HHS: Healthcare continues to struggle with HIPAA compliance, IT security

Healthcare entities are continuing to struggle with meeting compliance requirements of the Health Insurance Portability and Accountability Act, particularly with securing network servers from hacking and IT risks, according to the Office for Civil Rights annual congressional report.

The Department of Health and Human Service OCR report is designed to help entities improve HIPAA compliance and is shared with Congress to detail the agency’s investigatory efforts and compliance reviews.

However, funding constraints are limiting HIPAA enforcement actions. Not only were there significant increases in HIPAA complaints filed with OCR between 2017 to 2021, the sector saw a 58% rise in reported large breaches during the same timeframe and “without any increases in appropriations during that same time period.”

The steep reduction of the penalty tiers for HIPAA violations have added to OCR’s monetary constraints. The agency requested an increase in the HITECH civil monetary penalty caps for this year.

But as it stands, the financial “factors have combined to cause a severe strain on OCR’s limited staff and resources [and] limits OCR’s HIPAA enforcement activities during a time of substantial growth in cybersecurity attacks to the healthcare sector.”

The data highlights these issues: OCR received 34,077 new complaints of possible HIPAA and HITECH violations in 2021, a 25% increase from 2020. The agency resolved 26,420 of those complaints, 20,661, or 78%, before initiating an investigation. In just 3% of those investigations, or 714 cases, OCR took corrective actions against the entities.

Just 13 investigations were resolved with resolution agreements and corrective action plans, two of which were resolved with monetary payments that totaled $5.13 million.

Notably, the report revealed OCR did not initiate any periodic audits in 2021, as required by the  HITECH Act. The agency is mandated to perform periodic audits of covered entities and business associates against HIPAA rules, “based on the application of a set of objective selection criteria.”

These audits aim to assess HIPAA compliance, adequate data protection, and ensure patients are being provided with their rights as outlined in HIPAA.

However, OCR was unable to initiate these audits due to “a lack of financial resources.” The agency is “currently developing the criteria for implementing future audits.”

Where covered entities struggle most with HIPAA compliance

The report also detailed areas where covered entities still struggle to meet HIPAA Security Rule requirements, including risk analysis and management, IT system activity review, audit controls and access controls. OCR stressed there’s a continued need to improve compliance in these areas.

In 2021, hacking and IT incidents were the largest category of data breaches reported to OCR as impacting over 500 or more patients and also comprised 75% of the reported incidents, as well as the most individuals. The largest category of incidents occurred against network servers. 

OCR is urging relevant entities to review HIPAA Security Rule standards and implementation specifications around security management process standards to improve prevention, detection, and correction of security violations. The agency has determined risk analysis and management are key areas for improvement.

“Failures to conduct a risk analysis leave regulated entities vulnerable to breaches of unsecured ePHI as cybersecurity attacks are increasing,” according to the report. OCR continues to find noncompliance in this area, as well as failure to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

Entities are also failing to regularly review records of information system activity, including audit logs, access reports, and security incident tracking reports. Agency investigations “found instances of deficient or non-existent information system activity review processes.”

In particular, OCR found “examples of deficient processes,” such as “a total lack of review of information system activity as well as reviews that were ad hoc and reactive.”

System activity review processes are critical to “detecting malicious activity, including from malicious insiders,” according to the report. Early detection of malicious activity can be key to eliminating or mitigating potential breaches and reducing the potential number of individuals affected.”

As revealed in the latest Protenus Breach Barometer, over 59 million patient records were reported as compromised last year. With the current state of nation-state targeting and DDoS attacks, it’s clear healthcare entities should prioritize remediating these key vulnerabilities.