Taelor Thornton

Associate Editor

Loyola University Chicago School of Law, JD 2024

The Health Information Portability and Accountability Act (HIPAA) complaints and breaches increased from 2017 to 2021, yet the Department of Health and Human Services Office for Civil Rights (HHS OCR) stated that they did not perform any audits due to financial resources in 2021. The number of large breaches affecting 500 people or more increased by 58% from 2017 to 2021. This lack of financial resources demonstrates one example of how the healthcare system is hurting individuals in America. HIPAA should be revised to allow for these individuals to have a way to address the situation other than through HHS OCR enforcement.    

HHS OCR HIPAA report 

HHS OCR is responsible for enforcing HIPAA rules that protect the privacy and security of individuals’ health information. The majority of HHS OCR’s enforcement of HIPAA has been directed at large-scale breaches that impact at least 500 people. HHS OCR publicizes these breaches by highlighting them on its website. However, HHS OCR is not even required to tell the public which healthcare providers reported small breaches that affect less than 500 people or how many. These breaches only have to be reported to HHS OCR once a year. 

The HHS OCR is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to report to Congress annually. This report to Congress contains the number, nature, and response to breaches endangering protected healthcare information. It must also include how the violation was resolved and the number of reports that resulted in penalties. In the report submitted recently to Congress, HHS OCR has seen a 39% increase in the number of HIPAA complaints and has initiated 44% more compliance reviews. Large breaches increased by 58% from 2017 to 2021, while small breaches increased by 5% within the same time. 

Hurting Americans 

In large breaches, the most commonly reported case of the breach is a hacking incident. The frequency of cyberattacks on hospitals and health systems more than doubled from 2016 to 2021. Healthcare organizations across the world reported an average of 1,463 cyberattacks per week in 2022.  Patients’ medical history and other information were the most commonly compromised data in these attacks. This information is wanted by the hackers because of the financial and personal data contained in these files. The hackers can use the information for blackmail or to commit fraudulent billing. 

Then in small breaches, the most commonly reported cause of the breach is unauthorized access and disclosures. These small breaches have real consequences, but HHS OCR rarely punishes healthcare providers for them, instead, HHS OCR makes them pledge to fix any problems. These kinds of breaches can lead to a lot of misery in an individual’s life.  

Now, with the lack of financial resources in this office, HIPAA enforcement actions are limited. This will hurt the American people the most rather than the hospitals and other healthcare companies. Hospitals and other healthcare companies are normally penalized with a fine, while people could face actual pain and hatred. Now, this fine may not be imposed, but people could still face pain and hatred from their privacy being compromised. 

HIPAA doesn’t even allow people to even sue for damages if their privacy is violated since there is no private right of action. If people feel like their healthcare data has been exposed, they can only contact the HHS OCR. HHS OCR not only investigates these claims, but also other civil rights laws, privacy, and religious freedom laws. Now their lack of funding might lead some people with no recourse in cases of HIPAA violations.  

Some people may have another legal redress through a violation of state law, not a HIPAA violation. Around thirteen states such as California and New York have passed laws that expand patient rights that are considered to be more stringent than HIPAA. These states recognize that data privacy is becoming a concern and that there is a need to protect it.  

The HIPAA should be amended to allow all people to sue the hospital and healthcare entity.  People deserve another recourse, and it shouldn’t depend on the state they are in. This will increase the enforcement power and not have it fall all to HHS OCR in some states. In return, healthcare entities will be more incentivized to fix their systems.