
OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2022

The Department of Health and Human Services (HHS) Office for Civil Rights has submitted its annual reports to Congress on HIPAA Privacy, Security, and Breach Notification Rule compliance and breaches of unsecured protected health information (PHI) for calendar year 2022.

HIPAA Compliance in 2022

OCR explains in the report that large data breaches increased by 107% from 2018 to 2022, complaints about potential HIPAA violations increased by 17% over the same period, and OCR is now required to assess whether an entity has implemented recognized security practices when determining penalties. As a result, OCR’s workload has increased significantly, yet OCR has not received any increase in appropriations. OCR also reassessed the language of the HITECH Act in 2019 and reduced the penalty amounts in three of the four penalty tiers, resulting in smaller penalties. The increase in workload and the lowering of the penalty amounts have placed a severe strain on OCR’s limited staff and resources, and the lack of funding is hampering its ability to investigate complaints and data breaches at a time of substantial growth in cyberattacks on the healthcare sector. OCR is required by the HITECH Act to conduct annual audits to assess HIPAA compliance, but no such audits were conducted in 2022 due to a lack of financial resources.

Summary of HIPAA Complaints

In 2022, there was an 11% year-over-year decrease in complaints and <1% increase in compliance reviews.

  • 30,435 new complaints received alleging violations of the HIPAA Rules and the HITECH Act
  • 11,465 open complaints carried over from previous years
  • 32,250 complaints were resolved in calendar year 2022
  • 28,107 complaints were resolved before an investigation was initiated
  • 2,882 complaints were resolved through technical assistance
  • 560 complaints were resolved through voluntary corrective action
  • 686 complaints had insufficient evidence of HIPAA violations
  • 15 complaints resulted in OCR providing technical assistance after an investigation
  • 17 complaints were resolved through resolution agreements, corrective action plans, and monetary settlements ($802,500)
  • 1 complaint was resolved with a civil monetary penalty ($100,000)

OCR initiated 676 compliance reviews and closed 846 compliance reviews, 674 of which required corrective action to be taken or a civil monetary penalty to be paid. Three compliance reviews were resolved with resolution agreements and monetary payments totaling $2,425,640. The remaining 172 (20%) were resolved with technical assistance (4%), were closed because insufficient evidence was found to indicate a violation of the HIPAA Rules (11%), or were closed because OCR lacked jurisdiction to investigate the allegations (5%). The OCR HIPAA compliance report to Congress can be viewed here.


Calendar Year 2022 Healthcare Data Breaches

In calendar year 2022, OCR received 626 notifications of breaches of 500 or more records, an increase of 3% from 2021. Across those incidents, the PHI of 41,747,613 individuals was breached. The main cause of those data breaches was hacking. OCR also received 63,966 reports of breaches affecting fewer than 500 individuals each, affecting a total of 257,105 individuals, which represents a 1% increase in small breaches from 2021.

OCR investigated all of the large data breaches and two of the smaller breaches, conducting 799 breach investigations in calendar year 2022. Investigations that identified potential HIPAA violations were resolved through technical assistance, voluntary compliance, corrective action plans (CAPs), and monetary payments. In 2022, OCR resolved three investigations with monetary settlements and CAPs (Oklahoma State University – Center for Health Sciences; New England Dermatology & Laser Center; Banner Health) and collected $2,425,640 from these settlements.

OCR said 74% of the reported large data breaches were due to hacking/IT incidents, which affected 32,255,597 individuals, with the compromised data most commonly located on network servers. 22% of breaches were unauthorized access/disclosure incidents, and fewer than 1% of breaches were due to loss, theft, or improper disposal of PHI. The smaller breaches were mostly (93%) due to the unauthorized access or disclosure of PHI, most commonly paper records. 4% were due to loss, 1% were hacking/IT incidents, and fewer than 1% were improper disposal incidents.

The largest healthcare data breach in 2022 was a ransomware attack on a healthcare provider that affected 3,388,856 individuals. Ransomware attacks were common in 2022, as was the use of malware, phishing, and the exposure of PHI on public websites. The largest unauthorized access/disclosure incident occurred when a healthcare provider used tracking technologies on its website, which impermissibly disclosed the PHI of 3 million individuals to technology providers.

Loss and theft incidents have been falling due to the use of encryption. The largest theft incident involved 149,940 paper records that were stolen from a storage facility used by a healthcare provider. The largest loss incident involved the destruction of 2,500 records when a pipe broke. The largest improper disposal incident involved the records of 7,500 individuals, which were disposed of in a regular dumpster rather than being sent for shredding.

OCR’s investigations have confirmed that there is a continued need for HIPAA-regulated entities to improve HIPAA compliance, especially in the areas of risk analysis, risk management, information system activity review, audit controls, response and reporting, and person or entity authentication.

The most common measures taken in response to data breaches were:

  • Implementing multi-factor authentication for remote access
  • Revising policies and procedures
  • Training or retraining workforce members who handle PHI
  • Providing free credit monitoring and identity theft protection services to customers
  • Adopting encryption technologies
  • Imposing sanctions on workforce members
  • Changing passwords
  • Performing a new risk analysis
  • Revising business associate contracts

OCR’s annual report to Congress on data breaches can be viewed here.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
