The HHS Office for Civil Rights released, at the end of last year, findings from audits it conducted in 2016 and 2017 of 166 covered entities and 41 business associates. The report represents the periodic audit that the Department of Health and Human Services must periodically conduct of covered entities and business associates for compliance with the requirements of HIPAA and the HITECH Privacy, Security, and Breach Notification Rules. There are many practical take-aways for businesses from the OCR’s report.

OCR concluded that most covered entities and business associates met the timeliness requirements for providing breach notification to individuals, and most covered entities (that maintained a website about their customer services or benefits) also satisfied the requirement to prominently post their Notice of Privacy Practices on their website. However, OCR also found that most covered entities and business associates failed to meet the requirements for other selected provisions in the audit. Covered entities and business associates can keep these findings in mind as they build out and review their privacy and security measures. Concerns raised by OCR included, among others, that the entities failed to:

  • Properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of PHI within 30 days of receiving a request and only charging a reasonable cost-based fee for access.
  • Implement the HIPAA Security Rule requirements for risk analysis and risk management.
  • Satisfy regulatory content requirements for breach notification letters (e.g. failing to include a description of the electronic personal health information (ePHI) breached and steps individuals can take to protect themselves from additional harm).

Putting it Into Practice: As HIPAA covered entities and business associates enter the new year, they can use the report as a tool to enhance their awareness of their HIPAA compliance obligations. Steps to consider include access rights, risk management, and including correct content in breach notices.