By: Andrew Silverio, Esq.
In December 2020, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released the findings of an extensive audit of Covered Entities and Business Associates, performed in 2016 and 2017 for compliance with various HIPAA requirements. This data, available at https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf, provides valuable insight into what Covered Entities are doing right, and what they’re doing wrong, when it comes to HIPAA compliance (of the Covered Entities audited, 90% were health care providers, 9% were health plans, and 1% were health care clearinghouses).
Rather than a general audit for compliance with all of HIPAA’s requirements, the audit focused on seven provisions. For Covered Entities, it looked at compliance with the notice of privacy practices and content requirements, the provision of notice – electronic notice (website posting) requirement, and the right of access requirements (from the Privacy Rule); the timeliness of notification and content of notification requirements (from the Breach Notification Rule); and the security management process – risk analysis and risk management requirements (from the Security Rule). For Business Associates, the scope of the audit was narrower, focusing only on the notification by a business associate requirements (from the Breach Notification Rule) and the security management process – risk analysis and risk management requirements (from the Security Rule).
Overall, the audit found that compliance with requirements that come into play after a security issue or breach occurs, such as breach notification requirements, is generally good. Compliance with the requirement to make the applicable Notice of Privacy Practices available online was also good. However, the results were less positive regarding other requirements which represent more of the “groundwork” in setting up proper safeguards and procedures. For example, “… OCR also found that most covered entities failed to meet the requirements for other selected provisions in the audit, such as adequately safeguarding protected health information (PHI), ensuring the individual right of access, and providing appropriate content in their NPP. OCR also found that most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.”
These findings make sense from an intuitive standpoint – it’s easy to simply not think about HIPAA’s requirements until a problem arises. However, this audit underscores the importance of creating proper safeguards proactively – doing so can result in less damage if and when a breach occurs, both financially and when it comes to preserving client and participant goodwill.