The OCR recently released an update on Phase 2 of its HIPAA audit program. Updates include:
- Desk audits for 166 covered entities are complete
- Desk audits for 41 business associates are underway
- After the desk audits are finished, on-site audits will begin
The OCR scores entities on their HIPAA compliance on a scale of 1 (in compliance) to 5 (no serious evidence of compliance). Results were mixed:
- For timeliness of breach notification, 65% of covered entities received a 1 score (the highest score)
- For content of breach notification, only 14% of covered entities scored a 1
- For content of notice of privacy practices, only 2% of covered entities scored a 1!
- Covered entities did better with the provision of notice of privacy practices: 57% received a 1 score
- Only 1% of covered entities scored a 1 for right of access
- ZERO covered entities received a score of 1 for their HIPAA security risk analysis
- For security risk management, 1% of covered entities earned a 1 score
What scores would your organization receive?
You can read the OCR’s findings, and its desk audit protocol, here: https://www.nist.gov/sites/default/files/documents////sanches_0.pdf