A Breakdown of Recent HIPAA Compliance Issues and Breaches
You’ve likely heard the phrase “those who cannot remember the past are condemned to repeat it,” or at least something like it, and the sentiment is true. It’s incredibly helpful to understand what pitfalls or stumbles occurred in the past so that you don’t fall into the same traps, and it’s even more helpful when someone compiles those pitfalls into a single list that lays them all out.
That’s exactly what the HHS Office for Civil Rights (OCR) recently did when it delivered its Annual Reports to Congress on HIPAA Compliance and Breaches of Unsecured Protected Health Information (PHI) on February 17, 2023. The reports—found here and here—summarize key HIPAA activities during the 2021 calendar year.
These reports could benefit regulated entities, because the details provide insight into where organizations previously fell short (among other useful data), giving you specific places to look to ensure your continued HIPAA compliance. As a HIPAA assessor, we’re going to break down the large amount of information provided so that you can take away insight you can use to maintain compliance and further your understanding of this law.
How Does HIPAA Enforcement Work?
Before we get into the details, you may be wondering how all this information is gathered in the first place.
OCR enforces the HIPAA Rules by investigating the written complaints filed with it on paper, by e-mail, or through its complaint portal, but it also conducts compliance reviews and audits on its own initiative to determine whether covered entities or business associates are in compliance with the HIPAA Rules. That being said, OCR did not perform any audits in 2021 due to a lack of financial resources.
Despite that, the data reflects some troubling trends:
- There’s been a significant increase in HIPAA complaints received (39% increase from 2017 to 2021) as well as in large breaches reported (58% increase from 2017 to 2021).
- OCR received 34,077 new complaints alleging violations of the HIPAA Rules and the HITECH Act, representing an increase of 25% from the number of complaints received in the calendar year 2020.
But an investigation doesn’t require a submitted grievance to get started. OCR also initiated 674 compliance reviews to investigate allegations of violations of the HIPAA Rules that did not arise from complaints:
- Of these, 609 were initiated as a result of a breach report affecting 500 or more individuals and 22 were a result of a breach report affecting fewer than 500 individuals.
- The remaining 43 compliance reviews were opened based on incidents brought to OCR’s attention through multiple complaints regarding an entity or practice, media reports, or other means.
Key Initial Takeaways From the OCR’s 2021 Annual Report to Congress
So, what did the OCR find and then report to Congress?
- Steps that were taken by the OCR to investigate complaints, breach reports, and compliance reviews regarding potential violations of the HIPAA Rules—that includes the OCR’s enforcement activities.
- Important data on the number of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.
- A need for improved compliance among regulated organizations regarding the HIPAA Security Rule requirements, including:
  - Information system activity review;
  - Risk analysis and risk management;
  - Audit controls; and
  - Access controls, as these were all areas identified as needing improvement after 2021 OCR breach investigations.
Other important, more specific findings include:
- Hacking/IT incidents remained the largest category of breaches in 2021, accounting for 75% of the reported breaches affecting 500 or more individuals; this continues the trend established in the previous three years.
- Network servers were found to be the most common location for those breaches involving 500 or more individuals.
Detailed Summary of the 2021 Annual Report to Congress on Breaches of Protected Health Information
Now, let’s delve a little deeper into the reported findings as they pertain to unauthorized access to PHI.
Major PHI Breaches in 2021 by Type of Breach
OCR received 609 notifications of breaches affecting 500 or more individuals, a decrease of 7% from the number of reports received in the calendar year 2020—that’s the good news. The bad news is that these reported breaches affected a total of more than 37 million individuals.
The majority of these breaches were due to hacking, with the largest of those involving more than 3 million individuals. Other categories of breaches included the following from most to least:
- Hacking/IT Incident (75%)
- Unauthorized access/disclosure (19%)
- Theft (3%)
- Loss (1%)
- Improper Disposal (1%)
Major PHI Breaches in 2021 by Entity Type
OCR also broke down the major incidents by entity type. From the entities that suffered the most breaches to those that suffered the least, the distribution shakes out like this:
- Healthcare providers (72%)
- Health plans (15%)
- Business associates (13%)
- Healthcare clearinghouses (less than 1%)
Minor PHI Breaches in 2021
OCR also received 63,571 reports of breaches affecting fewer than 500 individuals, with unauthorized access or disclosure being the most frequently reported type of breach. These smaller breaches affected a total of more than 300,000 individuals.
OCR Enforcement Actions and Resolution Agreements in 2021
As part of its enforcement efforts against these breaches, OCR resolved two breach investigations in 2021. The resulting resolution agreements included corrective action plans and collected settlements totaling over $5.1 million:
Excellus Health Plan
Excellus filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology systems, installed malware, and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the PHI of more than 9.3 million individuals.
OCR’s investigation found potential violations of the HIPAA Rules, including:
Excellus agreed to pay $5,100,000 and to implement a corrective action plan.
In addition to the monetary settlement, Excellus agreed to settle their potential violations of the HIPAA Privacy and Security Rules by:
Peachstate Health Management
In December 2017, OCR initiated a compliance review of Peachstate to determine its compliance with the HIPAA Privacy and Security Rules.
Their investigation discovered indicia of Peachstate’s systemic noncompliance with the HIPAA Security Rule, including failures to:
Peachstate agreed to pay $25,000 and to implement a corrective action plan.
In addition to the monetary settlement, Peachstate agreed to settle potential violations of the HIPAA Security Rule by:
For more on HIPAA violations and both civil and criminal penalties, check out our in-depth article here.
Ensuring Your Continued HIPAA Compliance
Recaps like this are important for overarching bodies like Congress, which can work to improve and adapt regulations. But they’re also useful for other organizations, which can study the recent issues discovered elsewhere and take any necessary steps to avoid ending up on next year’s report, that is, to avoid repeating history.
With this breakdown, you now have a starting point for your internal evaluation of your HIPAA compliance. For those particularly concerned with the risk management elements of HIPAA, you may be interested in learning more about our specialized service—HIPAA Express—that specifically addresses those requirements in an abbreviated assessment designed for healthcare providers.
If not, we offer other resources that can answer other pressing questions regarding HIPAA:
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.