Curious? Find Out What Phase 1 OCR Audits Revealed
Published on Tue Aug 19, 2014
Security-standard compliance items are a weak spot for providers.
If you’re wondering how covered entities (CEs) fared during the first round of audits by the HHS Office for Civil Rights (OCR), you might be surprised at the answer. And you should pay close attention to these findings, because they will impact the compliance areas that OCR will focus on in the Phase 2 audits.
According to McDermott Will & Emery (MWE) attorneys in a July 29 article published in The National Law Review, the Phase 1 OCR audits of 115 CEs produced the following aggregate results:
- Only 11 percent of audited CEs had no findings or observations;
- Despite representing just 53 percent of audited CEs, health care providers were responsible for 65 percent of the total findings and observations;
- The smallest audited CEs struggled with compliance under all three of the HIPAA standards;
- More than 60 percent of the findings or observations were security-standard violations, and 58 of 59 audited health care provider CEs had at least one security-standard finding or observation, even though the security standards represented only 28 percent of the total audit items;
- OCR attributed more than 39 percent of the findings and observations related to the privacy standards to a lack of awareness of the applicable privacy-standard requirement; and
- Only 10 percent of the findings and observations related to a lack of compliance with the breach-notification standards.