HHS reports: Compliance reviews, health data breaches up

Reviews initiated by the HHS Office of Civil Rights grew 44 percent over the four-year period, the OCR said in its report covering privacy, security, and breach notification compliance under the Health Insurance Portability and Accountability Act (HIPAA). The report, published Friday, focused on the enforcement activities of the OCR, including the number of complaints it received, how they were resolved, and the number of compliance reviews and audits spawned by those complaints.

From 2017-21, the number of complaints received by the OCR increased 39 percent, according to the report. In 2021, the OCR received 34,077 new complaints alleging violations of HIPAA rules, an increase of 25 percent over 2020.

Of the 26,420 complaints the OCR resolved within the year, 20,661 were wrapped up without an investigation.

Among investigations, the OCR completed 573 compliance reviews and required 475 organizations to take corrective action or pay a civil money penalty. Two compliance reviews resulted in payments totaling $5,125,000.

More than 37 million people were impacted by health data breaches in 2021, according to the OCR’s separate report to Congress on breaches of unsecured protected health information.

The number of large breaches, those affecting 500 people or more, grew dramatically—58 percent—from 2017-21, according to the report. The number of breaches affecting fewer than 500 people increased 5 percent, the report said.

In the report, the OCR pointed to four compliance areas health organizations need to improve: risk analysis and risk management, information system activity review, audit controls, and access controls.

“The healthcare industry is one of the most diverse industries in our economy, and OCR is responsible for enforcing the HIPAA rules to support greater privacy and security of individuals’ protected health information,” OCR Director Melanie Fontes Rainer said in a press release.