Maintaining the privacy and security of patient information is of utmost importance in the healthcare industry. The Health Insurance Portability and Accountability Act (HIPAA) safeguards sensitive healthcare data.
Below, we explore key statistics from The HIPAA Journal’s State of HIPAA May 2023 report, shedding light on HIPAA compliance and the challenges healthcare entities face in protecting patient privacy.
The OCR: Enforcement, Challenges, and Settlements
In recent years, the HHS Office for Civil Rights (OCR) has intensified its enforcement of HIPAA compliance. In 2022, a record number of settlements and civil monetary penalties (CMPs) were imposed due to violations. While most financial penalties still pertain to the HIPAA Right of Access, the OCR has also started imposing fines for other violations of HIPAA Rules. However, the OCR faces challenges due to a growing workload and stagnant budget. The number of reported data breaches, particularly ransomware attacks, has rapidly increased.
The three most common HIPAA violations in OCR’s enforcement actions between 2020 and 2023 were the HIPAA Right of Access with 42 cases, risk analysis with 11 cases, and notice of privacy practices with four cases. – Source: The HIPAA Journal
Challenges Faced by the OCR
Due to a 28 percent increase in potential HIPAA violation complaints and flat funding, the OCR’s ability to investigate and pursue financial penalties has been hindered. This has resulted in a 45 percent reduction in enforcement staff, impacting the speed and number of cases they can address.
Despite an increase in settlements and CMPs, there has been a substantial reduction in total HIPAA penalties. This reduction is primarily due to the reinterpretation of the HITECH Act language, which has led to lower maximum penalties for violations. As a result, the OCR will struggle to significantly increase funding through enforcement actions until Congress considers raising the maximum penalties.
Healthcare Data Breaches in June 2023
According to the HHS Office for Civil Rights (OCR) data breach portal, 43 healthcare data breaches were reported in June 2023, affecting over 2.9 million individuals. The most common type of breach was hacking, which accounted for 36 of the 43 incidents. Other types of breaches included unauthorized access, theft, and improper disposal of PHI.
The following are just a few of the top healthcare data breaches reported in June 2023:
- Managed Care of North America (MCNA): A dental insurer, MCNA, was hit with the largest breach of health data in 2023, one that also surpasses any breach in 2022. The breach affected more than 8.8 million Americans, according to HHS.
- Optum360: A healthcare technology company, Optum360, suffered a data breach that affected more than 4.2 million individuals. The breach was caused by a security vulnerability in the company’s software.
- EPIC Health Systems: A healthcare information technology company, EPIC Health Systems, suffered a data breach affecting over 3.7 million individuals. The breach was caused by a security vulnerability in the company’s software.
How Can SAI360 Help?
SAI360 is a cloud-based software solution that can help healthcare organizations protect themselves from HIPAA violations. The solution provides a comprehensive set of features and tools to help organizations manage their privacy and security risks, including:
- Risk assessment and remediation: Helps organizations assess their privacy and security risks and develop remediation plans to mitigate those risks
- Policy management: Provides a centralized repository for privacy and security policies, procedures, and training materials
- Training: Offers a variety of training modules to help employees understand their privacy and security responsibilities
- Incident management: Helps organizations manage data breaches and other security incidents
- Reporting: Provides a variety of reports to help organizations track their compliance progress and identify areas for improvement