Annual HIPAA reports show increase in breaches, security complaints

OCR’s annual reports to Congress show a rise in major breaches and HIPAA complaints, but no corresponding increase in funding to manage them.
By admin
Mar 5, 2024, 4:07 PM

The Office for Civil Rights (OCR) has sent its pair of annual HIPAA reports to Congress, informing lawmakers of a continued rise in major data breaches and HIPAA-related complaints.

The agency states that it received 30,435 new complaints alleging violations of the HIPAA Rules in 2022, a 17% increase since 2018, and that the number of large data breaches rose 107% over the same period. In 2022, OCR received 626 notifications of breaches affecting 500 or more individuals; together, these large breaches affected more than 41.7 million individuals nationwide.

The reports point out, however, that OCR has not received additional appropriations to keep pace with the rising rate of security and data privacy incidents, which limits the agency's ability to address the industry's needs in a timely and comprehensive manner.

“OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said OCR Director Melanie Fontes Rainer. “Our healthcare systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”  

Key stats on HIPAA-related incidents in 2022 

Attackers continue to grow more capable, and the result is larger and more serious breaches arriving through a range of attack vectors.

  • In 2022, OCR resolved a total of 32,250 complaints alleging violations of the HIPAA Rules and the HITECH Act. Eighty-seven percent of those complaints were resolved without an investigation, and a further 9% were resolved by providing technical assistance before an investigation was opened. In 560 cases, the covered entity or business associate took corrective action.
  • Of those complaints, 17 were resolved with a combination of Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500. One investigation ended with a civil money penalty of $100,000.
  • Hacking and IT incidents remained the largest cause of breaches affecting 500 or more individuals, accounting for 74% of reported large breaches. Healthcare providers reported 59% of these large breaches and business associates reported 35%.
  • In 58% of large breaches the affected PHI was located on a network server; email was the location in 22% of cases and the electronic health record (EHR) in 6%.
  • In addition to the 626 large breach reports, OCR received 63,966 reports of breaches affecting fewer than 500 individuals. Unauthorized access or disclosure was the most frequent cause of these smaller incidents, which affected a total of 257,105 individuals. They occurred at healthcare providers 91% of the time and most often involved paper records (62%).
  • 799 breach investigations were closed through technical assistance, resolution agreements and corrective action plans, or a determination that no violation had occurred.
  • Three breach investigations resulted in a combined total of more than $2.4 million in monetary payments alongside corrective action plans and resolution agreements.

Recommendations for preventing future security incidents 

OCR urges covered entities to take all appropriate action to protect their data assets and infrastructure, including conducting regular risk analysis and risk management activities, reviewing information system activity, implementing audit controls, planning for incident response and reporting, and monitoring credentials and authentication protocols.

The agency has taken steps to increase outreach and education to the public about their HIPAA rights, and has also worked with regulated entities to raise awareness of breach trends, HIPAA requirements, and penalties for failing to adhere to regulations. 

In 2022, OCR also released a video presentation on the categories of recognized security practices, which includes advice on how to demonstrate implementation of important safeguards and protocols. The video has been viewed more than 12,000 times since its release. 

As breaches and violations continue to plague the healthcare industry, cybersecurity leaders will need to monitor their existing infrastructure regularly and commit to ongoing improvements to keep pace with evolving attacker techniques. Working closely with federal agencies such as OCR, with internal security experts, and with developers of cybersecurity products will be essential for safeguarding patient data and avoiding reportable incidents.

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.
