HHS OCR Tells Congress It Needs More Funding for HIPAA Work
Breaches and Complaints Continue to Soar as Regulatory Duties Increase
As the volume of major health data breaches rises, the federal agency charged with investigating those incidents told Congress this week that it lacks the needed funding to keep up with its mounting workload.
In two annually mandated reports to Congress released Thursday, the Department of Health and Human Services’ Office for Civil Rights said the number of breaches and HIPAA complaints it was asked to investigate and resolve in 2022 continued to climb, even as the agency’s related regulatory duties expanded.
One report details activities and trends involving compliance with the HIPAA rules, and the other details HIPAA breach trends.
“OCR’s reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said Melanie Fontes Rainer, OCR director, in a statement Thursday.
“Our healthcare systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation,” she said. “My staff and I stand ready to continue to work with Congress and the healthcare industry to drive compliance and protect against security threats.”
HHS OCR highlighted significant increases in both HIPAA complaints received by the agency, up 17% from 2018 to 2022, and large breaches reported, up 107% over the same period, “without any increases in appropriations during that same time period.”
In 2022, OCR received 30,435 new complaints alleging violations of the HIPAA rules. During that same period, OCR received 626 notifications of breaches affecting 500 or more individuals, representing an increase of 3% from the number of reports received in calendar year 2021. These reported breaches affected a total of approximately 41.7 million individuals, and hacking incidents were the most commonly reported type of breach.
OCR also received 63,966 reports of breaches affecting fewer than 500 individuals, and unauthorized access or disclosure was the most frequently reported breach type. These smaller breaches affected 257,105 individuals.
The breach figures for 2023, which will be reported to Congress next year, paint an even grimmer picture.
As of Friday morning, the HHS OCR HIPAA Breach Reporting Tool website showed 739 major breaches reported in 2023 that affected more than 136 million individuals. That’s an all-time record for the number of breaches reported, as well as the total number of people affected in one year (see: How 2023 Broke Long-Running Records for Health Data Breaches).
More Resources Needed
Despite HHS OCR’s requests to Congress for additional discretionary funding nearly every year, the agency’s annual authorized budget has remained flat over the last several years, at about $39 million (see: What’s in Biden’s Proposed FY2022 HHS Budget?).
While HHS OCR is authorized under the HITECH Act to reinvest the money it collects through HIPAA settlements and civil monetary penalties into its enforcement programs, those collections have been reduced by a 2019 HHS action, taken during the Trump administration, that “significantly” lowered the maximum civil monetary penalty caps for three of the four penalty tiers, HHS OCR told Congress.
OCR reported that it has also asked that the HITECH civil monetary penalty caps be increased in a discretionary supplemental budget request for fiscal 2023 that was submitted to Congress in 2021.
During 2022, OCR resolved only three breach investigations with resolution agreements and corrective action plans, collecting settlements totaling about $2.4 million, HHS OCR said.
This week, HHS OCR announced its most recent HIPAA enforcement action in a five-year-old case. It was the agency’s second settlement ever in a breach involving a ransomware attack. Green Ridge Behavioral Health paid just $40,000 in a financial settlement and agreed to a corrective action plan. The settlement resolved potential HIPAA violations that HHS OCR had found during its investigation into a 2019 ransomware and data exfiltration attack on the Gaithersburg, Maryland-based mental health provider. The incident compromised the protected health information of about 14,000 individuals.
One of the big challenges in resolving cases in a timely fashion, according to HHS, is that the process of investigating HIPAA breaches and negotiating settlements has become much more time-intensive.
That’s because, under a 2021 amendment to the HITECH Act, OCR must consider in its breach investigations and compliance reviews whether a HIPAA-regulated entity has adequately demonstrated that it had “recognized security practices” in place for at least the previous 12 months. That showing can lessen a financial penalty or settlement to resolve potential violations of the HIPAA Security Rule (see: How ‘Recognized Security Practices’ Fit With HIPAA Actions).
“These efforts have significantly increased OCR’s workload and the length of time to complete HIPAA Security Rule investigations,” HHS OCR told Congress. “These factors have combined to cause a severe strain on OCR’s limited staff and resources. This lack of necessary funding limits OCR’s HIPAA enforcement activities during a time of substantial growth in cybersecurity attacks to the healthcare sector.”
HHS OCR told Congress that the lack of adequate funding also has inhibited the agency’s ability to carry out another mandate of the HITECH Act – performing periodic audits of covered entities and business associates to assess compliance with HIPAA rules.
“OCR did not perform any audits in 2022 due to a lack of financial resources,” the agency told Congress. While OCR did not initiate any audits in 2022, it is currently developing the criteria for implementing future audits “should financial resources become available,” HHS OCR said.
Earlier this month, HHS OCR published a notice in the Federal Register detailing its plans to resume the audits (see: They’re Back: HHS OCR Plans to Resurrect Random HIPAA Audits).
“It is hard to read OCR’s 2022 reports to Congress without feeling the agency’s frustration,” said regulatory attorney Paul Hales of the Hales Law Group. “Breaches that could be prevented by HIPAA compliance continue growing, affecting tens of millions of people yearly.”
And inadequate resources prevent OCR from enforcing HIPAA effectively – including its failure to conduct audits required by law, Hales said. “I don’t think Congress will solve OCR’s frustration by appropriations. However, Congress could revise HIPAA’s civil money penalties so OCR’s enforcement activities would provide the agency with adequate resources.”
In addition to its ongoing HIPAA enforcement and compliance duties, HHS OCR is immersed in other regulatory efforts, including its plans to issue a proposed update to the HIPAA Security Rule this spring.
HHS OCR is also collaborating with other HHS agencies to support the Biden administration’s healthcare sector cybersecurity strategy, which was unveiled in December (see: Biden Administration Issues Cyber Strategy for Health Sector).
Last month, HHS released new guidance detailing voluntary cybersecurity performance goals for healthcare sector entities (see: HHS Details New Cyber Performance Goals for Health Sector).