Warning: OCR HIPAA Audits Reveal Widespread Noncompliance

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently released an audit report on HIPAA compliance by 166 covered entities and 41 business associates during 2016-2017. The audits included detailed on-site reviews of entities’ documentation and implementation of HIPAA rules. The release of the report may foreshadow increased enforcement activities in 2021.

The audits revealed widespread and inexplicable failures to comply with basic HIPAA privacy and security rules, with most covered entities demonstrating full compliance in just two out of seven audited areas. Shockingly, the audit found that 98% of providers failed to provide appropriate content in their required Notices of Privacy Practices, despite the availability of templates on HHS’s website; 67% did not provide all of the required content and document adequate compliance with data breach notification requirements; and 89% did not comply with patient right of access guidelines. OCR has recently targeted the latter problem with its Right of Access Initiative, as discussed here and here, and these efforts will undoubtedly continue.

Most alarming was the failure by most covered entities and business associates to comply with the HIPAA Security Rule requirement that they conduct periodic risk assessments, despite numerous efforts by OCR over many years to educate providers of this need. A provider or health plan that suffers a data breach and, upon investigation, is found not to have conducted risk assessments or to have properly trained its employees will generally be forced to pay much higher financial penalties. With the availability of HHS’s user-friendly security risk assessment tool, discussed here, covered entities and business associates have no legitimate excuse for shirking their obligation to safeguard patients’ protected health information.

In a statement, OCR Director Roger Severino said, “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.” Any healthcare entity that has not taken a serious look at its HIPAA compliance lately is urged to do so.