
HHS Reports to Congress on HIPAA Compliance and Breach Notifications


Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2021; Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021

Compliance Report

Breach Notification Report

News Release

HHS’s Office for Civil Rights (OCR) has posted its 2021 reports to Congress on HIPAA privacy, security, and breach notification rule compliance and the HIPAA breach notification program. Below are highlights of both reports:

  • Compliance Report. This report summarizes key HIPAA enforcement actions undertaken by OCR during 2021, including the number of complaints received and the method by which those complaints were resolved. OCR received 34,077 complaints in 2021, 25% more than in 2020. In addition to requiring covered entities (including health plans and most health care providers) and business associates (collectively, “regulated entities”) to take corrective action in hundreds of cases in 2021, OCR reports that 17 investigations (summarized in an appendix) were resolved with resolution agreements or the imposition of civil money penalties (see, e.g., our Checkpoint article). OCR did not initiate any audits in 2021. The top five issues alleged in the complaints resolved in 2021 involved (1) impermissible uses and disclosures; (2) right of access; (3) safeguards; (4) administrative safeguards (security rule); and (5) breach notice to individuals.
  • Breach Notification Report. This report identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to HHS during 2021 and the actions taken in response. OCR notes that it received 609 large breach notifications affecting more than 37 million individuals, with hacking/IT incidents the most frequent type of breach and network servers the most frequent breach location. More than 63,000 small breach notifications were reported affecting nearly 320,000 individuals, with unauthorized access or disclosure the most frequent type of breach and paper records the most frequent location.

EBIA Comment: The reports include important data from the HIPAA complaints investigated, highlight areas of noncompliance, and provide insights into trends such as cybersecurity readiness. OCR stresses the need for regulated entities to improve HIPAA compliance, particularly with the security requirements, including risk analysis, risk management, information system activity review, audit controls, and access controls. Regulated entities should note that OCR opens compliance reviews to investigate all reported breaches affecting 500 or more individuals and may open compliance reviews into reported breaches affecting fewer than 500 individuals. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX (“Enforcement of Privacy, Security, and EDI Rules”) and XXV (“Breach Notification for Unsecured PHI”).

Contributing Editors: EBIA Staff.
