Health Information Compliance Alert

Enforcement News:

New OCR Report Details Enforcement Activity and Reasoning

Risk analysis remains a thorn in CEs’ sides.

A review of HIPAA audits suggests that covered entities (CEs) are succeeding in some compliance areas while failing in others.

In the 2016-2017 HIPAA Audits Industry Report, the HHS Office for Civil Rights (OCR) details audits conducted on the HIPAA compliance activity of 166 CEs and 41 business associates (BAs). In its summary, the OCR reveals that most CEs were compliant with breach notification timeline requirements.

The majority of CEs also followed rules for posting Notices of Privacy Practices online, but the report showed many CEs’ Notices of Privacy Practices didn’t contain the correct content required by the HIPAA Privacy Rule, a release suggests.

OCR pointed to other failures uncovered while auditing the CEs and BAs. Examples of problems include:

  • Risk analysis failures by both BAs and CEs
  • Missing HIPAA-required content in patient materials
  • Right of Access issues

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino in a release.

Resource: See the audit report at www.hhs.gov/about/news/2020/12/17/ocr-issues-audit-report-health-care-industry-compliance-hipaa-rules.html.