HHS OCR Publishes 2021 HIPAA Complaint and Breach Reports

Saul Ewing LLP
The 2021 calendar year reports from HHS OCR describe OCR's enforcement and compliance efforts during that year and are instructive tools for all parties who must comply with HIPAA, helping them understand macro-level trends.

What You Need to Know:

  • OCR continues to receive tens of thousands of HIPAA complaints each year.
  • "Large" breaches affecting more than 500 individuals often get the headlines, but there are more than 10 times as many "smaller" breaches affecting fewer than 500 individuals, and these are just as important.
  • HIPAA compliance remains important, and breaches – large and small – have consequences for covered entities and business associates.

On February 17, 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released two annual reports to Congress for the calendar year 2021 as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The first report relates to HIPAA Privacy, Security and Breach Notification compliance (the Compliance Report, which can be found here), and the second report relates to Breaches of Unsecured Protected Health Information (the Breach Report, which can be found here).

The Compliance Report noted the following:

  • OCR received over 34,000 new complaints, a 25 percent increase from calendar year 2020.
  • OCR resolved over 26,000 complaints, including 78 percent before initiating an investigation.
  • OCR completed investigations in 1,620 complaints; 714 of these required the covered entity or business associate to take corrective action.
  • The top five issues in complaints resolved in 2021 related to: impermissible uses and disclosures; right of access; safeguards; administrative safeguards under the HIPAA Security Rule; and breach notices to individuals.
  • OCR resolved 13 complaints with Resolution Agreements and Corrective Action Plans and monetary settlements totaling more than $815,000 and two complaints with civil money penalties totaling $150,000.
  • Due to a lack of resources, OCR did not initiate any 2021 audits.

The Breach Report noted the following:

  • OCR received 609 notifications of breaches affecting 500 or more individuals; these breaches affected more than 37 million individuals.
  • Hacking/IT incidents were the most prevalent cause of these 'large' breaches. The next most common cause was unauthorized access to or disclosure of records containing PHI.
  • OCR received almost 64,000 reports of breaches affecting fewer than 500 individuals; these breaches affected more than 319,000 individuals.
  • Network servers were the most prevalent cause of these 'smaller' breaches; email was the second most common cause, and paper records were third.
  • Health care providers comprised 91 percent of the reports for these ‘smaller’ breaches. Health plans represented seven percent of these reports.
  • OCR resolved two breach investigations with resolution agreements, corrective action plans, and monetary payments totaling $5,125,000.
  • Compared to 2020, the number of ‘large’ breaches dropped by four percent and the number of ‘small’ breaches dropped by seven percent.

The Appendices to the Compliance Report and the Breach Report include helpful lists of the Resolution Agreements and summaries of the settlement terms.

HIPAA compliance remains an important compliance element for Covered Entities (e.g., health care providers and health plans) and Business Associates. These annual reports required by HITECH are an important reminder of the work done by OCR and of the consequences of failing to comply with HIPAA or of suffering a breach.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
