2023 HIPAA Update

March 20, 2023

HIPAA’s federal standards determine when and how health care providers, including allergists, and their business associates can store, transmit, use, and disclose individuals’ protected health information (PHI). HIPAA violations have been more common in recent years and create potential financial liabilities for breach of confidentiality of PHI. HHS’ Office for Civil Rights (OCR) recently published its Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2021, which summarizes key enforcement activities undertaken by OCR during 2021. According to the Annual Report, although OCR did not perform any audits in 2021, there have been significant increases in HIPAA complaints and large breaches. This article provides a high-level overview of the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule and the Annual Report.

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes federal standards governing the use and disclosure of PHI. Under the HIPAA Privacy Rule, health care providers and their business associates are prohibited from using or disclosing PHI unless the HIPAA Privacy Rule requires/permits it. When using or disclosing PHI or when requesting PHI from another covered entity or business associate, a health care provider or its business associate must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request (the “minimum necessary rule”).

In addition, the HIPAA Privacy Rule provides directives regarding the use and disclosure of de-identified PHI. The HIPAA Privacy Rule also sets standards governing business associate contracts, notice of privacy practices, rights of individuals, and administrative requirements (e.g., personnel designations, training, policies, and procedures). For additional information, please refer to the Privacy Rule.

HIPAA Security Rule

The HIPAA Security Rule requires that health care providers and their business associates maintain certain technical, administrative, and physical safeguards to ensure the reasonable and appropriate protection of electronic-PHI (e-PHI).

Under the HIPAA Security Rule, health care providers and their business associates must:

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
  • Ensure compliance by their workforce.

In implementing security measures, health care providers and their business associates must consider the following factors:

  • The size, complexity, and capabilities of the entity
  • The entity’s technical infrastructure, hardware, and software security capabilities
  • The cost of implementing security measures
  • The probability and criticality of potential risks to e-PHI

For additional information, please refer to the Security Rule.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires a health care provider, following the discovery of a breach of unsecured PHI, to notify HHS and each individual whose unsecured PHI has been, or is reasonably believed to have been, breached. For a breach of unsecured PHI involving more than 500 residents of a state, the health care provider, following the discovery of the breach, must also notify prominent media outlets serving the state. A business associate must similarly notify the covered entity (i.e., the health care provider) of such a breach. For additional information, please refer to the Breach Notification Rule.

Annual Report

In its 2021 Annual Report, the OCR identified the number of complaints received, how those complaints were resolved, the number of compliance reviews initiated by OCR, the outcome of each review, the number of audits performed, and the number of subpoenas or inquiries issued. Notably, OCR did not perform any audits in 2021 “due to a lack of financial resources,” and OCR issued only one subpoena in 2021.

Between 2017 and 2021, there was a significant increase in HIPAA complaints (39%) and in large breaches reported (58%). During this timeframe, breaches impacting fewer than 500 individuals increased by 5%, and breaches impacting 500 or more individuals increased by 58%. Between 2020 and 2021, HIPAA complaints increased by 25%, totaling 34,077 new complaints in 2021. That year OCR resolved 26,420 complaints:

  • OCR resolved 20,661 (78%) complaints before initiating an investigation (including untimely complaints, complaints involving alleged conduct that does not violate HIPAA, and complaints involving alleged violation by entities not covered by HIPAA).
  • OCR resolved 4,139 (16%) complaints by providing technical assistance in lieu of an investigation.
  • OCR resolved 1,620 (6%) complaints by investigation:
    • 817 complaints resulted in a finding that there was insufficient evidence of a HIPAA violation.
    • 714 complaints resulted in corrective action.
    • 89 complaints resulted in post-investigation technical assistance.

OCR resolved 13 complaint investigations through resolution agreements and/or corrective action plans and monetary settlements totaling $815,150. OCR resolved two complaints by assessing civil monetary penalties in the amount of $150,000. In 2021, the top five issues alleged were impermissible uses and disclosures, right of access, safeguards, administrative safeguards, and breach notice to individuals.

In 2021, OCR initiated 674 compliance reviews to investigate allegations of HIPAA violations that did not arise from complaints. Of the 573 compliance reviews closed that year, the majority were resolved following an investigation, with the entity taking corrective action, agreeing to a settlement with a corrective action plan, or being assessed a civil monetary penalty.

OCR is tasked with enforcing HIPAA by investigating complaints, conducting compliance reviews and audits, issuing subpoenas to compel cooperation with an investigation, providing education and outreach to support compliance, and imposing civil monetary penalties ranging from $100 to $50,000 per violation (adjusted for inflation). In 2019, HHS significantly reduced the maximum annual limit for civil monetary penalties: $25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and $1,500,000 for uncorrected willful neglect, adjusted for inflation.

The Advocacy Council will continue to monitor these and other regulatory issues.