Two reports published by the Department of Health and Human Services’ Office for Civil Rights (OCR) have been submitted to Congress. The reports cover data breaches, the status of compliance with the HIPAA Privacy and Security Rules, and HIPAA enforcement activity for 2021.
According to OCR, in 2021 it received 609 reports of large data breaches involving 500 or more persons; those breaches affected 37,182,558 persons. OCR also received 63,571 reports of data breaches involving fewer than 500 persons, which are not reported publicly. These smaller breaches affected 319,215 persons. In total, 64,180 data breaches were reported in 2021, affecting 37,501,772 persons.
The number of data breaches listed on the OCR HIPAA breach website for 2021 is only 714, which differs considerably from the figures above. That is because, even though OCR investigates all reported breaches, it reported to Congress only the data breaches that occurred in 2021 and continued into 2021. There were 105 data breaches reported to OCR in 2021 that both began and ended in 2021.
OCR investigates all data breaches involving at least 500 records. Each of these breaches is reviewed for HIPAA compliance to determine whether noncompliance with the HIPAA Rules contributed to the breach. In 2021, OCR opened investigations into all 609 large data breaches and into 22 data breaches affecting fewer than 500 persons. OCR marked 554 breach investigations as completed in 2021. These were closed without further action either because OCR found no HIPAA violations or because the violations that were found were resolved through voluntary compliance, technical assistance, or corrective action plans and resolution agreements.
The adjusted figures indicate a 7% year-over-year decrease in data breaches involving at least 500 records in 2021 compared with 2020, and a 4% decrease in smaller data breaches. By contrast, large data breaches increased by 61% in 2020 and small data breaches by 6%. From 2017 to 2021, small data breaches increased by 5.4% and large data breaches by 58.2%.
In 2021, 75% of large data breaches were due to hacking/IT incidents, and these accounted for 95% of the affected persons; the breached data was mostly stored on network servers. Unauthorized access/disclosure accounted for 19% of breaches and 4% of affected persons, theft for 3% of breaches (less than 1% of affected persons), loss of PHI for 1% of breaches (less than 1% of affected persons), and improper disposal of PHI for 1% of breaches (1% of affected persons). Almost all small breaches were unauthorized access/disclosure incidents, and these usually involved paper records.
Healthcare providers submitted 72% (437) of the data breach reports in 2021, affecting 24,389,630 persons. Health plans submitted 15% (93) of the reports, affecting 3,236,443 persons. Business associates submitted 13% (977) of the reports, affecting 9,554,023 persons. Healthcare clearinghouses submitted less than 1% (2) of the reports, affecting 2,462 persons.
Biggest Data Breaches in 2021 Per Breach Category
- Hacking/IT Incident (hacked network server) – 3,253,822 individuals affected
- Unauthorized Access/Disclosure (software misconfiguration exposed ePHI) – 326,417 individuals affected
- Improper Disposal (of hard drives containing ePHI) – 122,340 individuals affected
- Theft (of laptops and paper records in a burglary) – 21,601 individuals affected
- Loss of PHI (missing medical records) – 14,532 individuals affected
Lessons Learned from 2022 Data Breaches
According to OCR, its investigations found that the most prevalent weaknesses were noncompliance with the HIPAA Security Rule standards and implementation requirements. Regulated entities need to strengthen their compliance with the HIPAA Rules, and in particular with the Security Rule. OCR’s 2021 breach investigations identified the implementation of risk management, risk analysis, information system activity review, audit controls, and access control as areas requiring improvement.
The most common remedial steps taken after breaches involving at least 500 records were:
- Implementing multi-factor authentication for remote access
- Revising policies and procedures
- Training or retraining employees with access to PHI
- Providing complimentary credit monitoring and identity theft protection services to affected individuals
- Deploying encryption technologies
- Sanctioning employees who violated policies and procedures for removing PHI from facilities or who improperly viewed PHI
- Changing passwords
- Conducting a new risk analysis
- Amending business associate agreements to add more specific terms for the protection of health data
When serious HIPAA violations are discovered and/or corrective action was not taken proactively to address a data breach, OCR imposes corrective action plans and financial penalties. In 2021, OCR resolved two data breach cases with a total of $5.1 million in financial penalties and corrective action plans. The settlement with Excellus Health Plan involved a $5,100,000 financial penalty for the HIPAA violations that led to a 2015 data breach affecting 9.3 million persons. Peachstate Health Management (dba AEON Clinical Laboratories) paid $25,000 to settle HIPAA Security Rule violations.
