Warning: OCR HIPAA Audits Reveal Widespread Noncompliance

Rivkin Radler LLP

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently released an audit report on HIPAA compliance by 166 covered entities and 41 business associates during 2016-2017. The audits included detailed on-site reviews of entities’ documentation and implementation of HIPAA rules. The release of the report may foreshadow increased enforcement activities in 2021.

The audits revealed widespread failures to comply with basic HIPAA privacy and security rules: most covered entities demonstrated full compliance in only two of the seven audited areas. The audit found that 98% of providers failed to include the required content in their Notices of Privacy Practices, despite the availability of templates on HHS's website; 67% did not include all of the required content in breach notifications or adequately document compliance with the breach notification requirements; and 89% did not comply with the patient right of access requirements. OCR has recently targeted the right of access problem through its Right of Access Initiative, as discussed in our earlier updates, and these efforts will undoubtedly continue.

Most alarming was the failure of most covered entities and business associates to comply with the HIPAA Security Rule requirement that they conduct periodic risk assessments of the threats to electronic protected health information, despite OCR's many years of effort to educate providers about this obligation. A provider or health plan that suffers a data breach and, upon investigation, is found not to have conducted risk assessments or not to have properly trained its workforce can expect substantially higher financial penalties. With the availability of HHS's user-friendly security risk assessment tool, discussed in an earlier update, covered entities and business associates have no legitimate excuse for shirking their obligation to safeguard patients' protected health information.

In a statement, OCR Director Roger Severino said, “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.” Any healthcare entity that has not taken a serious look at its HIPAA compliance lately is urged to do so.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
