New HIPAA Reports to Congress Shed Light on OCR Enforcement

by Davis Wright Tremaine LLP

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued two reports to Congress, as required by the HITECH Act. The compliance report details OCR’s enforcement activities for 2011 and 2012 and sheds light on what covered entities and business associates can expect from OCR going forward. This is not the first signal that OCR’s enforcement efforts are shifting and accelerating. The breach report summarizes the breaches affecting 500 or more individuals and offers a glimpse of what OCR is seeing for breaches affecting less than 500 individuals.


OCR’s Compliance Report for 2011-2012

As of the end of 2012, OCR had received approximately 77,000 complaints since the Privacy Rule compliance date (April 14, 2003) and had closed 91% of them. More than half of the complaints OCR receives are closed after a determination that OCR does not have jurisdiction to investigate the matter.

OCR clarifies that it opens compliance reviews for all breaches affecting 500 or more individuals. Additionally, OCR may open compliance reviews in response to notifications of breaches affecting fewer than 500 individuals or as it becomes aware of potential non-compliance (such as through media reports). Unlike for complaints, OCR does not report how many compliance reviews it has closed. Notably, OCR’s recent enforcement action against New York Presbyterian Hospital and Columbia University, which resulted in a $4.8 million settlement, stemmed from a breach reported in 2010. In light of the three-year lapse between the breach and the settlement, the industry may expect to see more enforcement actions arising from breaches reported in earlier years.

This compliance report also highlights OCR’s audit program. While not new information, OCR again emphasizes that 89% of the 115 entities audited in the pilot audits were not fully compliant with HIPAA. OCR also noted that audit findings relating to security accounted for a disproportionately high number of total findings. To date, most OCR settlement cases involve security incidents.

OCR’s Breach Report for 2011-2012

OCR’s breach report confirms that it received more than 200 large breach reports for both 2011 and 2012 – only a slight increase from 2010. There was a huge jump in the number of individuals affected by breaches in 2011, but this was mostly attributable to a couple of particularly large breach incidents (impacting approximately 4.9 million and 1.9 million individuals, respectively). As of today, OCR has not posted a summary on its website for either of these breaches, potentially indicating that these breaches are still being investigated.

While theft and loss remain the top causes of large breaches, there appears to be an uptick in the impact of breaches related to hacking or IT incidents. In 2011 these breaches accounted for only 1% of the individuals affected by large breaches. By 2012, this number had jumped to 27%. This report is also the first in which OCR references a “ransom” attack, in which a malicious outsider makes electronic protected health information inaccessible until a ransom is paid.

The breach report also highlights breaches by business associates. In 2011 in particular, most large breach incidents were attributable to health care providers, but more individuals were affected by large breaches attributable to business associates (because the business associate breach incidents were disproportionately large). OCR also has indicated that it will include business associates in future audits.

Much of the information on large breaches is already made publicly available through OCR’s website, and Davis Wright now maintains more up-to-date summary information on such large breaches on its Privacy & Security Law Blog. The breach report, however, sheds new light on the breaches affecting fewer than 500 individuals. The number of reports OCR received in 2011 and 2012 (25,705 and 21,194, respectively) does not deviate much from the number received in 2010 (2009 accounted for only a little more than the last quarter of the calendar year); however, the number of individuals affected by small breaches spiked in 2011 and 2012. The number of individuals affected more than tripled from 2010 to 2011, and increased further in 2012. This comes just a year after OCR announced its first settlement against a covered entity for a small breach.

Additionally, there are some clear trends in the small breaches reported to OCR:

  • The vast majority (84% for 2011; 83% for 2012) of these small breaches are happening at the health care provider level. More small breach incidents involve paper records than electronic protected health information (62% for 2011; 61% for 2012).
  • The number one cause of small breaches for both years was unauthorized access or disclosure (84% for 2011; 74% for 2012), which may include misdirected communications, such as records or bills mailed to the wrong patient or an old address.
  • Although theft and loss did not account for a large number of the small breach reports, together they affected a disproportionate number of individuals (46% for 2011; 42% for 2012).

Key Takeaways for Covered Entities and Business Associates

OCR is ramping up enforcement. OCR indicates in the compliance report that it is “realign[ing] its enforcement efforts.” OCR has completed six settlements in the past four months with settlement amounts totaling approximately $7.79 million, doubling the total settlement amounts obtained in 2013. An OCR attorney also recently indicated that the settlements to date in 2014 “pale in comparison” to what is to come.

OCR is focused on Security Rule enforcement. OCR recommends that covered entities and business associates pay particular attention to compliance with key aspects of the Security Rule. According to OCR, better compliance in these areas may reduce common breaches. These areas include:

  • Risk analysis and risk management. Conducting a thorough security risk analysis and maintaining a risk management plan that identifies and addresses the potential risks and vulnerabilities to all electronic protected health information. The risk analysis and risk management plan also should be updated from time to time.
  • Security evaluation. Conducting periodic security evaluations and ensuring that appropriate physical and technical safeguards remain in place during operational changes, including facility or office moves or renovations, and conducting appropriate technical evaluations for software, hardware, and website upgrades that may impact protected health information.
  • Portable electronic devices. Safeguarding protected health information stored and transported on portable electronic devices, including through encryption and policies and procedures.
  • Physical access controls. Verifying that physical safeguards limit access to facilities and workstations used to maintain or access protected health information.
  • Proper disposal. Ensuring policies and procedures account for the proper disposal of protected health information in both paper and electronic forms. Electronic devices and media that may contain protected health information should be purged or wiped before they are recycled, discarded, or returned to a third party, such as a leasing agent.

These are important areas for covered entities and business associates to address, but a compliance program is only as good as its weakest link. With HIPAA audits in the near future, covered entities and business associates should ensure they have appropriate safeguards in place and have updated all policies and procedures, training materials and business associate agreements in light of the Omnibus Final Rule changes. The OCR audit protocol is a good place for covered entities to start: OCR used this protocol to assess covered entities’ compliance in the pilot audits. We caution that OCR has not updated this protocol to reflect changes made by the Omnibus Final Rule. This protocol also does not identify provisions applicable to business associates. Additional resources on HIPAA audits are available through Davis Wright Tremaine, including our Audit Toolkits:

Business associates may represent a particularly high risk, as their breaches often affect more individuals.

  • From September 2009 to June 28, 2014, business associates accounted for approximately 26% of large breaches. However, large breaches involving business associates have affected 48% of all individuals affected by large HIPAA breaches.
  • As with covered entity breaches, theft was the number one cause of large business associate breaches from September 2009 to June 28, 2014.
  • While paper records accounted for the highest number of large business associate breach incidents (24%) for the same time period, less than 6% of individuals affected by large business associate breaches were affected by breaches of paper records.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising
