The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has filed its annual report to Congress on compliance with the HIPAA Privacy, Security, and Breach Notification Rules and on breaches of unsecured protected health information (PHI) for the year 2022.
HIPAA Compliance in 2022
In the annual report, OCR notes that large data breaches grew by 107% from 2018 to 2022, and complaints about possible HIPAA violations grew by 17% over the same period. OCR is now also required to consider whether an entity had recognized security practices in place when determining penalties. As a result, OCR's workload has increased considerably, yet OCR has not been given additional appropriations. In 2019, OCR also re-evaluated the language of the HITECH Act and lowered the penalty amounts in three of the penalty tiers, allowing violators to pay smaller fines. The higher workload and the reduced penalty amounts have placed a serious strain on OCR's limited personnel and resources. The lack of funding is limiting its ability to investigate complaints and data breaches at a time of considerable growth in cyberattacks on the healthcare industry. The HITECH Act requires OCR to perform periodic audits to assess HIPAA compliance, but no such audits were performed in 2022 because of the lack of financial resources.
Summary of HIPAA Complaints
In 2022, complaints decreased by 11% year-over-year and compliance reviews increased by less than 1%. OCR received 30,435 new complaints alleging violations of the HIPAA Rules and the HITECH Act, and 11,465 complaints remained open from previous years. 32,250 complaints were resolved before an investigation was initiated. 2,882 complaints were resolved through technical assistance, and 560 were resolved through voluntary corrective action. 686 complaints lacked sufficient evidence of a HIPAA violation. 15 complaints were investigated and led to OCR providing technical assistance. 17 complaints were settled through resolution agreements, corrective action plans, and monetary settlements totaling $802,500. One complaint was resolved with a $100,000 civil monetary penalty.
OCR initiated 676 compliance reviews and completed 846, of which 674 required corrective action or payment of a civil monetary penalty. Three compliance reviews were resolved through settlement agreements and monetary payments totaling $2,425,640. The remaining 172 (20%) were resolved with technical assistance (4%), closed because insufficient evidence of a HIPAA Rules violation was found (11%), or closed because OCR lacked jurisdiction to investigate the allegations (5%). A copy of the OCR HIPAA compliance report submitted to Congress can be viewed here.
Healthcare Data Breaches in Calendar Year 2022
In 2022, OCR received 626 notifications of breaches affecting 500 or more records, a 3% increase from 2021. Across those incidents, the PHI of 41,747,613 individuals was exposed. The primary cause of those data breaches was hacking. OCR also received 63,966 reports of breaches affecting fewer than 500 individuals each, which together affected 257,105 people. This represents a 1% increase in small breaches from 2021.
OCR investigated all of the large data breaches and two of the smaller breaches, conducting 799 breach investigations in 2022. Investigations that identified probable HIPAA violations were resolved with technical assistance, voluntary compliance, corrective action plans (CAPs), and monetary payments. In 2022, OCR settled three investigations through monetary payments and CAPs (New England Dermatology & Laser Center; Oklahoma State University - Center for Health Sciences; Banner Health) and collected $2,425,640 from those settlements.
OCR stated that 74% of the reported large data breaches were hacking/IT incidents, which affected 32,255,597 individuals, with the breached data most frequently located on network servers. 22% of breaches were unauthorized access/disclosure incidents, and less than 1% of breaches were caused by loss, theft, or improper disposal of PHI. The smaller breaches were primarily (93%) due to unauthorized access or disclosure of PHI, most often involving paper documents. 4% were due to loss, 1% were hacking/IT incidents, and fewer than 1% were improper disposal incidents.
The largest healthcare data breach in 2022 involved a ransomware attack on a healthcare organization that affected 3,388,856 individuals. Ransomware attacks were prevalent in 2022, as were malware, phishing, and the exposure of PHI on public websites. The largest unauthorized access/disclosure incident occurred when a healthcare provider used tracking technologies on its website, which impermissibly disclosed the PHI of 3 million people to technology companies.
Loss and theft incidents have been declining as a result of the use of encryption. The largest theft incident involved 149,940 paper files stolen from a storage area used by a healthcare company. The largest loss incident involved the destruction of 2,500 records when a pipe burst. The largest improper disposal incident affected the information of 7,500 people, whose records were thrown into a regular dumpster rather than being sent for shredding.
OCR's investigations confirmed the continued need for HIPAA-regulated entities to improve HIPAA compliance, particularly in risk analysis, risk management, audit controls, security incident response and reporting, information system activity review, and person or entity authentication.
The measures most frequently taken to address data breaches were:
- Employing multi-factor authentication
- Changing policies and procedures
- Training or retraining employees who handle PHI
- Providing complimentary credit monitoring and identity theft protection services to customers
- Implementing encryption technologies
- Imposing sanctions on workforce members
- Changing passwords
- Conducting a new risk evaluation
- Changing business associate contracts
OCR’s yearly report to Congress about data breaches can be read here.