Lack of Funding Hampering OCR’s Ability to Enforce HIPAA

By | February 20, 2023

The HHS’ Office for Civil Rights (OCR) has published a report it sent to Congress that details its HIPAA enforcement activities in 2021, which provides insights into the state of compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The report makes it clear that OCR’s resources are under considerable strain, and without an increase in funding from Congress, OCR will struggle to fulfill its mission to enforce HIPAA compliance, especially considering the large increase in reported data breaches and HIPAA complaints.

OCR reports significant increases in reported data breaches and HIPAA complaints, with large data breaches – 500 or more records – increasing by more than 58% between 2017 and 2021, and HIPAA complaints increasing by 25% between 2020 and 2021, yet between 2017 and 2021, OCR has not had any increases in appropriations, with Congress only increasing funding in line with inflation.

If Congress is unable to increase funding for OCR, the financial strain could be eased through enforcement actions; however, OCR has seen funding through enforcement decline after reassessing the language of the HITECH Act and determining it had been misinterpreted in 2009, resulting in the maximum penalty amounts in three of the four penalty tiers being significantly reduced. To address this and increase funding, OCR sent a request to Congress in September 2021 (HHS FY 2023 Discretionary A-19 Legislative Supplement) calling for an increase in HITECH civil monetary penalty caps), as without such an increase, OCR’s staff and resources will continue to be severely strained, especially during a time of substantial growth in cyberattacks on the healthcare sector.

25% Annual Increase in HIPAA Violation Complaints

There was a sizeable rise in complaints about potential HIPAA and HITECH Act violations in 2021, which increased by 25% year-over-year to 34,077 complaints, 77.5% of which (26,420) were resolved in 2021, 78% of which (20,611 complaints) were resolved without having to initiate an investigation. OCR explained that action can only be taken in response to complaints where the HIPAA violation occurred after the compliance deadline, where the complaint is against a HIPAA-regulated entity, where a HIPAA violation appears to have occurred, and when the complaint is submitted within 180 days of the complainant becoming aware of the violation (unless the complainant shows good cause why the violation was not reported within 180 days).

The most common reasons for closing complaints without an investigation were the complaint was made against a non-HIPAA-regulated entity or allegations were made about conduct that did not violate HIPAA (3%), and due to untimely complaints (1%). OCR said 4,139 complaints were resolved by providing technical assistance in lieu of an investigation, 714 complaints were resolved by the HIPAA-regulated entity taking corrective action, and 789 complaints were resolved through technical assistance taken after an investigation was initiated. There was a 10% year-over-year reduction in initiated compliance investigations, with 1,620 compliance investigations initiated in response to complaints. 50% were resolved as no violation was discovered, 44% were resolved through corrective action, and 6% were resolved through technical assistance after investigation. 13 complaints were resolved through settlements and corrective action plans with penalties totaling $815,150, and 2 were resolved through civil monetary penalties totaling $150,000.

674 compliance reviews were initiated for reasons other than complaints, 609 were initiated in response to large data breaches, 22 due to small data breaches, and a further 43 were initiated in response to incidents brought to OCR’s attention by other means, such as reports in the media. In 2021, OCR closed 573 compliance reviews, resulting in corrective actions or civil monetary penalties in 83% of the investigations. Two compliance reviews resulted in resolution agreements that included $5,125,000 in financial penalties and corrective action plans. The remaining 17% of compliance reviews were resolved through technical assistance (3%), insufficient evidence of HIPAA violations (11%), or where there was a lack of jurisdiction to investigate (3%). OCR said its HIPAA compliance audit program has stalled due to a lack of financial resources.

Click here to view OCR’s Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance

Click here to view a summary of OCR’s Report on Breaches of Unsecured PHI in 2021

The post Lack of Funding Hampering OCR’s Ability to Enforce HIPAA appeared first on HIPAA Journal.