The Department of Health and Human Services’ Office for Civil Rights has publicized its 2016-2017 HIPAA Audits Industry Report, featuring areas where HIPAA-covered entities and their business associates are complying or unable to abide with the standards of the Health Insurance Portability and Accountability Act.
The Health Information Technology for Economic and Clinical Health (HITECH) Act demands the HHS to perform regular audits of HIPAA covered entities and business associates to evaluate HIPAA Regulations compliance. From 2016 to 2017, the HHS performed its second stage of compliance reviews on 166 covered entities and 41 business associates to check compliance with specific terms of the HIPAA Security, Privacy, and Breach Notification Rules.
The 2016/2017 HIPAA compliance audits were done on representative entities by location; an extensive cross-section of covered entities and business associates. It included desk audits – remote evaluations of HIPAA paperwork – instead of on-site audits. All entities were since informed of the results of their specific audits.
The 2016-2017 HIPAA Audits Industry Report specifies the common discoveries of the audits, which include essential areas of HIPAA compliance that are showing troublesome for covered entities and business associates.
In the report, OCR provides every audited entity a score dependent on their degree of compliance with every particular condition of the HIPAA Rules under evaluation. A ranking of 1 signifies the covered entity or business associate was completely compliant with the objectives of the chosen requirements and implementation requirements. A score of 2 indicates the entity significantly fulfilled the standards and adequately kept policies and procedures and could give documentation|paperwork} or other evidence of compliance.
A ranking of 3 suggests the entity minimally resolved the audited demands and had applied some effort to comply, though did not comply completely or had misinterpreted the HIPAA specifications. A score of 4 indicates the entity made negligible attempts to abide, for example providing policies and procedures for evaluation that were copied straight from an association form or giving poor or generic paperwork as proof of training. A ranking of 5 suggests OCR was not given proof of a serious effort to conform with the HIPAA policies.
As per the audit findings, most audited covered entities typically failed to effectively carry out the HIPAA Rules prerequisites.
Most covered entities were compliant with the Breach Notification Rule requirement to deliver prompt notifications in case of a data breach. HIPAA necessitates the sending of those notifications in 60 days of discovering a data breach; but, most covered entities did not have all the necessary data in their breach announcements. The audits showed prevalent compliance with the prerequisite to make and plainly post a Notice of Privacy Practices on their web page. The Notice of Privacy Practices provides a clear, intuitive clarification of individuals’ rights regarding their personal health information (PHI) and points out the entity’s privacy practices. Nevertheless, most audited entities didn’t have all the needed information in their Notice of Privacy Practices.
The individual right of access is an essential condition of the HIPAA Privacy Rule. People have the right to acquire and examine their health data. Most covered entities did not correctly carry out the demands of the HIPAA Right of Access, which includes giving access to or a copy of the PHI held in 30 days after getting a request and just billing a fair cost-based payment for access.
The first stage of HIPAA compliance audits performed by OCR in 2012 showed extensive noncompliance with the prerequisite to carry out a detailed, company-wide risk analysis to determine vulnerabilities and threats to the integrity, availability, and confidentiality of PHI. In its enforcement actions in the last 11 years, the most often reported HIPAA violation is a risk analysis failure.
HIPAA covered entities still fail in this essential provision of the HIPAA Security regulation, with the most recent round of audits showing most audited entities didn’t follow the HIPAA Security Rule demands for risk examination and risk control.