HHS OCR Delivered Annual Reports to Congress

Elizabeth Nevins, Sara Helene Shanti
Sheppard Mullin Richter & Hampton LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Sheppard Mullin Richter & Hampton LLP

In February, when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) delivered two annual reports to Congress for the 2021 calendar year as mandated by the HITECH Act, several notable takeaways were exposed. By providing data on enforcement actions and insight into areas of noncompliance, the reports assist HIPAA entities to mitigate risk, prioritize compliance efforts, and promote industry accountability.

The first report summarized HIPAA enforcement actions undertaken by OCR in 2021 as well as the outcomes of the investigations (the “Compliance Report”). The second report provided insight into breaches of unsecured protected health information (PHI) and actions taken in response to those breaches (the “Breach Report”).

Key Takeaways from The Compliance Report:

  • In 2021, OCR received over 34,000 new complaints: a 25% increase from 2020
  • Over three-quarters of these complaints were resolved before initiating an investigation
  • Despite the increase, only 13 resulted in Resolution Agreements/Corrective Action Plans
  • Numerous outreach activities were used to educate entities, focusing on pandemic initiatives, like telehealth
  • The top five issues alleged were related to (1) Impermissible Uses and Disclosures; (2) Right of Access; (3) Safeguards; (4) Administrative Safeguards pursuant to the HIPAA Security Rule; and (5) Breach-Notice to Individuals
  • Due to a lack of resources, OCR did not initiate any 2021 audits.

Key Takeaways from The Breach Report:

  • OCR received 609 notifications of breaches that impacted 500 or more individuals
  • This was a 7% decrease from 2020, but affected more than 37 million individuals
  • Hacking remained the most prevalent cause for these types of breaches, comprising 75% of the reported breaches
  • There were more than 63,000 reports of breaches affecting fewer than 500 individuals
  • OCR resolved two breach investigations with resolution agreements, corrective action plans, and monetary payments totaling $5,125,000.

Both reports included case analyses and summaries of settlement terms, revealing macro-level trends. Healthcare is a complex, diverse, and rapidly evolving industry, with 2022 and 2023 already seeing new priorities related to AI and web-tracking and virtual care matters on the rise.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Sheppard Mullin Richter & Hampton LLP
Contact
more
less

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide