HHS OCR Annual Report to Congress on HIPAA Compliance and Breaches of Patient Information


3/31/2024

On February 14, 2024, the OCR issued two reports to Congress covering calendar year 2022: the Annual Report to Congress on HIPAA Privacy, Security and Breach Notification Rule Compliance and the Annual Report to Congress on Breaches of Unsecured Protected Health Information.

Highlights of the first report include:
• OCR received 30,435 new complaints alleging violations of the HIPAA Rules
• OCR resolved 32,250 complaints alleging violations of the HIPAA Rules
• OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one complaint investigation with a civil money penalty in the amount of $100,000
• OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and monetary payments totaling $2,425,640.

The second report highlights that the breaches affecting more than 500 individuals reported to OCR in 2022 affected a total of approximately 41,747,613 individuals. The most commonly reported category of breach was hacking/IT incidents, with the largest breach of this type affecting 3,300,638 individuals. For breaches involving 500 or more individuals, the most common location of the breached information was network servers.

Common deficiencies and vulnerabilities in protections noted by the OCR as areas needing improvement include:
• Conducting security risk analyses and using the results to develop and implement risk management plans
• Regularly conducting information system activity reviews
• Implementing audit controls—hardware, software and/or procedural mechanisms that record and examine system activity in information systems that contain protected health information
• Identifying and responding to suspected or known security incidents and mitigating, to the extent practicable, harmful effects of security incidents
• Implementing person or entity authentication—procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.


If you need assistance with your HIPAA compliance program, an OCR investigation, or a data breach incident, please contact:
Lani M. Dornfeld, CHPC | 973.403.3136 | ldornfeld@bracheichler.com

*This is intended to provide general information, not legal advice. Please contact the authors if you need specific advice.
