05. 09. 23
Steady increases in health information privacy and cybersecurity violations have prompted the U.S. Department of Health and Human Services (HHS) to restructure its Office of Civil Rights (OCR). To address its ever-expanding caseload, OCR is rebranding one of its key divisions while also creating three new ones.
The law enforcement arm of HHS, OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, among other statutes. OCR’s reorganization will bring it more in line with its federal peers, particularly the Department of Education’s Office for Civil Rights.
OCR’s Health Information Privacy Division (HIP) is now the Health Information Privacy, Data, and Cybersecurity Division (HIPDC). The change is intended to reaffirm the division’s focus on cybersecurity, which is a growing concern. OCR received a stunning 51,000 complaints in 2022, a 67% increase over the past five years, noted OCR Director Melanie Fontes Rainer. Fully 66% of those alleged violations concerned health information privacy and security laws, while 27% involved civil rights and 7% involved conscience/religious freedom.
Additionally, OCR revealed that it would be reorganizing the responsibilities of its Health Information Privacy, Operations and Resources, Civil Rights, and Conscience and Religious Freedom divisions into three new groups: the Enforcement, Policy and Strategic Planning Divisions. For the Enforcement and Policy Divisions, teams will be organized by skillset and focus on a plethora of legal issues, which OCR said would provide “a more integrated approach to case management” and allow for “direct engagement between policy, enforcement and investigations.” The Strategic Planning Division is responsible for public outreach around OCR’s authorities to protect civil rights, conscience, and health information privacy, while expanding data collection efforts at HHS.
The restructure follows OCR’s delivery of two reports to Congress that detailed HIPAA compliance and breaches of unsecured protected health information (PHI) reported to HHS in 2021. The HIPAA compliance report identifies the number of complaints received, how they were resolved and OCR’s reviews of the incidents. The breach report analyzes breaches and actions that were taken in response.
OCR received over 34,000 complaints of alleged HIPAA and HITECH violations in 2021, a 25% increase from the year before and a 39% increase from 2017. However, OCR resolved most of these complaints without an investigation or by providing technical assistance. The agency took corrective action and/or imposed monetary penalties on 714 of the complaints (3%).
OCR received reports of 64,180 data breaches of unsecured PHI in 2021. Of these breaches, 609 impacted 500 or more individuals, compromising more than 37 million people in total. From 2017 to 2021, large breaches increased 58% while breaches that affected fewer than 500 people rose 5%. Of the large breaches, 437 reports (72%) came from healthcare providers and affected more than 24 million people.
Most of the large breaches (75%) involved hacking of electronic equipment or a network server. In the largest incident, two former employees of a healthcare provider hacked the company’s server and compromised the electronic PHI (ePHI) of more than 3.2 million people.
Covered entities that experienced large breaches in 2021 took one or more of the following actions to address the issue:
After concluding its investigations, OCR advised covered entities and business associates to brush up on the following HIPAA Security Rule standards: