The Department of Health and Human Services Office for Civil Rights (OCR) published a report on audits of compliance with the privacy, security and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) by HIPAA covered entities (CEs) and business associates (BAs). Most CEs complied with requirements for timely notification of breaches and prominent posting of the Notice of Privacy Practices (NPP) on their websites. However, many CEs failed to fully comply with requirements of the HIPAA Privacy Rule for providing access to Protected Health Information (PHI), and with regard to the required content of the NPP. Also, most CEs and BAs failed to demonstrate that they complied with the HIPAA Security Rule requirement for risk analysis and risk management. OCR noted that it provides extensive compliance resources for these areas.

With regard to the NPP, OCR found that only 2% of CEs had all the required content in their NPP, and many failed to meet the requirement that the NPP be written in plain language. In particular, content relating to individual rights was found deficient. OCR encouraged CEs to review the model NPP available on OCR’s website. The majority of CEs met the requirement for posting the NPP in a prominent location on the CE website. For those that did not, the most frequent problem was failing to meet the requirement that the NPP be “prominently posted”, for example through an accurately titled link on the home page.

Almost all CEs failed to correctly implement the HIPAA Privacy Rule requirements for ensuring individuals’ access to their PHI. Failures included inadequate documentation of access requests and inadequate or incorrect policies. In particular, OCR was critical of procedures that required individuals to submit signed authorization forms, which are not required for a right of access request. ONC referred CEs to its published guidance on improving the health records request process for patients, and to OCR’s audit protocol.

Both CEs and BAs generally met the timeliness requirement for breach notification, but the content of the notification was lacking for both CEs and BAs. Deficiencies for CEs included failure to explain the CE’s investigation and mitigation activities beyond a summary statement, and inadequate contact information. Some BAs failed to report to the CE the identities of individuals whose PHI was compromised, which made it impossible for the CE to appropriately notify the affected individuals.

A major area of deficiency for both CEs and BAs was failure to comply with Security Rule requirements for performing risk analyses and ongoing risk management. OCR found that only 14% of CEs and 17% of BAs were substantially meeting the risk analysis requirement. OCR was critical of reliance by CEs and BAs on standardized security products without customizing them for the specific circumstances of the entity. The appendix to the report lists several resources for Security Rule compliance published by OCR, the Office of the National Coordinator for Health Information Technology, and the National Institute of Standards and Technology.

The OCR report summarizes results of audits conducted in 2016 and 2017. The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) requires that OCR periodically audit compliance with the HIPAA rules, so it can be expected that OCR will conduct ongoing reviews of these and other HIPAA requirements in the years to come.

Published: 14 January 2021
Last Updated: 14 January 2021