Catherine Boerner (cboerner@boernerconsultingllc.com) is President of Boerner Consulting LLC in New Berlin, WI.
The Office for Civil Rights (OCR) conducted Phase 2 desk audits of 166 covered entities and 41 business associates for compliance with selected provisions of the Health Insurance Portability and Accountability Act (HIPAA). The 2016-2017 HIPAA Audits Industry Report,[1] released in December 2020, compiles the results of these audits, and reviewing it is a worthwhile exercise for privacy and security officers.
The report states that the vast majority of audited covered entities were healthcare providers (150 of the 166 total). A wide range of healthcare providers were represented, including practitioners, pharmacies, hospitals, health systems, skilled nursing facilities, and elder care facilities.
The conclusion of the report states:
This report presents information about OCR’s Phase 2 audits, the achievements and weaknesses identified, and methods audited entities may adopt, modify, and implement to strengthen compliance.
Notices of Privacy Practices are often missing elements – using an HHS model notice to help them prepare a compliant NPP may assist covered entities to avoid that mistake.
Most audited covered entities prominently post their Notices of Privacy Practices on their websites.
Covered entities are not consistently providing individual access under the Privacy Rule—they can improve by implementing better procedures and digital technology using HHS technical assistance.
The majority of audited covered entities issued breach notifications to individuals within the regulatory deadline.
Both covered entities and business associates failed to implement effective risk analysis and risk management activities to safeguard ePHI. Among other resources, smaller covered entities and business associates can use the updated Security Risk Assessment Tool released by HHS in 2018 to assist them with required risk management activities.
It is important to review your entire privacy and security program for compliance, focusing in particular on the four areas the report singles out: the Notice of Privacy Practices, patient access requirements, breach notification, and security risk analysis and risk management activities.
The OCR report refers to a document prepared by the Office of the National Coordinator for Health Information Technology, entitled Improving the Health Records Request Process for Patients: Insights from User Experience Research, to help covered entities think about and improve patient access to records. The document suggests eight improvements that can be made to create a streamlined, transparent, and electronic records request process.
HIPAA privacy and security compliance is ongoing. It is all about patient rights, safeguarding protected health information, and reducing risks and vulnerabilities to a reasonable and appropriate level.