Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2020; Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2020
HHS’s Office for Civil Rights (OCR) has posted its 2020 calendar-year reports to Congress on HIPAA privacy, security, and breach notification rule compliance and the HIPAA breach notification program. Highlights of the reports include the following:
Compliance Report. This report provides an overview of HIPAA’s privacy, security, and breach notification rules, followed by a more detailed discussion of OCR’s enforcement process and a summary of 2020 complaints and compliance reviews. OCR did not assess any civil monetary penalties or initiate any audits in 2020. OCR received 4% fewer complaints in 2020 than in 2019. The top five violations alleged in complaints resolved by OCR in 2020 involved (1) uses and disclosures of PHI; (2) unspecified safeguards; (3) access rights; (4) administrative safeguards for electronic PHI; and (5) technical safeguards. Technical assistance or corrective action resolved 59% of the complaints. Of the compliance reviews opened in 2020, 88% resulted from large breach notifications, and 2% resulted from small breach notifications. The remaining compliance reviews stemmed from incidents brought to OCR’s attention by other means, including media reports. An appendix summarizes the resolution agreements signed in 2020, most resulting from OCR’s right of access initiative.
Breach Notification Report. This report begins with an overview of the notification requirements for covered entities and business associates following discovery of a breach of unsecured PHI. OCR notes that, in 2020, it received 656 large breach notifications—a 61% increase over 2019—affecting more than 37 million individuals, and 66,509 small breach notifications affecting more than 312,000 individuals. Breaches at health plans and business associates represented 23% of large breach reports. Most large breaches were caused by hacking of electronic equipment or network servers, which involved use of malware, ransomware, phishing, and posting PHI on public websites. About a quarter were caused by unauthorized access or disclosure, and fewer than 10% of the total was attributable to theft, loss, or improper disposal of PHI. The report concludes with a summary of security standards and implementation specifications that, based on OCR’s 2020 investigations, need improvement: risk analysis/management; information system activity review; audit controls; security awareness and training; and authentication.
EBIA Comment: The reports provide a useful synopsis of enforcement activity and offer some additional insights—including the reminder that OCR opens compliance reviews for all breaches affecting 500 or more individuals. The breach notification report includes a helpful list of the most common post-breach remedial actions taken to mitigate harm and prevent potential future breaches. The reports can help covered entities and business associates target and strengthen their HIPAA compliance efforts. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX (“Enforcement of Privacy, Security, and EDI Rules”) and XXV (“Breach Notification for Unsecured PHI”). You also may be interested in our webinar, “HIPAA Breaches: Preparation and Response” (recorded on 1/26/22).
Contributing Editors: EBIA Staff.