The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently submitted two annual reports to Congress setting forth a summary of complaints and breaches reported to the OCR during calendar year 2021, as well as the enforcement actions taken by the OCR in response. Covered entities and business associates should be aware of the trends identified in these reports and examine how to improve their HIPAA compliance program in these areas.

Annual Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance

The Annual Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance (“Compliance Report”) provides some interesting statistics on complaints filed with the OCR and resulting investigation and enforcement trends by the OCR in 2021. According to the Report, the OCR resolved 17 investigations with resolution agreements and correction action plans (CAPs) and imposed civil monetary penalties (CMPs) totaling $6.1M in collections.

Although there was a slight decrease in breaches reported in 2021, resulting in less OCR compliance reviews initiated, complaints to the OCR rose in 2021. Specifically, the Compliance Report shows that between 2017 and 2021 the number of complaints received by OCR increased 39% and the number of compliance reviews initiated by the OCR grew by 44%. During this same time period, breaches affecting 500 or more individuals rose 58%. However, despite these increases, the OCR did not initiate any proactive audits of covered entities and business associates in 2021 due to the lack of financial resources. The OCR also continued its outreach and education efforts by conducting 218 outreach events and conference to various stakeholders focusing on OCR actions related to the pandemic, including telehealth guidance, launching a HIPAA and COVID-19 website, and hosting a series of webinars with the Office of the National Coordinator for Health Information Technology (ONC) regarding updates to the HIPAA Security Risk Assessment (SRA) Tool.

Report on Breaches of Unsecured Protected Health Information

Some notable findings also came out of the OCR’s Report on Breaches of Unsecured Protected Health Information. For instance, in 2021 the OCR commenced investigations into 631 total breaches (609 of which affected > 500 individuals). Of that total, the OCR completed 554 investigations and resolved two of them with resolution agreements/CAPs and collected CMPs totaling over $5.1M. The OCR summarized some of the lessons learned and the areas needing improvement as follows:

  • Risk Analysis. The Security Rule requires organizations to complete a risk analysis that is an accurate and thorough assessment of the potential risks and vulnerabilities to the electronic PHI (ePHI) held by the covered entity or business associate. The OCR’s investigations found evidence of non-compliance with this requirement, such as through failing to conduct these requires risk analyses. To assist small and medium-sized health care practices and business associates in complying with the HIPAA Security Rule, the ONC and OCR have jointly launched a HIPAA SRA Tool. It is also helpful when conducting risk assessments to map each administrative, physical, and technical safeguard standard and implementation specification required by the Security Rule to a relevant NIST Cybersecurity Framework Subcategory using the HIPAA Security Crosswalk to the NIST Cybersecurity Framework. A risk analysis can be carried out by qualified internal personnel or third-party vendors.
  • Risk Management. The Security Rule also requires covered entities and business associates to implement risk management practices such as implementing sufficient security measures to reduce potential risks and vulnerabilities to a reasonable and appropriate level. Once HIPAA-regulated entities identify these vulnerabilities, they must develop a plan designed to show how they will remediate them.
  • Information System Activity Review. HIPAA-regulated entities must also regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These processes not only enable such entities to determine if any ePHI is used or disclosed in an inappropriate manner, but can play a crucial role in detecting and potentially eliminating or mitigating internal and external malicious activity. Through its investigations, the OCR found non-existent or deficient processes, such as reviews that were ad hoc and reactive. Although these procedures may be different for each HIPAA-regulated entity, they must be implemented pursuant to the Security Rule and should be customized to meet their respective risk management strategies and take into account the capabilities of all information systems with ePHI.
  • Audit Controls Standard. The Security Rule obligates covered entities and business associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Most information systems provide some level of audit controls with a reporting method, such as audit reports, which are useful for recording and examining information system activity, especially when determining if a security violation occurred. With that said, the OCR’s investigations continued to find regulated entities lacking such mechanisms entirely or maintaining audit control mechanisms for only a narrow subset of its systems containing or using ePHI. Covered entities and business associates must consider their risk analysis and organizational factors, such as current technical infrastructure, hardware, and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use ePHI.
  • Access Control Standard. A covered entity must implement technical policies and procedures that allow only authorized persons to access ePHI. The OCR’s investigations revealed noncompliance with this standard, such as through ineffective access controls – which the OCR identified as a frequently contributing factor to breaches of unsecured ePHI. Covered entities and business associates should work with their HR and business team leads to clearly define role-based access for their workforce members. They should also assign separate user accounts to each user in their organization, configure systems and endpoints to automatically lock out and log off users after a predetermined period of inactivity, and establish procedures for terminating a user’s access (as soon as that user leaves your organization) to prevent these former users (who may have improper motives) from accessing ePHI.

For more information about how to address these common HIPAA compliance gaps, please contact the authors or any Partner or Senior Counsel in Foley’s Cybersecurity and Data Privacy team.