On February 14, 2024, HHS-OCR delivered a set of reports to Congress regarding HIPAA compliance and breaches of unsecured protected health information (PHI) in 2022. These annual reports shed light on the agency’s enforcement priorities and contain helpful insights concerning HHS-OCR investigations and related risk areas. Of particular interest are the “lessons learned” that HHS-OCR offers to HIPAA covered entities and business associates (together “regulated entities”) in terms of practical tips for enhanced data security.
HIPAA Privacy, Security, and Breach Notification Rule Compliance
HHS-OCR enforces the HIPAA rules by investigating written complaints filed with the agency and initiating its own compliance reviews. In practice, most of these compliance reviews arise from reported breaches of unsecured PHI involving 500 or more individuals (i.e., “large breaches”).
In its report to Congress on HIPAA Privacy, Security and Breach Notification Rule Compliance, HHS-OCR summarized its key HIPAA enforcement activities during 2022, including the number of complaints resolved and compliance reviews conducted, as well as the enforcement actions taken.
Complaints
In 2022:
- HHS-OCR resolved 32,250 complaints regarding alleged HIPAA violations.
- The vast majority of these complaints were resolved by the agency before initiating an investigation (87%) or through the provision of technical assistance in lieu of an investigation (9%).
- Only 4% of the complaints resolved in 2022 resulted in investigations. Of these, HHS-OCR: (a) found insufficient evidence that a violation of the HIPAA rules had occurred in approximately 54% of the cases; (b) required regulated entities to take corrective action in approximately 44% of the cases; and (c) resolved the remaining investigations by providing post-investigation technical assistance.
- HHS-OCR resolved 17 of the complaints that were investigated (approximately 2% of all complaint investigations) with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500. One complaint investigation resulted in a civil monetary penalty (CMP) of $100,000.
- Notably, almost 90% of complaint investigations that were resolved with RA/CAPs and monetary settlements or a CMP asserted violations of HIPAA’s “right of access” provision.
Compliance Reviews
In 2022:
- HHS-OCR completed 846 compliance reviews. For 80% of these reviews, HHS-OCR required the regulated entity to take corrective action or pay a CMP. Three such compliance reviews were resolved with RA/CAPs and resulted in monetary payments totaling $2,425,640.
- HHS-OCR (a) found insufficient evidence of a violation of HIPAA rules in 11% of the reviews completed; (b) provided the regulated entity with post-investigation technical assistance in 4% of the reviews completed; and (c) determined that it lacked jurisdiction to evaluate the allegations in 5% of the reviews.
Audits
HHS-OCR did not perform any audits in 2022, citing a lack of funding that has placed “severe strain on [HHS]-OCR’s limited staff and resources.” The agency stressed that it received no appropriation increases from 2018 to 2022, despite significant growth over the same period in HIPAA complaints received (a 17% increase) and large data breaches reported (a 107% increase). HHS-OCR indicated that it is actively developing criteria for implementing future audits should financial resources become available.
Breaches of Unsecured PHI
HHS-OCR’s report to Congress on Breaches of Unsecured Protected Health Information identifies the number and nature of breaches of unsecured PHI that were reported to, and resolved by, HHS-OCR during 2022 and the actions HHS-OCR took in response to those breaches. Of note, in 2022:
- HHS-OCR received 626 notifications of large breaches, representing an increase of 3% from the number of large breaches reported in 2021. The large breaches reported in 2022 affected a total of almost 42 million individuals.
- As in previous years, the most commonly reported category of large breaches was hacking/IT incidents (representing 74% of large breaches reported in 2022),[1] followed by the unauthorized access or disclosure of records containing PHI (representing 19% of large breaches reported in 2022).
- Most large breaches were reported by health care providers. While business associates accounted for only 19% of the large breaches reported in 2022, those breaches affected 35% of the impacted individuals.
- HHS-OCR also received 63,966 reports of breaches affecting fewer than 500 individuals (i.e., “smaller breaches”), with unauthorized access or disclosure representing, by far, the most frequent type of breach reported (representing 93% of smaller breaches reported in 2022). These smaller breaches affected a total of 257,105 individuals.
- HHS-OCR initiated investigations into all 626 large breaches, as well as two smaller breaches. The agency resolved three of these breach investigations (less than 1% of them) with RA/CAPs and monetary settlements totaling $2,425,640.
- Although the number of reported data breaches (both large and smaller) increased from 2021 to 2022 (by 3% and 6%, respectively), the number of compliance reviews initiated by HHS-OCR (most of which involve breaches of unsecured PHI) grew by less than 1%.
Lessons Learned
In connection with its investigations, HHS-OCR identified common deficiencies and vulnerabilities in protecting the privacy and security of PHI, including the following:
- Failure to conduct accurate and thorough risk analyses. HHS-OCR found that HIPAA security risk analyses, if conducted, were often based on incomplete inventories of where PHI is created, received, maintained, or transmitted, resulting in an incomplete assessment of risks and vulnerabilities.
- Failure to implement risk management. HHS-OCR found that regulated entities failed to implement security measures to reduce the same risks identified repeatedly over a protracted period of time, leaving them vulnerable to breaches of unsecured PHI.
- Insufficient or non-existent information system activity review processes. HHS-OCR identified examples where regulated entities (a) failed to review information system activity through standard system tools, such as audit logs, access reports, and security incident tracking reports; or (b) conducted reviews that were ad hoc, reactive, or so narrow in scope that access to some PHI was left unmonitored.
- Failure to comply with the HIPAA Security Rule’s audit controls requirement. HHS-OCR found regulated entities that either had no audit controls in place or implemented audit control mechanisms for only a narrow subset of their systems containing or using electronic PHI. In other cases, HHS-OCR found regulated entities that had deficient logging practices or failed to retain access or activity logs for a sufficient period.
- Deficient or non-existent security incident response and reporting processes. HHS-OCR found that regulated entities frequently are not documenting security incidents and their outcomes. The agency emphasized that it is crucial for covered entities and business associates to maintain a record of the details of any security incident and the responsive steps taken for future reference, including relevant dates, staff members involved, systems affected, and any technical changes employed.
- Use of compromised credentials. HHS-OCR found that the use of compromised credentials is one of the leading methods attackers leverage to gain unauthorized access to an organization’s network and information systems. Specifically, HHS-OCR noted instances of ineffective authentication procedures, including weak password rules, using user IDs as passwords, sharing login credentials, and not changing application default passwords.
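The activity-review, audit-control, and credential findings above are easiest to recognize against concrete log lines. The following is an added example, not taken from the HHS-OCR reports and not any regulated entity's code: a small Python script that runs over constructed sample audit-log lines and flags four of the conditions the agency describes. It reports an inventoried ePHI system that produced no log lines at all (audit controls covering only a subset of systems), an interactive login on a vendor default account, a login that succeeded only after a run of failures, and one user ID active from two source addresses within minutes (a sign of shared or compromised credentials). The log format, the system inventory, the default-account list, and the thresholds are all assumptions chosen for illustration.

```python
"""Audit-log review over constructed sample lines.

Added example; not code from the HHS-OCR reports or from any regulated entity.
The log format (ISO timestamp followed by key=value fields), the system
inventory, the default-account list and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory of systems that create, receive, maintain or transmit ePHI.
# Every one of them should be feeding the review; "imaging" deliberately
# contributes no lines below so the coverage gap shows up as a finding.
EPHI_SYSTEMS = {"ehr", "billing", "imaging"}

# Assumed vendor/default account names that should never log in interactively.
DEFAULT_ACCOUNTS = {"admin", "guest", "test", "sa"}

SHARED_WINDOW = timedelta(minutes=10)  # same user, two IPs inside this window
FAIL_THRESHOLD = 5                     # failures before a success that we flag

# Constructed sample log lines (not real data). The RECORD_VIEW line shows what
# an access-report entry looks like; the checks below act on LOGIN_* events.
SAMPLE_LOG = """\
2022-03-01T08:02:11 system=ehr event=LOGIN_OK user=jsmith ip=10.1.4.22
2022-03-01T08:03:40 system=ehr event=LOGIN_OK user=jsmith ip=203.0.113.9
2022-03-01T08:04:02 system=ehr event=RECORD_VIEW user=jsmith ip=203.0.113.9 patient=P1001
2022-03-01T09:15:00 system=billing event=LOGIN_OK user=admin ip=198.51.100.7
2022-03-01T21:40:00 system=ehr event=LOGIN_FAIL user=rgreen ip=198.51.100.7
2022-03-01T21:40:05 system=ehr event=LOGIN_FAIL user=rgreen ip=198.51.100.7
2022-03-01T21:40:09 system=ehr event=LOGIN_FAIL user=rgreen ip=198.51.100.7
2022-03-01T21:40:14 system=ehr event=LOGIN_FAIL user=rgreen ip=198.51.100.7
2022-03-01T21:40:18 system=ehr event=LOGIN_FAIL user=rgreen ip=198.51.100.7
2022-03-01T21:40:23 system=ehr event=LOGIN_OK user=rgreen ip=198.51.100.7
2022-03-02T10:00:00 system=ehr event=LOGIN_OK user=klee ip=10.1.4.30
2022-03-02T10:30:00 system=ehr event=LOGIN_OK user=klee ip=10.1.4.31
"""


def parse_line(line):
    """Turn one 'TIMESTAMP k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def review(records):
    """Return {finding_type: [details, ...]} for the conditions described above."""
    findings = defaultdict(list)

    # Audit-control coverage: inventoried ePHI systems with no log lines at all.
    seen_systems = {r["system"] for r in records}
    for system in sorted(EPHI_SYSTEMS - seen_systems):
        findings["no_logs_from_system"].append(system)

    ok_logins = defaultdict(list)   # user -> [(ts, ip), ...] of successful logins
    fails = defaultdict(int)        # (user, ip) -> failures since last success
    for r in sorted(records, key=lambda r: r["ts"]):
        event, user, ip = r["event"], r["user"], r["ip"]
        if event == "LOGIN_FAIL":
            fails[(user, ip)] += 1
        elif event == "LOGIN_OK":
            if user in DEFAULT_ACCOUNTS:
                findings["default_account_login"].append((user, r["system"], ip))
            if fails[(user, ip)] >= FAIL_THRESHOLD:
                findings["success_after_failures"].append((user, ip, fails[(user, ip)]))
            fails[(user, ip)] = 0
            # Shared or stolen credential: same user ID active from a different
            # source address within SHARED_WINDOW of an earlier successful login.
            for prev_ts, prev_ip in ok_logins[user]:
                if prev_ip != ip and r["ts"] - prev_ts <= SHARED_WINDOW:
                    findings["same_user_multiple_ips"].append((user, prev_ip, ip))
                    break
            ok_logins[user].append((r["ts"], ip))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in review(parse_log(SAMPLE_LOG)).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The klee entries are the deliberate negative case: the same user from two addresses thirty minutes apart is ordinary behaviour and is not flagged, while jsmith's two addresses ninety seconds apart are. In a real review the thresholds would be tuned per system, and the findings would be recorded as security incidents with dates, staff and systems involved, which is the documentation gap the next bullet describes.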
Conclusion
HHS-OCR’s annual reports to Congress illuminate the agency’s enforcement priorities and offer insights into common deficiencies and vulnerabilities in safeguards for the privacy and security of PHI. Covered entities and business associates should be mindful of the trends identified in these reports and assess how they might improve their HIPAA compliance programs in the areas highlighted. For instance, given HHS-OCR’s focus on enforcing the individual right of access provision, covered entities should ensure that their right-of-access policies and procedures are actually followed so that individuals receive timely access to their health records.
[1] HHS-OCR recently announced an upward trend in 2023, where hacking accounted for 79% of the large breaches reported to HHS-OCR. The large breaches reported in 2023 affected over 134 million individuals and reflected a 141% increase from 2022.