2016/2017 HIPAA Compliance Audit Findings Published by HHS’ Office for Civil Rights

The long-awaited report from the Department of Health and Human Services’ Office for Civil Rights on the outcomes of the 2016/2017 HIPAA compliance audits has finally been released. The report provides insights into the provisions of HIPAA that have been proving problematic for healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities.

Based on previous audits and investigations, OCR devised its HIPAA audit protocol to assess compliance with aspects of HIPAA that were known to have caused problems in the past, and it would appear from the report that there is still considerable scope for improvement in compliance with those provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

OCR’s audit program was a requirement of the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR conducted the first phase of its HIPAA audits in 2012, with the second phase conducted in 2016/2017 on a representative sample of 166 covered entities and 41 business associates.

While the first phase of audits involved on-site, in-depth audits, the second phase consisted of a much narrower check of compliance in ‘desk audits,’ which were reviews of HIPAA compliance paperwork.

There were some positives in the report, as most covered entities were maintaining a website that provided easy access to their notice of privacy practices (NPP). The NPP details how the protected health information (PHI) of patients or health plan members will be used, and the rights individuals have over their PHI. Most covered entities were also found to be issuing breach notifications to OCR and breach victims within the 60 days allowed by the HIPAA Privacy Rule.

However, while notices of privacy practices were being provided, most covered entities failed to include all the required content in their NPP. Similarly, although breach notifications were being sent on time, most covered entities failed to include all the content the notifications are required to contain.

In 2019, OCR launched a new HIPAA Right of Access enforcement initiative and has since imposed 12 financial penalties on healthcare organizations that failed to provide individuals with a copy of their health data within 30 days of a request being submitted, or that charged more than a reasonable, cost-based fee for doing so.

The audit report highlights the extent of noncompliance with this Privacy Rule requirement. Most covered entities had failed to implement the individual right of access requirements and provide copies of PHI within 30 days for a reasonable cost.

Despite issuing guidance and imposing many financial penalties on covered entities and business associates for failing to conduct an organization-wide, comprehensive risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, most covered entities and business associates were found to have failed to implement the HIPAA Security Rule requirements for risk analyses and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”