HHS Summarizes HIPAA Privacy, Security and Breach Notification Audits
The Office for Civil Rights (OCR) at HHS released its 2016 – 2017 HIPAA Audits Industry Report, which reviews compliance with HIPAA privacy, security and breach notification rules of certain healthcare entities and business associates. The HITECH Act requires a periodic audit of covered entities and business associates to monitor for HIPAA compliance. Pursuant to this requirement, OCR completed audits of 166 covered entities and 41 business associates in 2016 and 2017.
The seven provisions audited include: required content of the notice of privacy practices, prominent posting of the notice of privacy practices on websites, individual right of access, timeliness of breach notification, content of breach notification, risk analysis, and risk management. A summary of the findings noted in the industry report demonstrates that:
- Most covered entities met the timeliness requirements for providing breach notification to individuals; and most also satisfied the requirement to prominently post their notice of privacy practices on their website (for those who maintain a website about their service or benefits).
- Most covered entities failed to adequately safeguard protected health information (PHI), ensure the individual right of access, provide the required content in the notice of privacy practices, and implement risk analysis and risk management as required by the HIPAA Security Rule.
The findings identify common areas of noncompliance. For example, while most covered entities met the breach notification timeliness requirement (notice must be sent without unreasonable delay but no later than 60 days following the breach discovery date), the content of the notice did not meet the rule’s requirements for many covered entities. Similarly, while most covered entities satisfied the requirement to post their notice of privacy practices on their website, only 2% fully met the content requirement.
In addition to an analysis of the audit results, the industry report provides details on the specific requirements of each audited provision and outlines the documents requested during the audit. For more information on the process and findings, see the industry report.
The audit serves to improve industry awareness of compliance obligations, among other goals. Employers should be mindful of OCR’s findings when formulating and administering their own HIPAA policies.
2016 – 2017 HIPAA Audits Industry Report