Recently, Congress received reports from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) summarizing Health Insurance Portability and Accountability Act of 1996 (HIPAA) breaches and complaints reported to OCR in 2020 and the enforcement measures taken in response. Among other purposes, these reports help to better understand areas of noncompliance and increase awareness on opportunities for improvement of overall HIPAA compliance.

Background

The HIPAA privacy rule requires covered entities (i.e., health plans, health care clearinghouses, and health care providers) to safeguard individuals’ protected health information (PHI) and sets limits on the uses and disclosures of PHI. Similarly, the HIPAA security rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. Although employers are not considered covered entities under HIPAA, their self-insured health plans including medical plans, health reimbursement arrangements (HRAs), and flexible spending accounts (FSA) are subject to the law. In addition, employers with access to their employees’ PHI (e.g., self-insured plans and some fully insured plans) must comply with HIPAA privacy and security rules when handling employee PHI.

Highlights of the Reports

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires OCR to report to Congress regarding compliance with HIPAA privacy, security, and breach notification rules annually and make such reports publicly available. Of note, OCR’s breach report summarizes the most reported categories of breaches and includes best practices and recommendations to avoid such breaches. Further, OCR’s compliance report also details information helpful to support HIPAA compliance, such as summarizing common allegations and complaints received in 2020.

Highlights of the reports include:

  • Hacking of a network server was a leading cause of large breaches reported, with unauthorized access or disclosure of records containing PHI also a significant cause. Reported less, but still common included breaches involving thefts of electronic devices, loss of electronic media or paper records, and improper disposal of protected health information.
  • The top alleged in complaints were impermissible uses and disclosures, safeguards, right of access, administrative safeguards (for electronic PHI), and technical safeguards. Overall, OCR received fewer complaints in 2020 than in 2019.
  • While many investigations were resolved through technical assistance or corrective action, HHS resolved 19 investigations that totaled more than $13.5 million in collections.

While these reports do not impose any new requirements for employers, they serve as a good reminder for covered entities and employers with access to PHI of HIPAA privacy and security requirements generally, including breach notification requirements, and identifies common causes and complaints of HIPAA noncompliance. Employers should review the reports and apply OCR’s findings when developing and administering their HIPAA policies. 

Additional Resources

Diane Cross — Diane is a Client Compliance Consultant for Sequoia, where she works with our clients to optimize and streamline benefits compliance. In her free time, Diane enjoys spending time with her family, live music, and cycling.