Services
Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
About Us
About Us
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships

A Breakdown of Recent HIPAA Compliance Issues and Breaches

Healthcare Assessments

You’ve likely heard the phrase “those who cannot remember the past are condemned to repeat it”—or at least something like it, and the sentiment is true. It’s incredibly helpful to understand what pitfalls or stumbles occurred in the past so that the same traps aren’t fallen into, and it’s even more helpful when someone compiles a list of those pitfalls that more easily lay them all out.

That’s exactly what the HHS Office for Civil Rights (OCR) recently did when it delivered its Annual Reports to Congress on HIPAA Compliance and Breaches of Unsecured Protected Health Information (PHI) on February 17, 2023. The reports—found here and here—summarize key HIPAA activities during the 2021 calendar year.

These reports could benefit regulated entities, as the details provide insight as to where organizations previously fell short—among other useful data—giving you specific places to look to ensure your continued HIPAA compliance. As a HIPAA assessor, we’re going to break down what was a lot of information provided so that you can take away important insight you can use to maintain compliance and further your understanding of this law.

How Does HIPAA Enforcement Work?

 

Before we get into the details, you may be wondering how all this information is gathered in the first place.

OCR enforces the HIPAA Rules by investigating the written complaints filed to them on paper, by e-mail, or through its complaint portal, but they also conduct compliance reviews and audits themselves to determine if covered entities or business associates are in compliance with the HIPAA Rules. That being said, the OCR did not perform any audits in 2021 due to a lack of financial resources.

Despite that, the data reflects some troubling trends:

  • There’s been a significant increase in HIPAA complaints received (39% increase from 2017 to 2021) as well as in large breaches reported (58% increase from 2017 to 2021).
  • OCR received 34,077 new complaints alleging violations of the HIPAA Rules and the HITECH Act, representing an increase of 25% from the number of complaints received in the calendar year 2020.

But it doesn’t have to take a submitted grievance to trigger an investigation—the OCR also initiated 674 compliance reviews to investigate allegations of violations of the HIPAA Rules that did not arise from complaints:

  • Of these, 609 were initiated as a result of a breach report affecting 500 or more individuals and 22 were a result of a breach report affecting fewer than 500 individuals.
  • The remaining 43 compliance reviews were opened based on incidents brought to OCR’s attention through multiple complaints regarding an entity or practice, media reports, or other means. 

Key Initial Takeaways From the OCR’s 2021 Annual Report to Congress

So, what did the OCR find and then report to Congress?

  • Steps that were taken by the OCR to investigate complaints, breach reports, and compliance reviews regarding potential violations of the HIPAA Rules—that includes the OCR’s enforcement activities.
  • Important data on the number of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.
  • A need for improved compliance among regulated organizations regarding the HIPAA Security Rule requirements, including:
  • Information system activity review;
  • Risk analysis and risk management;
  • Audit controls; and
  • Access controls, as these were all areas identified as needing improvement after 2021 OCR breach investigations.

 Other important, more specific findings include:

  • Hacking/IT incidents remain the largest category of breaches that occurred in 2021—those breaches affecting 500 or more individuals comprised 75% of the reported breaches—this follows the trend established in the previous three years.
  • Network servers were found to be the most common location for those breaches involving 500 or more individuals. 

Detailed Summary of the 2021 Annual Report to Congress on Breaches of Protected Health Information

 

Now, let’s delve a little deeper into the reported findings as they pertain to unauthorized access to PHI.

Major PHI Breaches in 2021 by Type of Breach

OCR received 609 notifications of breaches affecting 500 or more individuals, a decrease of 7% from the number of reports received in the calendar year 2020—that’s the good news. The bad news is that these reported breaches affected a total of more than 37 million individuals.

The majority of these breaches were due to hacking, with the largest of those involving more than 3 million individuals. Other categories of breaches included the following from most to least:

  • Hacking/IT Incident (75%)
  • Unauthorized access/disclosure (19%)
  • Theft (3%)
  • Loss (1%)
  • Improper Disposal (1%)

Picture2Major PHI Breaches in 2021 by Entity Type

The OCR also broke down the major incidents by entity type—those who suffered the most breaches to those who suffered the least shakes out like this:

  • Healthcare providers (72%)
  • Health plans (15%)
  • Business associates (13%)
  • Healthcare clearinghouses (less than 1%)
Picture1-2

Minor PHI Breaches in 2021

OCR also received 63,571 reports of breaches affecting fewer than 500 individuals, with unauthorized access or disclosure reported as the most frequent type of breach reported. These smaller breaches affected a total of more than 300,000 individuals.

OCR Enforcement Actions and Resolution Agreements in 2021

As part of their enforcement efforts against these breaches, the OCR resolved two breach investigations in 2021—the agreed-upon resolution agreements included corrective action plans and collected settlements totaling over $5.1 million:

Entity Involved

What Happened?

Resolution Agreement

Excellus Health Plan

Excellus filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology systems, installed malware, and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the PHI of more than 9.3 million individuals.

OCR’s investigation found potential violations of the HIPAA Rules, including:

  • Failure to conduct an accurate and thorough risk analysis
  • Failures to implement risk management, information system activity review, and access controls

Excellus agreed to pay $5,100,000 and to implement a corrective action plan.

In addition to the monetary settlement, Excellus agreed to settle their potential violations of the HIPAA Privacy and Security Rules by:

  • Completing a comprehensive risk analysis;
  • Developing an enterprise-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the risk analysis; and
  • Revising or developing policies and procedures to comply with the HIPAA Rules.

Peachstate Health Management

dba AEON Clinical Laboratories

In December 2017, OCR initiated a compliance review of Peachstate to determine its compliance with the HIPAA Privacy and Security Rules.

Their investigation discovered indicia of Peachstate’s systemic noncompliance with the HIPAA Security Rule, including failures to:

  • Conduct a comprehensive and thorough risk analysis;
  • Implement risk management and audit controls; and
  • Maintain documentation of HIPAA Security Rule policies and procedures.

Peachstate agreed to pay $25,000 and to implement a corrective action plan.

In addition to the monetary settlement, Peachstate agreed to settle potential violations of the HIPAA Security Rule by:

  • Completing a comprehensive, enterprise-wide risk analysis;
  • Developing a Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the risk analysis;
  • Developing and distributing policies and procedures to comply with HIPAA Rules; and
  • Training all workforce members who have access to PHI on the HIPAA policies and procedures.

 For more on HIPAA violations and both civil and criminal penalties, check out our in-depth article here. 

Ensuring Your Continued HIPAA Compliance

Recaps like this are important for overarching bodies like Congress, which can work to improve and adapt regulations, but they’re also useful for other organizations that can understand the recent issues discovered elsewhere and take any necessary steps to avoid ending up on the next year’s report—to avoid repeating history.

With this breakdown, you now have a starting point for your internal evaluation of your HIPAA compliance. For those particularly concerned with the risk management elements of HIPAA, you may be interested in learning more about our specialized service—HIPAA Express—that specifically addresses those requirements in an abbreviated assessment designed for healthcare providers.

If not, we offer other resources that can answer other pressing questions regarding HIPAA:

 And, if you’re interested in a full HIPAA assessment—or if you just have lingering, more specific concerns—please feel free to contact us so that our experts can set your mind at ease.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.