Steady increases in health information privacy and cybersecurity violations have prompted the U.S. Department of Health and Human Services (HHS) to restructure its Office for Civil Rights (OCR). To address its ever-expanding caseload, OCR is rebranding one of its key divisions while also creating three new ones.
OCR Rebrand and Restructure
The law enforcement arm of HHS, OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, among other statutes. OCR’s reorganization will bring it more in line with its federal peers, particularly the Department of Education’s Office for Civil Rights.
OCR’s Health Information Privacy Division (HIP) is now the Health Information Privacy, Data, and Cybersecurity Division (HIPDC). The change is intended to reaffirm the division’s focus on cybersecurity, which is a growing concern. OCR received a stunning 51,000 complaints in 2022, a 67% increase over the past five years, noted OCR Director Melanie Fontes Rainer. Fully 66% of those alleged violations concerned health information privacy and security laws, while 27% involved civil rights and 7% involved conscience/religious freedom.
Additionally, OCR revealed that it would be reorganizing the responsibilities of its Health Information Privacy, Operations and Resources, Civil Rights, and Conscience and Religious Freedom divisions into three new groups: the Enforcement, Policy and Strategic Planning Divisions. For the Enforcement and Policy Divisions, teams will be organized by skillset and focus on a plethora of legal issues, which OCR said would provide “a more integrated approach to case management” and allow for “direct engagement between policy, enforcement and investigations.” The Strategic Planning Division is responsible for public outreach around OCR’s authorities to protect civil rights, conscience, and health information privacy, while expanding data collection efforts at HHS.
PHI Breaches Surge
The restructure follows OCR’s delivery of two reports to Congress that detailed HIPAA compliance and breaches of unsecured protected health information (PHI) reported to HHS in 2021. The HIPAA compliance report identifies the number of complaints received, how they were resolved and OCR’s reviews of the incidents. The breach report analyzes breaches and actions that were taken in response.
OCR received over 34,000 complaints of alleged HIPAA and HITECH violations in 2021, a 25% increase from the year before and a 39% increase from 2017. However, OCR resolved most of these complaints without an investigation or by providing technical assistance. The agency took corrective action and/or imposed monetary penalties in 714 of the complaints (3%).
OCR received reports of 64,180 data breaches of unsecured PHI in 2021. Of these breaches, 609 impacted 500 or more individuals, affecting more than 37 million people in total. From 2017 to 2021, large breaches increased 58% while breaches that affected fewer than 500 people rose 5%. Of the large breaches, 437 reports (72%) came from healthcare providers and affected more than 24 million people.
Most of the large breaches (75%) involved hacking of electronic equipment or a network server. In the largest incident, two former employees of a healthcare provider hacked the company’s server and compromised the electronic PHI (ePHI) of more than 3.2 million people.
Covered entities that experienced large breaches in 2021 took one or more of the following actions to address the issue:
Adopt multifactor authentication for remote access
Revise policies and procedures
Retrain employees who handle PHI
Provide customers with free credit monitoring and identity theft protection
Adopt encryption technologies
Impose sanctions on employees who violated policies around PHI
Change passwords
Perform risk assessments
Revise business associate contracts to include stricter provisions for handling PHI.
Preventing Further Breaches
After concluding its investigations, OCR advised covered entities and business associates to brush up on the following HIPAA Security Rule standards:
Security Management Process Standard: Regulated entities are required to implement policies and procedures to prevent, detect, contain, and correct security violations. OCR identified several specifications within this standard as needing improvement.
Risk Analysis: Regulated entities should conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI held by the entities or business associates. With cyberattacks increasing, failure to conduct risk analyses leaves ePHI vulnerable.
Risk Management: Regulated entities must implement security measures capable of reducing risks and vulnerabilities to a manageable level. OCR identified multiple incidents of noncompliance with this requirement.
Information System Activity Review: Regulated entities are required to regularly review records of information system activity, such as audit logs and security incident tracking reports. OCR found “deficient or nonexistent” review processes at some entities.
Audit Controls Standard: Regulated entities must implement mechanisms that record and evaluate activity in information systems that contain or use ePHI. OCR identified entities that either had no audit control mechanisms in place or had only implemented them for a small subset of systems.
Access Controls Standard: Regulated entities must implement technical policies and procedures for information systems that maintain ePHI so that only appropriate people or software programs can access these systems. OCR found evidence of noncompliance with this standard, which often contributed to breaches of ePHI.