HHS OCR Provides Annual Report to Congress Detailing 2022 Enforcement Activities

BakerHostetler

On Feb. 16, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published its 2022 Annual Report to Congress. The report details OCR’s enforcement of the HIPAA Privacy, Security, and Breach Notification Rules, including the number of complaints received, how those complaints were resolved, the number and outcome of compliance reviews and audits OCR initiated, and the compliance and enforcement initiatives OCR plans to pursue in the following year.

The report does not contain any significant surprises, but it does provide some interesting statistics:

  • After a high-water mark of 656 “over 500” breaches reported in 2020 and a subsequent dip in 2021 to 609 such breaches reported, OCR received reports of 626 breaches impacting 500 or more individuals’ protected health information (PHI) in 2022.
  • In a similar pattern, breaches impacting under 500 individuals’ PHI peaked in 2020, with 66,509 such incidents reported, followed by 63,571 and 63,966 reported in 2021 and 2022, respectively.
  • OCR “received 30,435 new HIPAA complaints and carried over 11,465 open complaints from 2021.” The report indicates that 32,250 complaints were resolved in calendar year 2022; 28,107 of those were dismissed before OCR initiated an investigation, and an additional 2,882 were resolved with OCR providing technical assistance in lieu of an investigation. This volume of complaint intake and triage may be a significant contributor to the resource strain highlighted in the opening paragraphs of the report.
  • OCR closed 846 compliance reviews in 2022, 799 of which were initiated as a result of breach reports and 47 of which were initiated through or originated from “other means.” OCR explains in the report that non-breach report compliance reviews can be initiated “based on an event or incident brought to OCR’s attention, such as through the media, referrals from other agencies, or based upon patterns identified through multiple complaints alleging the same or similar violations against the same entity.”

OCR does not explicitly state the enforcement and compliance initiatives it plans to pursue, instead recounting the outreach and guidance it provided in 2022. The activities listed in the report that appear to most accurately reflect OCR’s enforcement focus in 2023 and beyond are:

  • Issuing a request for information regarding the “recognized security practices” standard set forth in the Jan. 5, 2021 amendment to the HITECH Act. OCR also released a YouTube video on the subject.
  • Hosting webinars about the revamped HHS Security Risk Assessment Tool. We continue to see significant focus on Security Risk Assessments in OCR investigations.
  • Issuing guidance on online privacy, first on the use of personal devices and then on the use of tracking technology by covered entities. This guidance resulted in significant criticism, and HHS OCR was sued late last year by the American Hospital Association and several healthcare providers over whether the guidance exceeds OCR’s authority.
  • Relatedly, OCR worked with several other federal agencies, including the Federal Trade Commission (FTC), the Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration, to update the Mobile Health App Interactive Tool. The purpose of the tool is to assist health app developers in understanding the federal laws and regulations that may apply to the app, including the FTC’s Health Breach Notification Rule and HIPAA, among others. This was not the only time OCR and the FTC teamed up; in late summer 2023, the agencies sent a joint letter to 130 healthcare providers warning them about their use of website tracking technologies.

Key Takeaways:

It is clear that OCR will continue its enforcement activity in the coming year both on emerging issues, such as online tracking technologies, and on the tried-and-true HIPAA Security Rule risk analysis requirement. Covered entities and business associates alike should continue to prioritize these assessments before OCR comes calling.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising