ORC Report to Congress: HIPAA Complaints Skyrocket

A blue door with two small holes in it.

Between 2017 and 2021, Health Insurance Portability and Accountability Act (HIPAA) complaint violations rose 39 percent and large breaches reported increased 58 percent, according to a recent report from the Office for Civil Rights (OCR) to Congress.

We have been writing about these complaints and settlements since 2019.

OCR received 34,077 new HIPAAcomplaints alleging violations of the HIPAA Rules and the HITECH
Act, representing an increase of 25% from the number of complaints received in calendar year 2020. OCR resolved 26,420 complaints. Of those, 20,661 (78 percent) were resolved before an investigation was initiated. OCR resolved 4,139 (16 percent) by providing technical assistance in lieu of an investigation (pre-investigational technical assistance). In 714 (3 percent) of the investigations, a covered entity or business associate took corrective action, and in 89 of these complaints, OCR provided technical assistance after initiating an investigation (post-investigated technical assistance).

OCR resolved 13 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $815,150, and two complaint investigations with civil money penalties totaling $150,000.

OCR completed 573 compliance reviews and required those implicated to take corrective action
or pay a civil money penalty in 83% (475) of these investigations. Two compliance reviews
were resolved with RA/CAPs and payments totaling $5,125 million.

In the remaining 98 complaints (17 percent) completed compliance reviews, OCR provided the covered entity or business associate with post-investigation technical assistance (3%), found insufficient evidence of a violation of the HIPAA Rules (11%), or lacked jurisdiction to investigate the allegations (3%). OCR issued one subpoena, and no audits were initiated.

OCR enforces HIPAA by investigating written complaints and conducts compliance reviews to
determine if covered entities or business associates comply.

Due to a lack of funding, OCR said it did not conduct any audits in 2021. However, it did settle some of the investigations initiated earlier. Among them:

Banner Health agreed to pay $200,000 and take corrective action to resolve two complaints involving violations of the HIPAA Right of Access standard.

Excellus Health Plan agreed to pay $5.1 million and take corrective action to settle a data breach affecting more than 9.3 million people.

Renown Health agreed to pay $75,000 and take corrective action to resolve allegations that it failed to timely respond to a patient’s request that an electronic copy of her protected health information, including billing records, be sent to a third party. 

Sharp Healthcare dba Sharp Rees-Stealy Medical Centers (SRMC) agreed to pay $70,000 to
settle allegations it failed to take timely action in response to a patient’s records access request directing that an electronic copy of PHI in an electronic health record be sent to a third party.

For more click here.

Providers should review their policies and practices to ensure that they respond to patient requests for access to medical records promptly and in compliance with HIPAA rules. Our attorneys are well qualified to assist you in this matter. Contact us for additional information at 305-358-4500 or send us an email to info@vitalehealthlaw.com and let’s discuss how we might be able to assist you.

Ready to find out more?

Call 305-358-4500 to schedule a
FREE 15-minute consultation today!

Posted in

The Health Law Offices of Anthony C. Vitale