By Compliancy Group

2023 was a banner year for health care fines and breaches. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled 13 cases with health care organizations for potential violations of the Health Insurance Portability and Accountability Act of 1996. The OCR breach portal also listed 563 large-scale breaches on its site.

2023 OCR fines: Who and why

In 2023, the HHS OCR settled cases with eight covered entities and four business associates for potential HIPAA violations. Fines ranged from $15,000 to $1.3 million, totaling $4,176,500.

2023 fines: Facts and lessons

1. HIPAA Security Rule violation fines reigned supreme.
2. The HIPAA Right of Access Initiative remained a top priority for enforcement.
3. Doctors’ offices must learn how to respond to patient reviews.
4. Insider breaches remain a threat, highlighting the importance of policies, procedures, employee training and access controls.
5. Hacking and phishing incidents are bound to happen, but when organizations fail to conduct a Security Risk Assessment (SRA) and implement robust security controls, they will be fined.
6. Business associate agreements ensure your vendors uphold HIPAA standards, and when they don’t, they’ll be fined – not you.

2023 health care breaches: Facts and figures

There were 563 large-scale breaches reported on the OCR breach portal in 2023. Those breaches affected a staggering 124,630,800 patients, an increase of 127% compared to 2022’s 55 million patients.

Ransomware and hacking are still the primary cyber threats in health care. According to the HHS, over the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware. This trend continued in 2023, where hacking accounted for 84% of the large breaches reported to OCR.

Unauthorized access or disclosure of protected health information (PHI) accounted for 13.68% of breaches on the OCR online portal, while theft accounted for 1.6% of incidents reported. Both improper disposal and loss of medical records accounted for less than 1% of reported breaches.

In 2023, the majority of breaches listed by OCR were reported by health care providers—366 incidents, representing 65.01% of reported breaches and affecting 35,188,999 patients. While business associates reported 112 incidents, patients affected by business associate breaches were at an all-time high of 59,315,445 affected patients, or 47.59% of total patients affected. Eighty-two health plans also reported breaches affecting 14,900,373 patients. One health care clearinghouse reported a breach affecting 501 patients.

Preventing health care breaches and fines

As breaches targeting health care organizations skyrocket, it is essential to implement measures to prevent unauthorized access to sensitive data. Implementing an effective HIPAA compliance program is the best way to do this. HIPAA compliance includes risk analysis, policies and procedures, employee training, and incident management. Had organizations fined by OCR over the last year implemented an effective compliance program, the incident and subsequent fine could have been prevented.

Learn more about 2023 health care breaches and fines in this free eBook.

Compliancy Group’s software automates HIPAA compliance for medical spas. Achieving compliance can be done quickly through just a few self-paced virtual meetings. New customers will save 15% on Compliancy Group’s software, which includes live coaching to guide you through your compliance requirements, risk assessment that makes the required HIPAA risk assessment a breeze, policies and procedures that fully satisfy HIPAA regulations and protect your business, and intuitive and automated HIPAA training that awards the HIPAA Seal of Compliance upon completion.