The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.

The HITECH Act requires OCR to issue annual reports to Congress of HIPAA breaches and complaints received by OCR during the calendar year. For 2020, OCR reported that it received 656 notifications of breaches affecting 500 or more individuals, 66,509 notifications of breaches affecting fewer than 500 individuals, and 27,182 complaints alleging violations of HIPAA and the HITECH Act. The number of “500+” breaches increased by 61% from the number received in 2019, and OCR reported that those 656 breaches affected over 37 million individuals.

OCR’s breach report contains useful information regarding the most commonly reported categories of breaches and OCR’s recommendations on best practices to avoid such breaches. OCR reported that 68% of the “500+” breaches in 2020 involved “hacking/IT incidents of electronic equipment or a network server” while 23% involved “unauthorized access or disclosure of records containing PHI.” Less frequent but still somewhat common were breaches involving thefts of electronic equipment/devices (5%), loss of electronic media or paper records (2%), and improper disposal of protected health information (2%). At the conclusion of the report, OCR urged all covered entities to focus on their risk analysis and risk management processes, information system activity reviews, audit controls, security awareness and training, and authentication processes.

OCR’s enforcement report also provides statistics and information that can be useful to covered entities in focusing their compliance efforts. The top five issues alleged in complaints received by OCR in 2020 were: impermissible uses and disclosures, safeguards, right of access, administrative safeguards (Security Rule), and technical safeguards.

The enforcement report also includes a summary of the eleven resolution agreements entered into following complaint investigations in 2020. While the fact patterns that resulted in the complaints varied, there were commonalities in the compliance issues identified during the investigations and the requirements imposed in the resolution agreements. Many of the resolution agreements required the covered entities to conduct enterprise-wide risk analysis and develop and implement risk management. The development of right of access policies and workforce training regarding those policies was another recurring requirement. Risk analysis and management and the right of access have been areas of focus for OCR for several years, and this report makes clear that both remain high on OCR’s list of enforcement priorities.