In December, the OCR published the results of the 2016-2017 Phase 2 HIPAA Audits, which included desk audits of 166 covered entities and 41 business associates. The audits sought to determine the extent to which these organizations comply with selected HIPAA rules. The OCR found:
- Only 2% of covered entities fully met the requirements for the content of the Notice of Privacy Practices. Most of the non-compliant providers failed to provide a notice written in plain language.
- 57% of covered entities posted the Notice of Privacy Practices prominently on their websites (e.g., in a drop-down menu on the home page, or at the top or bottom of the home page).
- 89% of covered entities failed to show they complied with the individual right of access.
- 71% of covered entities issued breach notices in a timely manner.
- 67% of covered entities provided breach notification letters that were missing required content.
- 94% of covered entities "failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level." For example: "In some instances, encryption was included as part of a remediation plan, but was not carried out or was not implemented within a reasonable timeframe."
- 14% of covered entities “are substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities.”
For the remaining 86% of covered entities that did not meet the risk analysis requirements, there were some common issues:
- "Providers commonly submitted documentation of some security activities of a third party security vendor, but no documentation of any risk analysis that served as the basis of the activities.”
- “Entities offered third party template policy manuals that contain no evidence of entity-specific review or revision and no evidence of implementation.”
Are you ready?
The OCR's report did not speak highly of covered entities' HIPAA compliance. In fact, for several metrics, collective compliance was alarmingly low. How would your organization measure up?
Covered entities and business associates were given 10 business days to respond to the audit document requests. While there is no formal HIPAA audit program underway now, providers often receive audit letters from the OCR in response to a complaint or as part of a formal investigation. Are you prepared to prove your HIPAA compliance within 10 business days, using documentation that already exists rather than creating it after the letter arrives?