insurance Portability and Accountability Act (HIPAA) in calendar year 2022.
The reports offer HIPAA-regulated covered entities and their business associates critical insight into the agency’s enforcement process and priorities from year to year.
Complaints Decreased 11% from 2021 to 2022
Much of OCR’s enforcement of the HIPAA rules is driven by complaints of alleged violations. As detailed in its latest annual HIPAA Privacy, Security, and Breach Notification Rule Compliance report, OCR received 30,435 new complaints of HIPAA violations in 2022 — about 11% fewer than in 2021. However, the number of complaints was still relatively high compared to prior years, with a 17% increase from 2018 to 2022.
Among the new complaints received and the open complaints carried over from 2021, OCR resolved 87% (28,107) without opening a formal investigation. This represents a 27% increase in pre-investigation resolutions from 2021 (20,661).
By contrast, OCR completed about 20% fewer complaint investigations in 2022 (1,261) compared with 2021 (1,620). The outcomes of these investigations were similar year over year, split approximately in half between cases where OCR found no HIPAA violation and cases where OCR required corrective action.
As to compliance reviews (which OCR may conduct when it learns of a potential violation by an avenue other than a complaint), OCR initiated nearly the same number of reviews in 2022 (676) that it initiated in 2021 (674) but completed 32% more reviews year over year (846 in 2022 and 573 in 2021). Despite the increase in compliance reviews that resulted in corrective action or payment of a civil monetary penalty (CMP) in 2022, OCR collected less than half ($2,425,640) the dollar amount in settlement payments and CMPs that it collected from compliance reviews completed in 2021 ($5,125,000).
Breaches Continued to Rise and Hacking/IT Incidents Remained Most Common Cause
Covered entities are required to notify OCR of any breach of unsecured protected health information (PHI). A “breach” is an unpermitted acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of the PHI. “Unsecured PHI” means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons.
In its Breaches of Unsecured Protected Health Information report, OCR reported receiving 626 reports of breaches of unsecured PHI affecting 500 or more individuals in 2022. This is a 3% increase from 2021 (609) and a 107% increase from 2018 (302). In total, these breaches affected nearly 42 million individuals. OCR initiated compliance reviews of all 626 breaches.
As in previous years, hacking/IT incidents remained the largest category of breaches affecting 500 or more individuals (74%). The vast majority of these breaches involved a hack or IT incident impacting a network server, though there were also breaches impacting electronic medical records, emails, and other electronic equipment. In the largest hacking/IT incident breach in 2022, hackers deployed ransomware that compromised a health care provider’s servers and affected more than 3.3 million individuals. Other hacking/IT incidents involved malware, phishing, and posting of PHI on public websites.
OCR also received 63,966 reports of breaches affecting fewer than 500 individuals, representing a 1% increase from 2021 (63,571). These breaches altogether affected 257,105 individuals — a fraction of the millions of individuals whose PHI was compromised in the 626 larger breaches. Unauthorized access or disclosure of PHI was the most common cause of these smaller breaches. OCR opened investigations into two of these breaches.
Key Takeaways
OCR’s annual HIPAA reports to Congress illuminate for covered entities and their business associates the mechanisms OCR uses to enforce HIPAA and the challenges regulated parties face in their compliance efforts. Key takeaways from the calendar year 2022 reports include the following:
- Vulnerability to Cyberattacks: Health care organizations are increasingly the target of large-scale and sophisticated cyberattacks. Although OCR has not yet released full calendar year 2023 breach reporting data, it noted in a March 13, 2024 press release about the Change Healthcare cyberattack that large breaches increased 141% in 2023, affecting 134 million individuals, with hacking accounting for 79% of those breaches. In the face of these threats, regulated parties should be vigilant in their compliance practices relating to risk analysis, risk management, information system activity review, audit controls, and access controls.
- Safeguarding Physical Records: OCR’s 2022 breach report notes significant breaches that occurred where physical records containing PHI were discarded in a dumpster, stolen during a burglary of a storage facility, or lost after a pipe broke and damaged the records. Although most organizations’ priorities are focused on privacy and security risks to electronic data, these breaches underscore that regulated parties must also take care to safeguard and properly dispose of physical records containing PHI.
- Continued Focus on Individual Access to PHI: In 2022, only one complaint investigation by OCR ended with the imposition of a CMP, totaling $100,000, in a case involving an allegation that a podiatry practice failed to provide timely access to medical records. This demonstrates the agency’s continued commitment to its Right of Access Initiative and is a reminder that regulated parties should regularly evaluate their practices for providing individuals with access to their PHI.
- Tracking Technologies and Reproductive Health Privacy: The proliferation of digital tracking technologies and heightened concerns about reproductive health privacy present novel HIPAA compliance issues for regulated parties. In 2022, OCR signaled its enforcement interest in these areas with the publication of guidance about disclosing PHI relating to reproductive health care and using online tracking technologies. Regulated parties should look out for enforcement activity by OCR in 2024 and beyond, given the recent finalization of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy and the update to the original 2022 tracking technologies bulletin.
If you have any questions about HIPAA compliance and regulatory issues, please contact Thomas E. Jeffry, Jr., Gayland O. Hethcoat II, M.H. Joshua Chiu, or the ArentFox Schiff attorney who usually handles your matters.