The OCR HIPAA Report and Proper Breach Requirements

HIPAA Breach notification featured

HIPAA is a core cybersecurity framework for patients and healthcare providers in the U.S. Unfortunately, a new report from the OCR shows an increase in significant events and a lack of resources to follow up on critical compliance issues. 

We’re covering some of this report and the underlying HIPAA requirements reflected in it. 


HIPAA Compliance, Breaches, and Penalties in 2022

The Department of Health and Human Services (HHS) released a report to Congress documenting the success (or lack thereof) of the HIPAA program. Their findings are eye-opening:

  • Significant data breaches increased by 107% between 2018 and 2022.
  • 74% of these breaches were due to hacks or IT incidents affecting 23M+ records.
  • The vast majority of breach reports come directly from healthcare providers (68%) rather than BAs (19%) or Health Plans (13%).
  • For breaches affecting more than 500 individuals, this information was accessed primarily on a network server (79%). For those affected less than 500, paper records were lost (62%).
  • Concerns about other HIPAA violations grew by 17% during the same period.
  • The Office of Civil Rights (the managing branch of HIPAA) has faced a growing demand for compliance and penalty assessments but has not received additional funding to handle the increased workload. This has been exacerbated by lowering HIPAA fees (which means less revenue for the department).
  • Although OCR is expected to conduct annual HIPAA audits, they did not perform any during 2022 due to financial constraints. 

A few common security steps were also taken in response to breaches. The primary steps taken included:

  • Implementing multi-factor authentication
  • Training staff
  • Using Encryption
  • Modifying passwords
  • Conducting risk assessments
  • Modifying Business Associate Agreements (BAA)

This report isn’t the most uplifting document, and it shows that there is still a long way to go in ensuring that HIPAA is appropriately implemented and supported on a federal level. However, it doesn’t mean that CEs can shirk their responsibilities for their own sake or the sake of their patients.


What Are the Penalties for Violating HIPAA Rules?

HIPAA Breach notification

As of 2023, the penalties for HIPAA breaches are determined based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of the same provision. The penalties are divided into four categories, which reflect increasing levels of culpability:

  • Category 1: A violation the CE was unaware of and could not have realistically avoided had a reasonable amount of care been taken to abide by HIPAA Rules. The penalty range for Category 1 violations is $100 to $50,000 per violation.
  • Category 2: This is a violation the CE should have been aware of but could not have avoided even with reasonable care (falling short of willful neglect of HIPAA Rules). The penalty range for Category 2 violations is $1,000 to $50,000 per violation.
  • Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules in cases where an attempt has been made to correct the violation. The penalty range for Category 3 violations is $10,000 to $50,000 per violation.
  • Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation. The penalty for Category 4 violations is $50,000 per violation.

It’s important to note that these are federal penalties and that states may have laws and penalties for protecting health information that could apply in addition to the federal HIPAA penalties.


What is the Breach Notification Rule?

The HIPAA Breach Notification Rule is a federal regulation under the Health Insurance Portability and Accountability Act (HIPAA). It requires covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). The rule is part of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act 2009.

Here are the critical components of the HIPAA Breach Notification Rule:

  • Definition of a Breach: A breach is generally defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. There are exceptions, such as when the risk of harm to the individual is low.
  • Notification to Individuals: Covered entities must notify affected individuals immediately and no later than 60 days after discovering a breach. The notifications must include, to the extent possible, a description of what happened, the types of PHI involved, the steps individuals should take to protect themselves, what the covered entity is doing to investigate the breach, mitigate harm, and prevent further breaches, as well as contact information for individuals to ask questions.
  • Notification to the Secretary of HHS: In addition to notifying affected individuals, covered entities must notify the Secretary of Health and Human Services (HHS). The timing and method of this notification depend on the number of individuals affected by the breach.
  • Notification to the Media: For breaches affecting more than 500 residents of a state or jurisdiction, covered entities must also notify prominent media outlets serving that state or jurisdiction.
  • Notification by Business Associates: If a breach occurs at or by a covered entity’s business associate, the business associate must notify the covered entity. Covered entities are ultimately responsible for ensuring individuals are notified.
  • Unsecured PHI: The Breach Notification Rule applies specifically to unsecured PHI, which is information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of HHS.
  • Risk Assessment: Entities must perform a risk assessment to determine the probability that PHI has been compromised. This assessment must consider factors such as the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom the disclosure was made, whether the PHI was acquired or viewed, and the extent to which the risk to the PHI has been mitigated.

This rule emphasizes the importance of protecting the privacy and security of health information, providing transparency in the event of a breach, and setting standards for the notification process to ensure that individuals are informed and can take steps to protect themselves from potential harm.


Stay On Top of HIPAA Compliance and Risk with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve, including changes and revisions to security frameworks like SOC 2. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.

Continuum GRC