HIPAA enforcement weakened by lack of funding, OCR tells Congress

Amid a surge in cyberattacks, the Office for Civil Rights (OCR) tells Congress that federal HIPAA enforcement resources are stretched to the limit.
By admin
Mar 8, 2023, 3:00 PM

HIPAA complaints are on the rise, and the Office for Civil Rights (OCR) is running out of the staff and financial resources needed to adequately investigate and address all potential issues, the agency says in a new report to Congress.

“There have been significant increases in HIPAA complaints received (39% increase from 2017 to 2021) and large breaches reported (58% increase from 2017 to 2021), without any increases in appropriations during that same time period,” OCR wrote in its annual report. “Further, in April 2019, as a part of HHS’s review of existing regulations, HHS issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties that significantly reduced the maximum annual cap for three of the four penalty tiers.” 

“These factors have combined to cause a severe strain on OCR’s limited staff and resources. This lack of necessary funding limits OCR’s HIPAA enforcement activities during a time of substantial growth in cybersecurity attacks to the health care sector.” 

OCR is responsible for investigating complaints made to the office about suspected violations of HIPAA rules. It also conducts routine compliance reviews and audits of entities subject to the HIPAA rules, including business associates. 

If the office determines non-compliance, the offending entity may be subject to a variety of next steps, including voluntary corrective action, resolution agreements, and/or civil monetary penalties. 

All of these activities require significant staffing resources and the funding to back them. OCR receives Congressional appropriations to support its work and may also use funds collected through civil monetary penalties to continue fulfilling its mission. 

However, with only minimal increases in appropriations to account for inflation and restrictions on the civil penalties it can collect from non-compliant entities, OCR may struggle to protect the industry adequately in the near future. 

That’s a major problem for the healthcare industry, which saw 34,077 HIPAA complaints in 2021 and experienced more than 64,000 data breaches. The vast majority of complaints were settled prior to the start of an investigation. 

OCR also initiated 674 compliance reviews in 2021, a ten percent decrease from the previous year. More than 600 of these reviews were prompted by the report of a data breach. The office did not initiate any audits in 2021 due to a lack of financial resources to support such activities. 

OCR isn’t the only federal agency overseeing the security of the healthcare industry. The FTC and FBI also play a role in monitoring the exposure of personal health information and investigating breaches, particularly those caused by cybercriminals. But OCR plays a unique part in protecting healthcare consumers from the actions of healthcare providers themselves, whether intentional or otherwise.

A toothless OCR would be very problematic for consumers with complaints about how healthcare entities are handling their information, especially as new rules around patient data access take effect for payers, vendors, and providers.   

Staff misinterpretations about what is permissible, or even required, under HIPAA are a common source of consumer complaints. Covered entities will need to make sure they have a full and accurate understanding of the HIPAA rules when implementing new technologies, such as APIs, to give patients access to their personal information.   

Ensuring that OCR has the tools required to conduct its routine activities and manage the increase in breaches and complaints will be essential going forward. 

“The health care industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA Rules to support greater privacy and security of individuals’ protected health information,” said OCR Director Melanie Fontes Rainer in a press release. “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.” 

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.
