The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.

The HITECH Act requires OCR to issue annual reports to Congress of HIPAA breaches and complaints received by OCR during the calendar year. For 2020, OCR reported that it received 656 notifications of breaches affecting 500 or more individuals, 66,509 notifications of breaches affecting fewer than 500 individuals, and 27,182 complaints alleging violations of HIPAA and the HITECH Act. The number of “500+” breaches increased by 61%  from the number received in 2019, and OCR reported that those 656 breaches affected over 37 million individuals.

OCR’s breach report contains useful information regarding the most commonly reported categories of breaches and OCR’s recommendations on best practices to avoid such breaches. OCR reported that 68% of the “500+” breaches in 2020 involved “hacking/IT incidents of electronic equipment or a network server” while 23% involved “unauthorized access or disclosure of records containing PHI.” Less frequent but still somewhat common were breaches involving thefts of electronic equipment/devices (5%), loss of electronic media or paper records (2%), and improper disposal of protected health information (2%). At the conclusion of the report, OCR urged all covered entities to focus on their risk analysis and risk management processes, information system activity reviews, audit controls, security awareness and training, and authentication processes.

OCR’s enforcement report also provides statistics and information that can be useful to covered entities in focusing their compliance efforts. The top five issues alleged in complaints received by OCR in 2020 were: impermissible uses and disclosures, safeguards, right of access, administrative safeguards (Security Rule), and technical safeguards.

The enforcement report also includes a summary of the eleven resolution agreements entered into following complaint investigations in 2020. While the fact patterns that resulted in the complaints varied, there were commonalities in the compliance issues identified during the investigations and the requirements imposed in the resolution agreements. Many of the resolution agreements required the covered entities to conduct enterprise-wide risk analysis and develop and implement risk management. The development of right of access policies and workforce training regarding those policies was another recurring requirement. Risk analysis and management and the right of access have been areas of focus for OCR for several years, and this report makes clear that both remain high on OCR’s list of enforcement priorities.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.