HHS Issues Annual Report on HIPAA Compliance
By Burnham Compliance
03.14.24
Annual Report on HIPAA Compliance Released by HHS

As required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office of Civil Rights (OCR) has issued its annual report to Congress on HIPAA Privacy, Security, and Breach Notification Rule compliance for the 2022 calendar year.

Employer Action Items

Plan sponsors of HIPAA-covered entities, especially those of self-insured health plans and business associates, should continually self-assess their compliance with the HIPAA privacy and data security rules, and the requirements under the HITECH Act. This includes ensuring business associate agreements are current, appropriate safeguards are being maintained, and policies and procedures are up-to-date and being followed.

Summary

A summary of OCR’s findings shows that during 2022, it received 30,435 new complaints alleging violations of HIPAA and the HITECH Act, and resolved 32,250 complaints. Most of these (87%) were resolved before initiating an investigation. In the 560 investigations that the OCR conducted, the covered entity or business associate took corrective action. 17 were resolved with Resolution Agreements and Corrective Action Plans (RA/CAP) and monetary settlements totaling over $802,500, and two with civil money penalties totaling $100,000.

The OCR also completed 846 compliance reviews and required entities to take corrective action or pay a civil penalty in 674 (80%) of these investigations, two of which resulted in RA/CAPs, along with monetary payments totaling over $2.4 million.

In addition, the OCR engaged in 124 outreach activities to (1) increase education of the public about their HIPAA rights, and of regulated entities about trends in large HIPAA breaches, and (2) provide education on the requirements of the HIPAA rules.

More Information

Read the full report here.

For questions regarding this Legislative Update or any other related compliance issues, please contact your Burnham Benefits Consultant or Burnham Benefits at 949‐833‐2983 or inquiries@burnhambenefits.com.


This Legislative Update was prepared by the Baldwin Regulatory Compliance Collaborative (the “BRCC”), a partnership of compliance professionals offering client support and compliance solutions for the benefit of the Baldwin Risk Partners organization, which includes: Jason Sheffield, BRP National Director of Compliance; Richard Asensio, Burnham Benefits Insurance Services; Nicole L. Fender, the Capital Group; Bill Freeman, AHT Insurance; Stephanie Hall, RBA/TBA; Caitlin Hillenbrand, AHT Insurance; Paul Van Brunt, Baldwin Krystyn Sherman Partners (BKS); and Natashia Wright, Insgroup.

Burnham Benefits and the BRCC do not engage in the practice of law and this publication should not be construed as the providing of legal advice or a legal opinion of any kind. The consulting advice we provide is intended solely to assist in assessing its compliance with applicable federal and state law requirements, and is based on our interpretation of federal guidance in effect as of the date of this publication. To the best of our knowledge, the information provided herein, and assumptions relied on, are reasonable and accurate as of the date of this publication. Furthermore, to ensure compliance with IRS Circular 230, any tax advice contained in this publication is not intended to be used, and cannot be used, for purposes of (i) avoiding penalties imposed under the United States Internal Revenue Code or (ii) promoting, marketing or recommending to another person any tax-related matter.