Physician Notes:
HIPAA audits reveal that smallest entities had most trouble staying compliant
Published on Mon Oct 27, 2014
If you’re wondering how covered entities fared during the first round of audits by the HHS Office for Civil Rights, you might be surprised at the answer. And you should pay close attention to these findings, because they will impact the compliance areas that OCR will focus on in the Phase 2 audits.
According to McDermott Will & Emery in an article published in The National Law Review, the Phase 1 OCR audits of 115 CEs produced the following aggregate results:
- Only 11 percent of audited CEs had no findings or observations;
- Despite representing just 53 percent of audited CEs, health care providers were responsible for 65 percent of the total findings and observations;
- The smallest audited CEs struggled with compliance under all three of the HIPAA standards;
- More than 60 percent of the findings or observations were security-standard violations, and 58 of 59 audited health care provider CEs had at least one security-standard finding or observation, even though the security standards represented only 28 percent of the total audit items;
- OCR attributed more than 39 percent of the findings and observations related to the privacy standards to a lack of awareness of the applicable privacy-standard requirement; and
- Only 10 percent of the findings and observations related to a lack of compliance with the breach-notification standards.