OCR HIPAA Audits Industry Report Identifies Common Areas of Non-compliance with the HIPAA Regulations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released its 2016-2017 HIPAA Audits Industry Report, showing the areas in which HIPAA-covered entities and their business associates are complying with, or failing to follow, the requirements of the Health Insurance Portability and Accountability Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to perform periodic audits of HIPAA covered entities and business associates to evaluate their compliance with the HIPAA Rules. Between 2016 and 2017, the HHS carried out its second round of compliance audits, covering 166 covered entities and 41 business associates, to check compliance with selected provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The 2016/2017 HIPAA compliance audits were performed on a representative, expanded cross-section of covered entities and business associates. They consisted of desk audits (remote reviews of submitted HIPAA documentation) rather than on-site audits. All audited entities have since been notified of the findings of their particular audits.

The 2016-2017 HIPAA Audits Industry Report sets out the overall results of the audits, including the key areas of HIPAA compliance that are proving challenging for covered entities and business associates.

In the report, OCR gives every audited entity a score for its level of compliance with each specified provision of the HIPAA Rules under review. A rating of 1 means the covered entity or business associate was fully compliant with the goals of the selected standards and implementation specifications. A score of 2 indicates the entity substantially met the requirements, adequately implemented policies and procedures, and could provide documentation or other evidence of compliance.

A rating of 3 indicates the entity minimally addressed the audited requirements and had made some effort to comply, but was unable to comply fully or misunderstood the HIPAA requirements. A score of 4 indicates the entity made negligible efforts to comply with the rules, for example submitting policies and procedures for review that were copied directly from an association template, or providing poor or generic records as evidence of training. A rating of 5 indicates OCR was not presented with evidence of a serious attempt to comply with the HIPAA regulations.

Based on the audit results, most audited organizations failed to effectively implement the requirements of the HIPAA Rules.

Most covered entities were compliant with the Breach Notification Rule requirement to issue timely notifications in the event of a data breach. HIPAA requires those notices to be sent within 60 days of discovering a data breach; even so, most covered entities failed to include all the required content in their breach notices. The audits also showed widespread compliance with the requirement to create and post a Notice of Privacy Practices on their websites. The Notice of Privacy Practices provides a clear, plain-language explanation of individuals’ rights with regard to their protected health information (PHI) and describes the organization’s privacy practices. Nonetheless, most audited entities did not include all the required content in their Notice of Privacy Practices.

The individual right of access is a critical provision of the HIPAA Privacy Rule. Individuals have the right to obtain and inspect their health records. Most covered entities did not effectively implement the requirements of the HIPAA Right of Access, which include providing access to, or a copy of, the PHI held within 30 days of receiving a request and charging no more than a reasonable, cost-based fee for access.

The first round of HIPAA compliance audits, conducted by OCR in 2012, revealed widespread non-compliance with the requirement to perform a comprehensive, organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of PHI. In its enforcement actions over the past 11 years, the most commonly cited HIPAA violation has been a risk analysis failure.

HIPAA covered entities continue to fall short on this vital provision of the HIPAA Security Rule, with the most recent round of audits showing that most audited entities did not comply with the HIPAA Security Rule requirements for risk analysis and risk management.

The complete 2016-2017 HIPAA Audits Industry Report is available on this page.