
How busy is OCR? – Ep 396

March 3, 2023

By Donna Grindle

Today you’re going to get a twofer. We’re going to discuss the two recent reports that OCR submitted to Congress on the state of compliance with Privacy and Security and the other on Report Breaches and Notifications. Let’s start by saying that OCR is really busy… I mean really busy.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com

How busy is OCR?

[04:26] The Office for Civil Rights recently submitted two reports to Congress. One on the state of compliance with Privacy and Security and the other on Report Breaches and Notifications.

Report to Congress on Breach Notification Program | HHS.gov

Report to Congress on Privacy Rule and Security Rule Compliance | HHS.gov

An important note is that these reports reflect data from 2021. Why not 2022, you may ask? We asked the same thing. The answer is that this is what the HITECH law tells them to do: submit a report at some point. Some years they bundle several up, like in 2019, when they reported 2015, 2016, and 2017 all at the same time. Here is what they say the law requires, just to cover that base:

The HITECH Act requires OCR to produce an Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance that identifies the number of complaints received, the method by which those complaints were resolved, the number of compliance reviews initiated by OCR, the outcome of each review, the number of audits performed, a summary of audit findings, the number of subpoenas or inquiries issued, and OCR’s anticipated compliance and enforcement initiatives for the following year.

The actual report on compliance

Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance

Let’s just start with the last sentence of the first paragraph.

OCR did not perform any audits in 2021 due to a lack of financial resources.

These reports certainly explain that they are really busy. Like really busy.

  • 39% increase in complaints 2017 to 2021.
  • Large breaches (500+) increased 58% in the same period.

On top of all of that, they reduced how they calculate some civil monetary penalties (CMPs). That is where they are supposed to get the money to fund more enforcement. In theory, if the industry needs more enforcement due to a lack of compliance, then the industry would fund that enforcement activity on its own.

We know for a fact that hasn’t been happening. We often point out that the statistical likelihood of a given entity paying a massive fine or settlement amount is very low, at least historically. OCR has asked for help with the funding by requesting that those penalty caps be increased:

OCR requested that the HITECH civil monetary penalty caps be increased in the HHS FY 2023 Discretionary A-19 Legislative Supplement that was sent to Congress in September 2021. These factors have combined to cause a severe strain on OCR’s limited staff and resources. This lack of necessary funding limits OCR’s HIPAA enforcement activities during a time of substantial growth in cybersecurity attacks to the health care sector.

Here are some numbers:

[14:08] Complaints increased 25% year over year for 2021, to 34,077. Of those, 26,420 were resolved. Not surprisingly, 78% of those, or 20,661, were resolved without an investigation. So many people think they understand HIPAA and file a complaint that doesn’t even apply.

4,139 of the remaining number were resolved by “providing technical assistance in lieu of an investigation (pre-investigational technical assistance)”.

714 of them took corrective action on their own.

That gets us down to the bottom of the list, where in 89 cases (<1%) OCR provided technical assistance after initiating an investigation (post-investigational technical assistance). Plus, 13 complaint investigations actually ended up in the news with Resolution Agreements and Corrective Action Plans (RA/CAPs) plus settlements totaling $815,150. The very end is where those scary fines were actually applied, but not for a lot of cash: 2, yes two, complaint investigations ended with civil money penalties totaling $150,000. So much for the scary fines and penalties, huh.

573 total compliance reviews were completed in 2021. 554 originated from breach reports and 19 originated from other means.

475 of those cases ended with corrective action or a paid penalty. Two others had RA/CAPs with some real cash, totaling $5,125,000. The other closed cases either weren’t under HIPAA or didn’t amount to more than what they call technical assistance.

Breaches affecting fewer than 500 individuals are something we don’t get a lot of information on regularly, but here we can see that 63,571 came in that year. That number is likely way under-reported, since so many people still think you only have to report breaches of 500+. I have already heard that confusion and cleared it up in 2023.

Audits are not a thing

As we have explained many times, audits are not happening. You either get caught up in the investigations and compliance reviews, or nothing happens. We don’t just make this stuff up:

OCR did not initiate any audits in 2021 due to a lack of financial resources.

The next time you hear that so-and-so never failed an audit: yes, we can confirm that. Because OCR is NOT doing them. It is really hard to fail at something that doesn’t happen.

The actual report on breaches

[27:06] Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Year 2021

We always like to point out that reported breaches do not represent the total number of healthcare breaches. Unfortunately, we both know of plenty of reportable breaches that did not get reported.

That said, OCR received 609 breach notifications affecting 500 or more individuals, which represented an actual decrease of 7% from the 2020 reports. Even so, those breaches affected 37.1M individuals.

The most common breach type, making up 75% of reported breaches in this category, was… you guessed it… hacking! We have talked about this numerous times in previous episodes. Specifically, network servers were the most common location of the breached PHI.

Not only did Hacking / IT Incident make up 75% of reported breaches, it also made up 95% of affected individuals.

OCR also received 63,571 reports of breaches affecting fewer than 500 individuals. For these, the most frequent type of breach was due to unauthorized access or disclosure. The largest portion of this category involved paper records. These smaller breaches only accounted for a total of 319,215 individuals. If you average that out, it is 5 individuals per reported breach. So yes, all breaches, no matter how small, must be reported.

We did see some weird things in the report that we can’t figure out. For example, the report’s own chart clearly shows that reported breaches decreased from 2020 to 2021, yet the report says more than once that reported breaches have increased.

OCR investigated all 609 of the reported breaches over 500, and 22 of the reported breaches under 500. Of these 631 investigations, OCR completed 554 of the investigations through technical assistance; achieving voluntary compliance through corrective action; resolution agreements and corrective action plans; or after determining no violation occurred. Two investigations did result in monetary payments totaling $5.125M.

[34:41] No surprise in OCR’s recommendations: there is a continued need for regulated entities to improve compliance with HIPAA, in particular the Security Rule standards and implementation specifications for risk analysis, risk management, information system activity review, audit controls, and access control.

If you want to know what you should be auditing in your own organization, there’s your priority list right there.

The other aspects of the reports worth mentioning are the definitions and regulations, which are great for quick references to understand things like:

  • What is the definition of a breach?
  • What are the breach notification requirements?
  • When do you have to notify the media?
  • When do you have to notify the Secretary (OCR)?
  • How is notification handled if the breach occurs at or by a business associate?

Lots of very useful and important information, not just interesting stats for us nerds 🙂.

You can tell from these reports that OCR is very busy. They also include some really good information. Just like we say the OCR CAPs have great information in them, these reports spell out the things you should be doing to comply with HIPAA.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
