OCR: HIPAA-Regulated Entities Need to Continue to Improve HIPAA Security Rule Compliance

February 20, 2023

The Department of Health and Human Services’ Office for Civil Rights (OCR) has publicly released two reports that were submitted to Congress and that provide insights into data breaches, HIPAA enforcement activity, and the state of HIPAA Privacy and Security Rule compliance for calendar year 2021.

According to OCR, in calendar year 2021, OCR received 609 reports of large data breaches – data breaches affecting 500 or more individuals – with those incidents affecting 37,182,558 individuals. OCR also received 63,571 reports of data breaches affecting fewer than 500 individuals – which are not publicly reported. 319,215 individuals were affected by those smaller data breaches. That’s 64,180 data breaches in total in 2021 affecting 37,501,772 individuals.

If you follow the breach reports and healthcare data breach statistics published in the HIPAA Journal, you will notice a discrepancy with OCR’s official figures. That is because those statistics are based on the data breaches reported to OCR via the OCR breach portal, which lists 714 data breaches for calendar year 2021. OCR investigates all of those breaches, but the report to Congress only includes data breaches that occurred in 2021 or continued into 2021. 105 of the data breaches reported to OCR in calendar year 2021 occurred and ended prior to 2021 but were reported in 2021.

OCR investigates all data breaches of 500 or more records and initiates a HIPAA compliance review for each of them to determine whether noncompliance with the HIPAA Rules was a contributory factor. In 2021, OCR launched investigations into all 609 large data breaches plus 22 data breaches involving fewer than 500 individuals. 554 data breach investigations were completed in 2021, either because they were closed with no further action after no HIPAA violation was found, or because HIPAA violations were discovered and resolved through voluntary compliance, technical assistance, or resolution agreements and corrective action plans.

The adjusted data show there was a 7% annual reduction in data breaches of 500 or more records compared to 2020, and a 4% reduction in smaller data breaches. By comparison, there was a 61% increase in large data breaches in 2020 and a 6% increase in small data breaches. From 2017 to 2021, small data breaches increased by 5.4% and large data breaches increased by 58.2%.

In 2021, hacking/IT incidents accounted for 75% of large data breaches and 95% of the affected individuals, with the breached information most commonly stored on network servers. Unauthorized access/disclosure incidents accounted for 19% of breaches and 4% of affected individuals, 3% of reported breaches involved theft (<1% of affected individuals), 1% involved loss of PHI (<1% of affected individuals), and 1% involved improper disposal of PHI (1% of affected individuals). Unauthorized access/disclosure incidents accounted for the majority of small breaches, with those breaches typically involving paper records.

Healthcare providers reported 72% of the large data breaches in 2021 (437 reports and 24,389,630 affected individuals), 15% were reported by health plans (93 reports and 3,236,443 affected individuals), 13% by business associates (77 reports and 9,554,023 affected individuals), and <1% by healthcare clearinghouses (2 reports affecting 2,462 individuals).

Largest Data Breaches in 2021 in Each Breach Category

Breach Type                      Individuals Affected   Cause
Hacking/IT Incident              3,253,822              Hacked network server
Unauthorized Access/Disclosure   326,417                Software configuration error exposed ePHI
Improper Disposal                122,340                Improper disposal of hard drives containing ePHI
Theft                            21,601                 Theft of laptops and paper records in a burglary
Loss of PHI                      14,532                 Loss of medical records

Lessons Learned from 2021 Data Breaches

OCR reports that the most common vulnerabilities identified during its investigations were failures to follow HIPAA Security Rule standards and implementation specifications. “There is a continued need for regulated entities to improve compliance with the HIPAA Rules,” explained OCR in the report. “In particular, the Security Rule standards and implementation specifications of risk analysis, risk management, information system activity review, audit controls, and access control were areas identified as needing improvement in 2021 OCR breach investigations.”

The most common remedial actions to breaches of 500 or more records were:

  • Implementing multi-factor authentication for remote access
  • Revising policies and procedures
  • Training or retraining workforce members who handle PHI
  • Providing free credit monitoring and identity theft protection services to customers
  • Adopting encryption technologies
  • Imposing sanctions on workforce members who violated policies and procedures for removing PHI from facilities or who improperly accessed PHI
  • Changing passwords
  • Performing a new risk assessment
  • Revising business associate contracts to include more detailed provisions for the protection of health information

When serious violations of HIPAA are identified and/or corrective action has not been taken proactively in response to a data breach, OCR imposes corrective action plans and financial penalties. In 2021, OCR resolved two data breach investigations with resolution agreements and corrective action plans, resulting in settlements totaling approximately $5.1 million. Excellus Health Plan agreed to pay $5,100,000 to resolve the HIPAA violations that contributed to its 2015 data breach affecting 9.3 million individuals, and Peachstate Health Management (dba AEON Clinical Laboratories) paid $25,000 to resolve HIPAA Security Rule violations.

“The health care industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA Rules to support greater privacy and security of individuals’ protected health information,” said OCR Director Melanie Fontes Rainer. “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”

OCR’s Annual Report to Congress on Breaches of Unsecured Protected Health Information (PDF)

Summary of OCR’s enforcement activity in 2021
