HIPAA Breaches and Complaints Increased Over Five-Year Reporting Period
On February 17, 2023, the HHS Office for Civil Rights (OCR) released its Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021 (“HIPAA Breach Report”) and its Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2021 (“HIPAA Compliance Report”). The reports summarize key HIPAA enforcement activities undertaken by OCR and are intended to highlight where regulated entities (including both covered entities and business associates) should focus their HIPAA compliance efforts. Below, we provide a summary of each report.
HIPAA Breach Report
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires OCR to report annually on the number and nature of reported breaches and the actions taken in response to those breaches.
Over the five-year reporting period (2017-2021), OCR reported that the number of breaches affecting 500+ individuals increased by 58% and the number of breaches affecting fewer than 500 individuals increased by 5%. Between 2020 and 2021, there was a 7% decrease in the number of breaches affecting 500 or more individuals and a 4% decrease in the number of breaches affecting fewer than 500 individuals.
OCR received 609 reports of breaches affecting 500 or more individuals in 2021. The large breaches impacted approximately 37 million individuals. The most common type/cause of large breaches was hacking or other IT-related incidents that impacted electronic equipment or network servers (75% of all large breaches). Other top types/causes of large breaches included: unauthorized access or disclosure of records containing protected health information (“PHI”), theft of electronic equipment/portable devices or paper containing PHI, loss of electronic media or paper records containing PHI, and improper disposal of PHI. OCR opened investigations into all 609 large breaches reported in 2021.
In 2021, OCR received approximately 63,500 reports of breaches affecting fewer than 500 individuals. The smaller breaches impacted approximately 319,000 individuals. The most common cause of the smaller breaches was unauthorized access or disclosures (94% of all smaller breaches). The most common location of the affected PHI was paper records (70% of all smaller breaches). OCR completed 22 investigations into smaller breaches in 2021.
HIPAA Compliance Report
The HITECH Act requires OCR to report annually to Congress on the number of complaints received from the public and the methods used to resolve the complaints; the number of compliance reviews conducted by OCR and the outcome of each review; the number of subpoenas or inquiries issued; the number of audits performed and a summary of audit findings; and anticipated compliance and enforcement initiatives for the following year.
For the 2021 calendar year, OCR reported the following:
Complaints: OCR received 34,077 complaints from the public alleging violations of the HIPAA Rules and the HITECH Act. Over the five-year reporting period, the number of complaints increased 39%. Between 2020 and 2021, the number of complaints increased 25%. The top issues identified in the complaints were impermissible use and disclosure of PHI, right of access, safeguards, administrative safeguards under the Security Rule, and breach notifications to individuals.
OCR resolved 26,420 complaints. Most complaints were resolved before OCR initiated an investigation (78%) or with OCR providing technical assistance (16%). Thirteen complaint investigations were resolved with Resolution Agreements and Corrective Action Plans (CAP) and monetary settlements totaling $815,150, and two complaint investigations were resolved with civil money penalties totaling $150,000.
Compliance Reviews: OCR initiated 674 compliance reviews to investigate allegations of violations of the HIPAA Rules, including the 609 large breach investigations and 22 small breach investigations included in the HIPAA Breach Report. The remaining 43 compliance reviews were based on incidents brought to OCR’s attention through multiple complaints regarding an entity or practice, media reports, or other means.
OCR completed 573 compliance reviews. In 83% of the closed compliance reviews, the covered entity or business associate was required to implement corrective action or pay a civil money penalty. OCR resolved two compliance reviews with resolution agreements, CAPs, and monetary settlements totaling $5,125,000. Both cases involved potential violations of the Security Rule, including failures to conduct a thorough risk analysis, to implement risk management, and to implement audit controls.
Audits: OCR reported that it did not perform any audits in 2021 due to a lack of financial resources.
Subpoenas: OCR reported that it issued one subpoena in 2021.
Anticipated Compliance and Enforcement Activities: According to the HIPAA Compliance Report, OCR is currently developing criteria for future audits.
In the HIPAA Breach Report, OCR recommended covered entities and business associates improve compliance with the HIPAA Security Rule, especially related to the following standards and implementation specifications:
- Security management process standard (45 CFR 164.308(a)(1)(i)) and the implementation specifications related to risk analysis, risk management, and information system activity review;
- Access control standard (45 CFR 164.312(a)(1)) and the implementation specification; and
- Audit control standard (45 CFR 164.312(b)).
Ms. Pledgie is a member of the New York and Massachusetts Bars and is not licensed in Washington, DC. Her practice is limited to federal health care matters.