Reports spotlight for regulated entities the place to focus HIPAA compliance efforts

On February 14, 2024, the U.S. Department of Health & Human Services Office for Civil Rights issued two Reports to Congress on Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance and enforcement, particularly, on HIPAA Privacy, Security, and Breach Notification Rule Compliance and Breaches of Unsecured Protected Health Information. These studies are required to be submitted to Congress yearly by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The HIPAA Rules present the minimal required privateness and safety safeguards for protected well being data, and provides people rights with respect to that data, equivalent to the correct to entry their well being data. These studies, delivered to Congress, assist regulated entities (equivalent to most well being care suppliers, well being plans, and healthcare clearinghouses) and their enterprise associates of their HIPAA compliance efforts by sharing steps taken by OCR to research complaints, breach studies, and compliance critiques relating to potential violations of the HIPAA Rules. The studies embrace necessary information on the variety of HIPAA circumstances investigated, areas of noncompliance, and insights into traits equivalent to cybersecurity readiness. 

The motion is the most recent step by HHS in supporting the privateness and safety of well being data. In December 2023, HHS launched a Department-wide Cybersecurity technique for the well being care sector and in January 2024, HHS launched voluntary cybersecurity efficiency targets to boost cybersecurity throughout the well being sector.

“OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” stated OCR Director Melanie Fontes Rainer. “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”

The 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the variety of complaints acquired, the tactic by which these complaints had been resolved, the variety of compliance critiques initiated by OCR, and the end result of every assessment. Some highlights embrace:

• OCR acquired 30,435 new complaints alleging violations of the HIPAA Rules
• OCR resolved 32,250 complaints alleging violations of the HIPAA Rules
• OCR resolved 17 grievance investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and financial settlements totaling $802,500, and one grievance investigation with a civil cash penalty within the quantity of $100,000
• OCR accomplished 846 compliance critiques and required topic entities to take corrective motion or pay a civil cash penalty in 80% (674) of those investigations. Three compliance critiques had been resolved with RA/CAPs and financial funds totaling $2,425,640.

The 2022 Report to Congress on Breaches of Unsecured Protected Health Information identifies the quantity and nature of breaches of unsecured protected well being data (PHI) that had been reported to the Secretary of HHS throughout calendar 12 months 2022 and the actions taken in response to these breaches. It additionally highlights the continued want for regulated entities to enhance compliance with the HIPAA Security Rule necessities, together with:

• danger evaluation and danger administration;
• data system exercise assessment;
• audit controls;
• response and reporting; and
• individual or entity authentication.

As in earlier years, hacking/IT incidents stay the biggest class of breaches occurring in 2022 affecting 500 or extra people, and affected probably the most people, comprising 77% of the reported breaches. Network servers continued as the biggest class by location for breaches involving 500 or extra people at 58% of reported giant breaches.

OCR’s 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance could also be discovered at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/reports-congress/index.html

OCR’s 2022 Report to Congress on Breaches of Unsecured Protected Health Information could also be discovered at:  https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html

OCR is dedicated to implementing the HIPAA Rules and supporting the privateness and safety of peoples’ well being data. If you imagine that your or one other individual’s well being data privateness or civil rights have been violated, you may file a grievance with OCR at: https://www.hhs.gov/ocr/complaints/index.html.