The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently submitted two annual reports to Congress setting forth a summary of complaints and breaches reported to the OCR during calendar year 2021, as well as the enforcement actions taken by the OCR in response. Covered entities and business associates should be aware of the trends identified in these reports and examine how to improve their HIPAA compliance program in these areas.
Annual Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance
The Annual Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance ("Compliance Report") provides some interesting statistics on complaints filed with the OCR and the resulting investigation and enforcement trends at the OCR in 2021. According to the Report, the OCR resolved 17 investigations with resolution agreements and corrective action plans (CAPs) and imposed civil monetary penalties (CMPs) totaling $6.1M in collections.
Although there was a slight decrease in breaches reported in 2021, resulting in fewer OCR compliance reviews being initiated, complaints to the OCR rose in 2021. Specifically, the Compliance Report shows that between 2017 and 2021 the number of complaints received by the OCR increased 39% and the number of compliance reviews initiated by the OCR grew by 44%. During this same period, breaches affecting 500 or more individuals rose 58%. However, despite these increases, the OCR did not initiate any proactive audits of covered entities and business associates in 2021 due to a lack of financial resources. The OCR also continued its outreach and education efforts by conducting 218 outreach events and conferences for various stakeholders, focusing on OCR actions related to the pandemic, including telehealth guidance, launching a HIPAA and COVID-19 website, and hosting a series of webinars with the Office of the National Coordinator for Health Information Technology (ONC) regarding updates to the HIPAA Security Risk Assessment (SRA) Tool.
Report on Breaches of Unsecured Protected Health Information
Some notable findings also came out of the OCR's Report on Breaches of Unsecured Protected Health Information. For instance, in 2021 the OCR commenced investigations into 631 total breaches (609 of which affected > 500 individuals). Of that total, the OCR completed 554 investigations and resolved two of them with resolution agreements/CAPs, collecting CMPs totaling over $5.1M. The OCR summarized the lessons learned and the areas needing improvement as follows:
- Risk Analysis. The Security Rule requires organizations to complete a risk analysis that is an accurate and thorough assessment of the potential risks and vulnerabilities to the electronic PHI (ePHI) held by the covered entity or business associate. The OCR's investigations found evidence of non-compliance with this requirement, such as failing to conduct these required risk analyses at all.
To assist small and medium-sized health care practices and business associates in complying with the HIPAA Security Rule, the ONC and OCR have jointly launched a HIPAA SRA Tool. It is also helpful when conducting risk assessments to map each administrative, physical, and technical safeguard standard and implementation specification required by the Security Rule to a relevant NIST Cybersecurity Framework Subcategory using the HIPAA Security Crosswalk to the NIST Cybersecurity Framework. A risk analysis can be carried out by qualified internal personnel or third-party vendors.
- Risk Management. The Security Rule also requires covered entities and business associates to implement risk management practices, such as implementing sufficient security measures to reduce potential risks and vulnerabilities to a reasonable and appropriate level. Once HIPAA-regulated entities identify these vulnerabilities, they must develop a plan designed to show how they will remediate them.
- Information System Activity Review. HIPAA-regulated entities must also regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These processes not only enable such entities to determine if any ePHI is used or disclosed in an inappropriate manner, but can play a crucial role in detecting and potentially eliminating or mitigating internal and external malicious activity. Through its investigations, the OCR found non-existent or deficient processes, such as reviews that were ad hoc and reactive. Although these procedures may be different for each HIPAA-regulated entity, they must be implemented pursuant to the Security Rule and should be customized to meet the entity's respective risk management strategy and take into account the capabilities of all information systems with ePHI.
- Audit Controls Standard. The Security Rule obligates covered entities and business associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Most information systems provide some level of audit controls with a reporting method, such as audit reports, which are useful for recording and examining information system activity, especially when determining whether a security violation occurred. With that said, the OCR's investigations continued to find regulated entities lacking such mechanisms entirely or maintaining audit control mechanisms for only a narrow subset of their systems containing or using ePHI. Covered entities and business associates must consider their risk analysis and organizational factors, such as current technical infrastructure, hardware, and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use ePHI.
- Access Control Standard. A covered entity must implement technical policies and procedures that allow only authorized persons to access ePHI. The OCR's investigations revealed noncompliance with this standard, such as ineffective access controls, which the OCR identified as a frequent contributing factor in breaches of unsecured ePHI. Covered entities and business associates should work with their HR and business team leads to clearly define role-based access for their workforce members. They should also assign a separate user account to each user in their organization, configure systems and endpoints to automatically lock out and log off users after a predetermined period of inactivity, and establish procedures for terminating a user's access (as soon as that user leaves the organization) to prevent former users (who may have improper motives) from accessing ePHI.
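The three Security Rule items above (information system activity review, audit controls, and access control) all come down to the same operational habit: keep an audit trail of ePHI access and review it against the workforce roster and the role-based access model on a regular, not ad hoc, basis. The following is an added illustration, not code from the OCR reports or from Foley, of what such a recurring review can look like in Python. The log format, the roster, the role-to-action mapping, the bulk-access threshold and the account-naming convention are all constructed assumptions for this example; a real review would read the audit logs of the actual EHR or file system and the organization's real HR data.

```python
"""Minimal ePHI audit-log review.

Flags the access-control failures the OCR report calls out (a terminated user
still accessing records, access outside the user's assigned role, a shared or
generic account in use) and one activity-review signal (one user opening many
distinct patient records in a short window). Everything below is constructed
sample data for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed workforce roster: user -> (role, termination date or None).
ROSTER = {
    "jsmith": ("nurse", None),
    "bwong": ("billing", None),
    "rlee": ("physician", datetime(2021, 3, 15)),  # left the organization
    "shared_frontdesk": ("reception", None),       # generic account (should not exist)
}

# Constructed role-based access model: which ePHI actions each role may perform.
ROLE_ACTIONS = {
    "nurse": {"view_chart", "update_vitals"},
    "physician": {"view_chart", "update_vitals", "write_note"},
    "billing": {"view_billing"},
    "reception": {"view_demographics"},
}

GENERIC_PREFIXES = ("shared_", "admin", "test")   # assumed naming convention
BULK_THRESHOLD = 5                                # distinct patients per user ...
BULK_WINDOW = timedelta(minutes=10)               # ... within this window

# Constructed audit records in the assumed format "timestamp|user|action|patient_id".
SAMPLE_LOG = """\
2021-03-14T09:02:11|rlee|view_chart|P1001
2021-03-16T22:40:05|rlee|view_chart|P1002
2021-03-16T10:15:00|bwong|view_chart|P1003
2021-03-16T10:16:00|bwong|view_billing|P1003
2021-03-16T11:00:00|shared_frontdesk|view_demographics|P1004
2021-03-16T13:00:00|jsmith|view_chart|P2001
2021-03-16T13:01:00|jsmith|view_chart|P2002
2021-03-16T13:02:00|jsmith|view_chart|P2003
2021-03-16T13:03:00|jsmith|view_chart|P2004
2021-03-16T13:04:00|jsmith|view_chart|P2005
2021-03-16T13:05:00|jsmith|view_chart|P2006
"""


def parse_log(text):
    """Parse the pipe-delimited audit lines into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient})
    return records


def review(records, roster=ROSTER, role_actions=ROLE_ACTIONS):
    """Return a list of (finding_type, user, timestamp) tuples for the reviewer."""
    findings = []
    per_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        entry = roster.get(r["user"])
        if entry is None:                       # account not on the roster at all
            findings.append(("unknown_user", r["user"], r["ts"]))
            continue
        role, terminated = entry
        if terminated and r["ts"] >= terminated:    # access after termination date
            findings.append(("terminated_user_access", r["user"], r["ts"]))
        if r["action"] not in role_actions.get(role, set()):   # outside assigned role
            findings.append(("role_violation", r["user"], r["ts"]))
        if r["user"].startswith(GENERIC_PREFIXES):   # shared / non-individual account
            findings.append(("generic_account", r["user"], r["ts"]))
        per_user[r["user"]].append(r)
    # Bulk access: sliding window over each user's chronologically sorted accesses.
    for user, rs in per_user.items():
        for i, start in enumerate(rs):
            window = [x for x in rs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            if len({x["patient"] for x in window}) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, start["ts"]))
                break   # one finding per user is enough to trigger follow-up
    return findings


if __name__ == "__main__":
    for kind, user, ts in review(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {kind:24s} {user}")
```

On the constructed data the review produces four findings: a role violation for the billing user viewing a chart, the generic front-desk account in use, the physician's chart access the day after the termination date, and the nurse opening six records in five minutes. The first three map directly to the access-control points in the report (role-based access, one account per user, prompt termination of access); the last is the kind of signal a regular activity review is meant to surface for human follow-up rather than a verdict on its own.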
For more information about how to address these common HIPAA compliance gaps, please contact the authors or any Partner or Senior Counsel in Foley's Cybersecurity and Data Privacy team.