The Office for Civil Rights (OCR), pursuant to the HITECH Act, issues annual reports to Congress regarding HIPAA complaints and breaches received for the previous year. Additionally, OCR reports enforcement actions taken.

As this article summarizes, compliance with the HIPAA Security Rule should not be ignored by the entities required to follow it: health plans, healthcare clearinghouses, and healthcare providers (Covered Entities or CEs), and, to an extent, business associates of CEs. OCR’s 2020 findings:

  • OCR received 656 notifications of breaches affecting 500 or more individuals;
  • 66,509 notifications of breaches affecting fewer than 500 individuals; and
  • 27,182 complaints alleging violations of HIPAA and the HITECH Act.
  • What’s more alarming is that the number of “500+” breaches increased by 61% from 2019 (the 656 breaches in 2020 affected over 37 million individuals).

Perhaps the most exhausting aspect of HIPAA Security Rule compliance for CEs is conducting – and maintaining – the security risk assessment. It’s an exhaustive process (by design I posit) and once complete, must become a “living” process, nimble to business and cyberworld shifts. What prompted the 656 breach notifications?

  • 68% – hacking/IT incidents of electronic equipment or a network server (of the “500+” breaches in 2020)
  • 23% – unauthorized access or disclosure of records containing protected health information (PHI)
  • 5% – thefts of electronic equipment/devices
  • 2% – loss of electronic media or paper records
  • 2% – improper disposal of PHI

OCR’s report shined a light on common themes within its resolution agreements for such breaches; these require CEs to:

  • conduct an enterprise-wide risk analysis;
  • develop and implement risk management processes;
  • develop “right of access” policies; and
  • train the workforce regarding those policies.

“Risk analysis and management and the right of access have been areas of focus for OCR for several years, and this report makes clear that both remain high on OCR’s list of enforcement priorities. At the conclusion of the report, OCR urged all covered entities to focus on their risk analysis and risk management processes, information system activity reviews, audit controls, security awareness and training, and authentication processes.”

Here at ComplianceDashboard, we take compliance seriously…but not too seriously. We know, however, that HIPAA Security Rule implementation for CEs isn’t a walk in the park. That’s why we created HIPAA10 – to assist CEs with HIPAA compliance. To learn more about our HIPAA10 solution, browse our website.

The bottom line: CEs who fail to implement and maintain HIPAA Security requirements could pay penalties, or worse yet, suffer ramifications from a breach of PHI.