Group health plan sponsors should take note of the most recent annual report submitted by HHS and OCR on HIPAA and Breach Notification Rule Compliance. Congressional reporting to Congress from agencies can be incredibly helpful in understanding where the agencies have been focusing enforcement, including having a complete list of enforcement actions and settlements.
Reported HIPAA Complaint Trends and Resolutions:
- There have been significant increases in HIPAA complaints received (17% increase from 2018 to 2022).
- Increase in large breaches reported (107% increase from 2018 to 2022).
- In 2022, OCR received 30,435 new complaints alleging violations of the HIPAA Rules and the HITECH Act and resolved 32,250 complaints.
- Of those, OCR resolved 28,107 (87%) before initiating an investigation.
- OCR resolved 2,882 (9%) complaints by providing technical assistance in lieu of an investigation (pre-investigational technical assistance).
- In 560 (2%) of the investigations, a covered entity or business associate took corrective action, and in 15 (1%) of these complaints, OCR provided technical assistance after initiating an investigation (post-investigated technical assistance).
- OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one complaint investigation with a civil money penalty in the amount of $100,000.
- OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations.
Report Takeaways for Group Health Plan Sponsors
- Review, Maintain, and Strengthen HIPAA Security Practices
- Understand and Invest in Cybersecurity
- Report HIPAA Breaches Quickly. Ensure that have processes, such as a Cyber-Attack Checklist, that are able to identify and report breaches promptly (i.e. Cyber-Attack Quick Response).
- Utilize Technical Assistance If Needed. Consider utilizing technical assistance from OCR to resolve possible compliance issues, prior to them escalating into formal investigations that may require corrective action.
- Train, Train, and Re-Train Workforce
- Regularly Engage with Business Associates. Ensure that Business Associate Agreements are compliant, up to date, and executed.
If you’re a group health sponsor, take note of your HIPAA compliance. Can you identify areas for improved security and cybersecurity processes and training initiatives? If so, learn more about our upcoming HIPAA solution to keep you on a secure compliance path: HIPAA10.