Contact Us

Warning: OCR HIPAA Audits Reveal Widespread Noncompliance

December 23, 2020 | Eric D. Fader | Electronic Health Records | HIPAA | Legislation and Public Policy | Litigation | Private Insurers

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently released an audit report on HIPAA compliance by 166 covered entities and 41 business associates during 2016-2017. The audits included detailed on-site reviews of entities’ documentation and implementation of HIPAA rules. The release of the report may foreshadow increased enforcement activities in 2021.

The audits revealed widespread and inexplicable failures to comply with basic HIPAA privacy and security rules, with most covered entities demonstrating full compliance in just two out of seven audited areas. Shockingly, the audit found that 98% of providers failed to provide appropriate content in their required Notices of Privacy Practices, despite the availability of templates on HHS’s website; 67% did not provide all of the required content and document adequate compliance with data breach notification requirements; and 89% did not comply with patient right of access guidelines. OCR has recently targeted the latter problem with its Right of Access Initiative, as discussed here and here, and these efforts will undoubtedly continue.

Most alarming was the failure by most covered entities and business associates to comply with the HIPAA Security Rule requirement that they conduct periodic risk assessments, despite numerous efforts by OCR over many years to educate providers of this need. A provider or health plan that suffers a data breach and, upon investigation, is found not to have conducted risk assessments or to have properly trained its employees will generally be forced to pay much higher financial penalties. With the availability of HHS’s user-friendly security risk assessment tool, discussed here, covered entities and business associates have no legitimate excuse for shirking their obligation to safeguard patients’ protected health information.

In a statement, OCR Director Roger Severino said, “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.” Any healthcare entity that has not taken a serious look at its HIPAA compliance lately is urged to do so.

Share this article:
Eric D. Fader

AUTHOR

Eric D. Fader

Partner

Authors
show more
ARCHIVES
December 2020 November 2020 October 2020 September 2020 August 2020 July 2020 June 2020 May 2020 April 2020 March 2020 February 2020 January 2020 December 2019 November 2019 October 2019 September 2019 August 2019 July 2019 June 2019 May 2019 April 2019 March 2019 February 2019 January 2019 December 2018 November 2018 October 2018
Authors
show more
ARCHIVES
December 2020 November 2020 October 2020 September 2020 August 2020 July 2020 June 2020 May 2020 April 2020 March 2020 February 2020 January 2020 December 2019 November 2019 October 2019 September 2019 August 2019 July 2019 June 2019 May 2019 April 2019 March 2019 February 2019 January 2019 December 2018 November 2018 October 2018

Get legal updates and news delivered to your inbox

Attorney Advertising. Prior results do not guarantee a similar outcome.
Terms of Use | DMCA | Privacy Policy | Cookie Policy | Do Not Sell or Share My Personal Information
© 2026 Rivkin Radler LLP. All Rights Reserved.