A report released on Friday found that HIPAA complaints and breaches spiked between 2017 and 2021, with the agency in charge of handling the notices saying it lacks sufficient resources to properly respond.
The Health Information Technology for Economic and Clinical Health Act requires the Department of Health and Human Services (HHS) to submit an annual report to Congress regarding HIPAA complaints, including how many the agency has received and resolved as well as how many complaints were settled monetarily.
The HHS Office for Civil Rights (OCR) stated that an audit for the report was not performed in 2021 due to a lack of financial resources.
According to the report, the number of large HIPAA breaches rose by 58 percent between 2017 and 2021, and the number of complaints rose by 39 percent. The agency defines large breaches as ones that affect at least 500 individuals.
HHS generally defines HIPAA breaches as any disclosure that “compromises the security or privacy of the protected health information” of an individual. Entities that are subject to the HIPAA Privacy Rule include insurance providers, health billing services, health care providers and facilities.
In the years that were scrutinized, 2020 saw the largest increase in large HIPAA breaches — 61 percent. While complaints and breaches rose, the agency noted in its report that appropriations did not.
“These factors have combined to cause a severe strain on OCR’s limited staff and resources. This lack of necessary funding limits OCR’s HIPAA enforcement activities during a time of substantial growth in cybersecurity attacks to the health care sector,” the report stated.
Of the more than 34,000 alleged HIPAA violations that HHS received in 2021, OCR said it resolved 78 percent of them before initiating an investigation. Another 13 complaints were resolved through investigations and monetary settlements totaling $815,150. Two investigations were resolved with civil money penalties totaling $150,000.
Many of the complaints that were resolved monetarily were for instances in which OCR determined that providers had failed to take “timely action” in response to patients’ requests for records.