The HIPAA enforcement agency has reported to Congress that in 2011 and 2012, there were hundreds of reported privacy breaches involving millions of persons.  The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued two reports to Congress. The two reports – required under the Health Information Technology for Economic and Clinical Heath Act (HITECH) – address (i) Breaches of Unsecured Protected Health Information (Breach Report) and (ii) Health Information Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rule Compliance (Compliance Report).

Breach Report

The Breach Report outlines the breach notification requirements and discusses the breach notification reports received during the calendar year 2011 to 2012 reporting period, including the number and nature of breaches reported during the reporting period and actions taken in response to those breaches.

The Breach Report identifies theft; unauthorized access, use, or disclosure; improper disposal; hacking/IT incident; and unknown/other as the primary reported causes of larger breaches. HHS reports that in this reporting period, HHS has entered into seven resolution agreements/corrective action plans totaling more than $8 million in settlements as a result of investigations conducted after a breach was reported to HHS. In addition, HHS reports that OCR received 236 reports of breaches involving 500 or more individuals occurring in calendar year 2011, which affected approximately 11,415,185 individuals. HHS also reports that OCR received 222 reports of large breaches occurring in calendar year 2012, which affected approximately 3,273,735 individuals.

Compliance Report

The Compliance Report reviews HHS compliance and enforcement activities as well as complaints received by HHS with respect to the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report outlines the number of complaints received, those resolved informally, and those resulting in the imposition of civil money penalties or resolved through monetary settlements. The Compliance Report also summarizes the number of compliance reviews (and outcomes), the number of subpoenas or inquiries issued, the number of audits (and summary of findings), and the Secretary of HHS’s plan for improving compliance and enforcement in the following year.

HHS reports that from 2003 to 2012, OCR investigated 27,466 complaints and resolved 18,559 of these cases by requiring corrective actions and/or providing technical assistance. During calendar year 2011, OCR opened at least 245 compliance reviews that did not arise from complaints, and in 2012, OCR opened at least 235 compliance reviews that did not arise from complaints. The Compliance Report also summarizes seven resolution agreements in the reporting period.

Interested parties should stay tuned for next year’s Compliance Report to assess whether OCR’s increased investigation and enforcement discretion pursuant to the HITECH Omnibus Rule will significantly affect compliance statistics, enforcement activities, and imposition of penalties.