Lessons Learned from OCR Reports to Congress on HIPAA Compliance and Data Breaches

To assist HIPAA-regulated entities to improve their compliance with HIPAA and their safeguarding of health information, the Department of Health and Human Services' Office for Civil Rights (OCR) delivered to Congress two reports on the state of HIPAA compliance and data breaches as required by the HITECH Act. The reports – HIPAA Privacy, Security, and Breach Notification Rule Compliance and Breaches of Unsecured Protected Health Information – provide some insights into the nature of data breaches as well as OCR's enforcement priorities. A few thoughts:

• Protecting the Right of Access continues to be a priority: A while back, OCR announced an enforcement initiative focused on protecting the right of access. That continues to be the case, with some 14 settlements and enforcement actions in 2021 centered on timely access to medical records.
• HIPAA complaints have continued to rise: OCR noted a significant increase in HIPAA complaints, up 37% from 2017 to 2021. A broad spectrum of entities – from solo practitioners to large health systems to health plans – received resolution/settlement agreements and civil money penalties.
• Smaller the better: OCR investigated every large breach – those breaches affecting 500 or more individuals. Only a handful of smaller breaches resulted in a compliance review.
• Hacking remains the top cause of breaches: The largest category of breaches involved hacking, with threats coming from both inside and outside the organization. In the largest breach of 2021, two former employees hacked the server of a health care provider. Other hacking breaches involved malware, ransomware, and phishing.
• But don't forget paper: Paper records were the largest category by location for smaller breaches.
• Mitigation is important: When given OCR guidance, regulated entities should implement the guidance and mitigate the issue that triggered a complaint. In at least three resolutions in 2021, a complaint alleged a failure of the covered entity to timely respond to an access request; however, after the initial complaint was closed and guidance given, the same individuals complained again that they still hadn't received copies of the medical records they had requested. In response to the renewed complaint, OCR reopened its investigation, which resulted in OCR forcing settlements, corrective action plans, and monetary payments that all could have been avoided if the covered entity had addressed the access complaint and followed OCR guidance initially.
• Don't ignore OCR: Along these same lines, the two civil money penalty cases in 2021 resulted from the covered entity's failure to respond to OCR's data requests, inquiries, opportunities to resolve the matter, and, in one case, an administrative subpoena.

Save the Date for Davis Wright Tremaine's annual healthcare regulatory and compliance seminar on Thursday March 30, 2023, in Culver City, California. For more information on the seminar, please contact McKenzie Conte at mckenzieconte@dwt.com.