HHS Eyes HIPAA, Cybersecurity Enforcement with OCR Overhaul

Steady increases in health information privacy and cybersecurity violations have prompted the U.S. Department of Health and Human Services (HHS) to restructure its Office of Civil Rights (OCR). To address its ever-expanding caseload, OCR is rebranding one of its key divisions while also creating three new ones.

OCR Rebrand and Restructure

The law enforcement arm of HHS, OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, among other statutes. OCR’s reorganization will bring it more in line with its federal peers, particularly the Department of Education’s Office for Civil Rights.

OCR’s Health Information Privacy Division (HIP) is now the Health Information Privacy, Data, and Cybersecurity Division (HIPDC). The change is intended to reaffirm the division’s focus on cybersecurity, which is a growing concern. OCR received a stunning 51,000 complaints in 2022, a 67% increase over the past five years, noted OCR Director Melanie Fontes Rainer. Fully 66% of those alleged violations concerned health information privacy and security laws, while 27% involved civil rights and 7% involved conscience/religious freedom.

Additionally, OCR revealed that it would be reorganizing the responsibilities of its Health Information Privacy, Operations and Resources, Civil Rights, and Conscience and Religious Freedom divisions into three new groups: the Enforcement, Policy and Strategic Planning Divisions. For the Enforcement and Policy Divisions, teams will be organized by skillset and focus on a plethora of legal issues, which OCR said would provide “a more integrated approach to case management” and allow for “direct engagement between policy, enforcement and investigations.” The Strategic Planning Division is responsible for public outreach around OCR’s authorities to protect civil rights, conscience, and health information privacy, while expanding data collection efforts at HHS.

PHI Breaches Surge

The restructure follows OCR’s delivery of two reports to Congress that detailed HIPAA compliance and breaches of unsecured protected health information (PHI) reported to HHS in 2021. The HIPAA compliance report identifies the number of complaints received, how they were resolved and OCR’s reviews of the incidents. The breach report analyzes breaches and actions that were taken in response.

OCR received over 34,000 complaints of alleged HIPAA and HITECH violations in 2021, a 25% increase from the year before and a 39% increase from 2017. However, OCR resolved most of these complaints without an investigation or by providing technical assistance. The agency took corrective action and/or imposed monetary penalties on 714 of the complaints (3%).

OCR received reports of 64,180 data breaches of unsecured PHI in 2021. Of these breaches, 609 impacted 500 or more individuals, compromising more than 37 million people in total. From 2017 to 2021, large breaches increased 58% while breaches that affected less than 500 people rose 5%. Of the large breaches, 437 reports (72%) came from healthcare providers and affected more than 24 million people.

Most of the large breaches (75%) involved hacking of electronic equipment or a network server. In the largest incident, two former employees of a healthcare provider hacked the company’s server and compromised the electronic PHI (ePHI) of more than 3.2 million people.

Covered entities that experienced large breaches in 2021 took one or more of the following actions to address the issue:

• Adopt multifactor authentication for remote access
• Revise policies and procedures
• Retrain employees who handle PHI
• Provide customers with free credit monitoring and identity theft protection
• Adopt encryption technologies
• Impose sanctions on employees who violated policies around PHI
• Change passwords
• Perform risk assessments
• Revise business associate contracts to include stricter provisions for handling PHI.

Preventing Further Breaches

After concluding its investigations, OCR advised covered entities and business associates to brush up on the following HIPAA Security Rule standards:

• Security Management Process Standard: Regulated entities are required to implement policies and procedures to prevent, detect, contain, and correct security violations. OCR identified several specifications within this standard as needing improvement.
• Risk Analysis: Regulated entities should conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI held by the entities or business associates. With cyberattacks increasing, failure to conduct risk analyses leaves ePHI vulnerable.
• Risk Management: Regulated entities must implement security measures capable of reducing risks and vulnerabilities to a manageable level. OCR identified multiple incidents of noncompliance with this requirement.
• Information System Activity Review: Regulated entities are required to regularly review records of information system activity, such as audit logs and security incident tracking reports. OCR found “deficient or nonexistent” review processes at some entities.
• Audit Controls Standard: Regulated entities must implement mechanisms that record and evaluate activity in information systems that contain or use ePHI. OCR identified entities that either had no audit control mechanisms in place or had only implemented them for a small subset of systems.
• Access Controls Standard: Regulated entities must implement technical policies and procedures for information systems that maintain ePHI so that only appropriate people or software programs can access these systems. OCR found evidence of noncompliance with this standard, which often contributed to breaches of ePHI.

Have further questions? HIPAA compliance requirements are always changing. Take a free HIPAA Risk Assessment and uncover the compliance vulnerabilities at your practice.

References

1. (2023, Feb. 27). HHS Announces New Divisions Within the Office for Civil Rights to Better Address Growing Need of Enforcement in Recent Years. U.S. Department of Health and Human Services. https://www.hhs.gov/about/news/2023/02/27/hhs-announces-new-divisions-within-office-civil-rights-better-address-growing-need-enforcement-recent-years.html
2. (2023, Feb. 17).Report to Congress on Privacy Rule and Security Rule Compliance. U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/reports-congress/index.html
3. (2023, Feb. 17).Reports to Congress on Breach Notification Program. U.S. Department of Health and Human Services.  https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html
4. (2022, Oct. 20). The Security Rule. U.S. Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/security/index.html

Andrew Deichler

Andrew Deichler is the Senior Content Manager for Rectangle Health's Marketing Team. An experienced multimedia communications professional and award-winning journalist, Andrew develops and produces a multitude of content, including blogs, case studies, eBooks, whitepapers, executive reports, videos, and more. Prior to joining Rectangle Health, Andrew served as the Content Manager for Kyriba's Strategic Marketing team. Other previous roles include Editor, Students and Emerging Professionals for SHRM, and Multimedia Content Manager for the Association for Financial Professionals.