December 18, 2020
End-of-year report cards are in (or at least they are for covered entities), and the HIPAA compliance grades the Office for Civil Rights (OCR) and Department of Health and Human Services (HHS) just handed out are not ones to write home about. Just yesterday, the HHS released its latest HIPAA Audits Industry Report, grading providers and business associates on their level of compliance with HIPAA regulations.
The report evaluated audit results from 166 covered entities and 41 business associates, focusing specifically on compliance with the Notice of Privacy Practices, patient records access, breach notification timeliness and content, the Security Risk Analysis, and appropriate risk management programs. While the full report is pretty lengthy, we’ve compiled some of the top takeaways from these latest results:
- Only 2% of covered entities fully met the requirements for the Notice of Privacy Practices.
- Only 11% could demonstrate that they met requirements for individual right of access.
- Most audited organizations either did not meet timeframe requirements (no surprise given the OCR’s recent patient right of access enforcement activity) or did not have proper policies documenting how access is provided.
- 29% did not meet breach notification timeframe requirements for providing individuals with notice, and 67% did not include the appropriate required information in their notifications to individuals (yikes!).
- Only 14% of covered entities and 17% of business associates fulfilled requirements to conduct a Security Risk Analysis (SRA). This includes correct documentation of the SRA process, and evidence of the practice’s continual review and updates (FYI – required on a yearly basis).
- And the final whammy – 94% of covered entities and 88% of business associates FAILED to implement appropriate risk management activities (aka, did not have a proper, ongoing HIPAA compliance program in place to mitigate risks).
So what does this data tell us? In some ways, nothing new – all of the areas audited have factored heavily into recent OCR enforcement activity, and highlight the same trends we’ve seen all year. If not part of recent enforcement, these areas factor into the recent proposal to modify the HIPAA Privacy Rule, including proposed adjustments to the Notice of Privacy Practices.
“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino in a statement accompanying the latest report. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”
What NEW information can we take away from these results? Organizations are STILL. NOT. COMPLIANT. Many of the covered entities or business associates audited produced what they thought was sufficient evidence, but did not meet actual HIPAA requirements. Some weren’t even close – when asked to produce an SRA, entities provided irrelevant documents like a patient’s insurance prescription coverage and rights; a document discussing pharmacy fraud, waste and abuse; and a conflict of interest and code of conduct employee sign-off page – none of which are even semi-related to an actual SRA.
If your practice wants a better HIPAA grade than the ones in this recent audit, ensuring you have the PROPER documentation in place and meet ALL HIPAA requirements is key. If HIPAA isn’t your best subject, a software solution like Abyde is the tutor you’ve been needing to walk you through the process to get an A+ (and avoid hefty HIPAA fines, stress over your HIPAA program, and general unhappiness).