Lack of a Risk Assessment, Failure to Provide Patients With Records Access Are Common Problems
A long-overdue report on findings from a HIPAA compliance audit program conducted in 2016 and 2017 illustrates shortcomings that, unfortunately, are still common today. Those include the failure to conduct a security risk analysis and the failure to give patients access to their records.
Those shortcomings, found in remote “desk audits” of 166 covered entities and 41 business associates, are still often cited by the Department of Health and Human Services’ Office for Civil Rights in its breach investigations.
It’s not clear if the long-dormant HIPAA compliance audit program could be revived under the Biden administration. HHS OCR did not immediately respond to an Information Security Media Group request for comment on the belated release of the audit report and plans for an audit program moving forward.
Under the HITECH Act, HHS is required to periodically audit covered entities and business associates for their compliance with the HIPAA rules.
“We will continue our HIPAA enforcement initiatives until healthcare entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records,” says OCR Director Roger Severino.
Over the last year, OCR has issued a dozen HIPAA settlements in cases involving violations of patients’ rights to access their records.
Plus, over the years, dozens of OCR HIPAA settlements after breach investigations have cited weak or missing security risk assessments as key factors.
OCR’s desk audits examined covered entities’ compliance with certain provisions of the HIPAA privacy, security and breach notification rules. Audits of business associates focused on breach notification and security rule compliance.
OCR’s report, issued Thursday, highlighted the comparative compliance strengths and weaknesses. For instance, the HIPAA enforcement agency found that most covered entities:
- Met the timeliness requirements for providing breach notification to individuals;
- Satisfied the requirement to prominently post their notice of privacy practices on their website;
- Failed to provide all of the required content for a notice of privacy practices;
- Failed to provide all of the required content for breach notification to individuals;
- Failed to properly implement requirements for providing patients access to their records, such as timely action within 30 days and charging a reasonable cost-based fee;
- Failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.
Privacy attorney Kirk Nahra of the law firm WilmerHale said the audits’ finding of shortcomings in providing privacy notices that include information about individuals’ rights to inspect and receive a copy of their health information was surprising.
“I am actually astonished by this finding: Only 2% of covered entities fully met the requirements, while two-thirds failed to or made minimal or negligible efforts to comply,” he says.
“That has not at all been my experience with privacy notices – many of them are hard to read because they include all of the information that OCR requires.”
HHS OCR recently issued proposed changes to the HIPAA Privacy Rule that would streamline certain requirements for notices of privacy practices.
Why did OCR release the overdue audit report now?
“OCR published the report in order to fulfill its statutory obligations under the HITECH Act before yet another year passed and before the end of the current administration,” says privacy attorney Iliana Peters of the law firm Polsinelli.
“The audit program is a statutory mandate, and it will be interesting to see what develops under the next administration’s leadership with regard to next steps for the program.”
Given OCR’s recent HIPAA settlement agreements, “risk analysis, risk management and patient access are still issues with which HIPAA covered entities – and business associates … struggle,” she notes.
“I believe this is due to a combination of factors: a lack of understanding of these more complicated requirements under HIPAA, a lack of resources to address them and a lack of recognition of their importance.”
Peters hopes that OCR will revive its HIPAA audits as a way to promote compliance.
“There are still significant areas for improvement in HIPAA compliance in the industry,” she says.
But Nahra says the audit program likely would be too small-scale to have an impact.
“It is too small a universe, too burdensome on the random recipients, and sending out a report three to four years later removes virtually all of the potential usefulness of the information. I would much rather see any money spent on audits be put into better guidance or educational materials or other kinds of more useful information.”