Read OCR’s Annual Report to Congress on Breaches of Unsecured Protected Health Information (PDF) here
Insufficient Funding Impedes OCR’s Ability to Enforce HIPAA
The HHS’ Office for Civil Rights (OCR) has submitted a report to Congress detailing its 2021 HIPAA enforcement activities, which provides insight into the status of compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The report states that OCR’s resources are under strain and that, unless Congress increases its funding, OCR will have difficulty fulfilling its mandate to enforce HIPAA compliance given the rise in reported data breaches and HIPAA complaints.
OCR reports substantial growth in breach reports and HIPAA complaints, with data breaches involving 500 or more records increasing by more than 58% from 2017 to 2021. HIPAA complaints grew by 25% from 2020 to 2021, yet from 2017 to 2021 OCR received no real increase in appropriations, with Congress adding funding only in line with inflation.
If Congress does not increase OCR’s funding, the shortfall could in principle be offset by enforcement actions; however, enforcement revenue has fallen since OCR re-evaluated the terms of the HITECH Act and determined that they had been misinterpreted in 2009, which considerably lowered the maximum penalty amounts in three of the four penalty tiers. To address this and raise funding, OCR asked Congress in September 2021 (HHS FY 2023 Discretionary A-19 Legislative Supplement) to increase the HITECH civil monetary penalty limits, because without such an increase OCR’s staff and resources will be seriously strained, particularly at a time of sharply increasing cyberattacks on the healthcare industry.
25% Yearly Increase in Complaints Regarding HIPAA Violations
Complaints about potential violations of HIPAA and the HITECH Act grew by 25% year-over-year in 2021. Of the 34,077 complaints, 26,420 (77.5%) were resolved in 2021, and 20,611 (78%) of those were closed without an investigation being opened. OCR noted that it can act on a complaint only
- when the alleged HIPAA violation occurred after the compliance deadline
- when the complaint involves a HIPAA-covered entity and a HIPAA violation appears to have occurred
- when the complaint is filed within 180 days of the complainant becoming aware of the violation (unless the complainant shows good faith in not reporting it within 180 days).
The most common reasons for closing complaints without an investigation were:
- the entity complained about is not regulated by HIPAA
- the allegations did not involve HIPAA violations (3%)
- the complaint was untimely (1%)
OCR stated that complaints against HIPAA-regulated entities were resolved by
- providing technical assistance instead of opening an investigation – 4,139 complaints
- obtaining corrective action – 714 complaints
- providing technical assistance after opening an investigation – 789 complaints
The number of compliance investigations opened decreased by 10% year-over-year. Only 1,620 compliance investigations were opened in response to complaints. 50% of these complaints were resolved because no violation was found, 44% were resolved through corrective action, and 6% were resolved by providing technical assistance after investigation. 13 complaints were resolved with a total of $815,150 in settlement payments and corrective action plans. Two complaints were resolved with civil monetary penalties totaling $150,000.
A further 674 compliance investigations were opened that did not arise from complaints: 609 stemmed from large data breaches, 22 from small data breaches, and 43 from incidents that came to OCR’s attention through other means, such as media reports.
In 2021, OCR resolved 573 (83%) of these compliance investigations through corrective action or civil monetary penalties. Two compliance investigations ended in resolution agreements with $5,125,000 in financial penalties and corrective action plans. The remaining 17% were resolved through technical assistance (3%), closed for lack of evidence of a HIPAA violation (11%), or closed for lack of jurisdiction to investigate (3%). OCR stated that its HIPAA compliance review program has stalled because of insufficient funding.