2023 Data Security Incident Response Report

OCR/Healthcare Update


Healthcare privacy and security regulatory activity began slowly in 2022. But by the end of the year, between the Dobbs decision, significant regulatory guidance, and the deluge of healthcare privacy class actions, 2022 will have a lasting effect.

Dobbs in the Driver’s Seat

The impact of Dobbs on the healthcare industry cannot be overstated. While providers, employers, and insurance companies scrambled to reassess the way they provide and record information about women’s reproductive healthcare, regulators showed they recognized Dobbs as impacting many corners of operations:

  • Just days after the Dobbs decision was published, the OCR reminded covered entities and business associates that the privacy rule permits – but does not require – them to share PHI when requested by law enforcement officials.
  • The FTC stated in a July letter that non-HIPAA regulated entities in the health information space “would be hearing” from the FTC if they made false statements about data anonymization, data sharing, or data aggregation to users.
  • California passed several laws that impact how employers, healthcare providers, and insurance plans respond to law enforcement requests for information about individuals who have sought abortion-related services.

Ransomware Wobbles, Snooping Surges

Ransomware attacks declined significantly through mid-2022, but came roaring back at the end of the year and into the first quarter of 2023. Throughout 2022, however, we saw a significant increase in snooping incidents. Many of these incidents were driven by workforce members (including licensed care providers) looking for and diverting controlled substances, implicating insurance billing, patient safety, and inventory controls. What do ransomware and snooping have in common? Both can be detected early with appropriate auditing of system activity and timely reviews of those audit reports.
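The closing point above is that snooping leaves a trail in system audit logs, but only if someone actually reviews them. The following is an added example, not code from the report or its authors, showing what a first-pass automated review of EHR chart-access audit lines can look like. It assumes (my assumptions, not the report's) an audit line format of "timestamp,user,role,patient_id,action" and a care-team roster listing which patients each user is assigned to; the log lines and roster are constructed sample data.

```python
"""Added example: flag two common snooping indicators in constructed EHR audit lines.
Assumptions (not from the report): audit lines are "timestamp,user,role,patient_id,action"
and a care-team roster says which patients each user is assigned to."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (not real data).
AUDIT_LOG = """\
2022-03-01T08:02:11,nurse_a,RN,P1001,VIEW
2022-03-01T08:05:40,nurse_a,RN,P1002,VIEW
2022-03-01T08:09:02,nurse_a,RN,P1003,VIEW
2022-03-01T22:14:55,nurse_b,RN,P2001,VIEW
2022-03-01T22:15:10,nurse_b,RN,P2002,VIEW
2022-03-01T22:15:31,nurse_b,RN,P2003,VIEW
2022-03-01T22:15:48,nurse_b,RN,P2004,VIEW
2022-03-01T22:16:02,nurse_b,RN,P2005,VIEW
2022-03-01T22:16:20,nurse_b,RN,P2006,VIEW
2022-03-01T09:30:00,clerk_c,BILLING,P1001,VIEW
2022-03-01T09:31:00,clerk_c,BILLING,P9999,VIEW
"""

# Constructed care-team roster: the patients each user is expected to touch.
ASSIGNED = {
    "nurse_a": {"P1001", "P1002", "P1003"},
    "nurse_b": {"P2001", "P2002"},
    "clerk_c": {"P1001", "P9999"},
}


def parse_audit(text):
    """Parse CSV-style audit lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def find_snooping(events, assigned, burst_threshold=5, window_minutes=10):
    """Return (indicator, user, detail) tuples for two snooping patterns:
    - unassigned_access: a user opened the chart of a patient not on their roster
    - burst: a user touched >= burst_threshold distinct charts within window_minutes
    """
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["patient"] not in assigned.get(e["user"], set()):
            findings.append(("unassigned_access", e["user"], e["patient"]))
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            patients = set()
            for e in evs[i:]:  # sliding window starting at each event
                if (e["ts"] - start["ts"]).total_seconds() > window_minutes * 60:
                    break
                patients.add(e["patient"])
            if len(patients) >= burst_threshold:
                findings.append(("burst", user, len(patients)))
                break  # one burst finding per user is enough to queue a review
    return findings


if __name__ == "__main__":
    for finding in find_snooping(parse_audit(AUDIT_LOG), ASSIGNED):
        print(finding)
```

On the constructed data, nurse_a and clerk_c stay within their rosters and produce nothing, while nurse_b generates four unassigned-access findings and one burst finding. The thresholds are deliberately simple; in a real program they would be tuned per role against a baseline, and the output would feed the periodic audit review the report describes rather than replace it.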

Recognized Security Practices – Take Two?

The passage of the HIPAA Safe Harbor amendment in January 2021 (requiring the OCR to consider whether an entity had in place recognized security practices prior to an incident) was warmly welcomed by the healthcare industry. Both newly initiated and years-old investigations asked entities for proof of their recognized security practices. The problem? Entities were not clear on what “recognized security practices” really meant; it turns out, neither was the OCR. In April, the OCR requested public comment on how it should measure security practices, providing the CISO’s office a unique opportunity to frame HIPAA Security Rule compliance standards.

State Attorneys General Take an Interest in HIPAA-Regulated Entities

In 2022, we saw a marked increase in the number of state attorneys general interested in healthcare entities’ compliance and incident response posture. After entities provided breach notification, the attorneys general of Florida, New York, New Jersey, and Texas initiated investigations into HIPAA and state regulatory compliance.

OCR’s Right of Access Initiative – Big Problems Continue for Smaller Entities

The OCR’s Right of Access (ROA) Initiative continued to be a focus in 2022, with 17 such settlements as of the end of December 2022. While many non-ROA settlements have generally involved larger entities — and thus larger monetary assessments — the ROA settlements show a very different trend, exemplified by the entities involved in the 2022 ROA settlements:

  • 7 specialty practices
  • 6 dentist offices
  • 2 health systems
  • 1 Federally Qualified Health Center
  • 1 small hospital

Only two of the settlements exceeded $100,000 (one large hospital system, one larger specialty practice), with the remaining 15 settlement values averaging less than $38,000. Our clients have continued to receive ROA requests, signaling that even with OCR’s increased focus on reproductive health privacy, ROA continues to be an area of regulatory risk for entities in 2023. In fact, OCR Director Melanie Fontes Rainer said in a December 2022 press release that “[t]he right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. [OCR] will continue to ensure that healthcare providers and health plans take this right seriously and follow the law.”

OCR Enforcement Actions

Outside of ROA settlements, the OCR entered into six enforcement actions and settlements in 2022, many of which underscored that, in the era of network intrusions and ransomware, entities cannot forget the basics:

  • Do not publicly respond to online complaints by posting PHI
  • Do not use a patient list – even if just demographics – for marketing without an authorization
  • Do not dispose of PHI in garbage cans

OCR did not miss two opportunities to remind entities that deficient network activity monitoring, security risk assessments, and risk mitigation plans continue to drive enforcement actions. In fact, the two largest monetary settlements finalized between January 1 and December 31, 2022 ($875,000 in July 2022 and $1.25 million in December 2022) were based largely on alleged deficiencies in those areas.

From the first enforcement action in 2008 to the end of 2022:

  • 129 cases settled or imposed a civil monetary penalty (23 in 2022)
  • $16M highest amount paid as part of a resolution agreement ($1.25M in 2022)
  • $133.5M collected by OCR through its enforcement actions ($2.25M in 2022)

HIPAA Breaches of 500+ Individuals Reported to OCR

Year    Breaches reported
2016    329
2017    358
2018    369
2019    512
2020    663
2021    714
2022    717