HHS: 2016-2017 HIPAA Audits Industry Report (Dec. 2020)
Available at https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf
HHS’s Office for Civil Rights (OCR) has issued a report describing its 2016–17 audit program, which reviewed covered entities’ and business associates’ compliance with certain HIPAA privacy, security, and breach notification rules (see our Checkpoint article). The report summarizes the audit results and recommends resources to address deficiencies identified in the audits. According to the report, OCR audited 166 covered entities—representing a “wide range” of health care providers, health plans, and health care clearinghouses—and 41 business associates. Covered entities were audited either on (1) aspects of the Notice of Privacy Practices, the individual access right, and breach notification; or (2) their risk analysis and risk management policies and procedures under the security rule. Business associates were audited on risk analysis, risk management, and breach notification. Compliance efforts were rated on a scale of 1 (entity was in compliance with goals and objectives of the selected standards and implementation specifications) to 5 (no evidence of a serious attempt to comply).
Describing the results, OCR notes that most covered entities demonstrated compliance with prominent posting of the Notice of Privacy Practices on their websites but omitted some required content. Few covered entities complied with individual access rights. Most covered entities complied with the timelines for breach notifications, but a significant majority omitted some required content. Few covered entities or business associates complied with the risk analysis and risk management implementation specifications. Although most of the audited business associates reported not having experienced breaches of unsecured PHI, most of those that had experienced a breach demonstrated minimal or negligible efforts to comply with the audited requirements.
EBIA Comment: The audit report paints a disappointing compliance picture, which is perhaps to be expected given the length and complexity of the privacy, security, and breach notification rules. Covered entities and business associates can benefit from reviewing the lists of recurring deficiencies in the audit report to evaluate whether their HIPAA compliance efforts suffer from similar shortcomings. The compliance resources identified in the audit report may also be helpful. Those seeking to limit liability for potential violations may be interested in legislation passed at the end of 2020, Pub. L. 116-321, which requires HHS to consider whether covered entities or business associates had “recognized security practices” in place for at least 12 months when determining penalties, audits, and other actions related to HIPAA breaches and security incidents. Recognized security practices include, among others, cybersecurity practices promulgated under the Cybersecurity Act of 2015. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.C (“HIPAA Compliance Audits by OCR”), XXV (“Breach Notification for Unsecured PHI”), XXVII.B (“Right to Access PHI in Designated Record Set”), XXVII.G (“Right to Receive Notice of Privacy Practices”), XXIX.E.4 (“Using the Health Industry Cybersecurity Practices as a Resource”), and XXX.B (“Administrative Safeguards”).
Contributing Editors: EBIA Staff.