In an annual report published by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), it was found that HIPAA complaints increased significantly between 2017 and 2021. The report, titled ‘Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance’, details complaints of alleged violations of the HIPAA regulations and the HITECH Act and compares them with previous years. The OCR is obliged to provide Congress with a report on HIPAA compliance that includes data on the number of complaints received, the compliance reviews conducted, and a summary of any ongoing audits. The OCR received more complaints in 2021 than in 2020; however, fewer breaches were documented. Not since 2020, when the prevalence of the pandemic may have contributed, has any year received more complaints. Without an increase in funding over this key five-year period, the number of HIPAA complaints rose noticeably, with an overall thirty-nine percent increase from 2017 to 2021. Additionally, the number of breaches deemed more significant or severe saw a fifty-eight percent increase over the same period.
Many American citizens’ private health information may be exposed if a data breach occurs at a location where their data is stored. This is not only damaging to the healthcare experience of the individual, but may also force the closure of the medical institution whose information was accessed. The HIPAA privacy law was introduced in 1996 to reduce the opportunity for third parties to access information without the patient’s permission. The law requires healthcare entities to store their patients’ data with extensive care. Given the recent rise in cybersecurity attacks against hospitals and other healthcare organizations, the OCR’s lack of funding is concerning. According to studies, the healthcare industry is particularly vulnerable to cyberattacks because of its low cybersecurity investment, its extensive use of connected medical devices and health IT systems, and the prevalence of sensitive and valuable personal data it holds. Experts in this field are concerned about cybersecurity attacks stemming from Russia’s invasion of Ukraine, which may give third parties greater access to private information and lead to more breaches. The HHS encountered this early in 2023, issuing a warning to hospitals about a Russian hacktivist collective known as ‘Killnet’, which alluded to possible targeting of hospitals and healthcare entities, not only in Ukraine but at institutions around the world.
The OCR continues to raise levels of compliance nationwide through outreach events, hosting over 200 in 2021 to build awareness wherever possible. In addition, the OCR introduced a website detailing the HIPAA regulations, which received nearly half a million visits per month two years ago, in 2021.
The following entities are considered covered entities subject to the regulations of HIPAA:
- organizations that issue healthcare coverage plans
- healthcare providers
- business associates of healthcare providers that engage in the exchange of patient information.