Key Findings & Takeaways from OCR HIPAA Audit Findings

15 January 2021 | Health Care Law Today Blog
Authors: Jennifer L. Urban, Jennifer J. Hennessy, Aaron T. Maguregui

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services recently published its findings from audits conducted in 2016 and 2017 of covered entities’ and business associates’ compliance with selected provisions of HIPAA’s Privacy, Breach Notification, and Security Rules. The audits included health care providers, health plans, health care clearinghouses, and business associates. In short, OCR found material noncompliance with HIPAA’s Notice of Privacy Practices (NPP), right of access, breach notification, and security risk analysis and risk management requirements.

Key findings from the report include:

  • Content of NPP. Of the covered entities audited, only 2% fully met the content requirements of a valid NPP. Most covered entities failed to provide required content related to individual rights or, in some cases, failed to provide an NPP written in plain language.

  • Prominently Posted NPP. Most covered entities met the requirement to post their NPP prominently on their website. Still, some covered entities failed to meet the "prominently posted" requirement by not posting the NPP directly on, or accessible from, the homepage, or by using hyperlinks that could confuse the individual, such as hyperlinks titled "policy" or "HIPAA," or multiple hyperlinks titled "Privacy Policy" that led a user to two different privacy guidelines.

  • Right of Access. Covered entities are required to provide individuals with access to the protected health information (PHI) the covered entity maintains about the individual in a designated record set. However, almost all covered entities failed to show that they were correctly implementing procedures to ensure the right of access. OCR found recurring themes in its audit, including inadequate documentation of access requests and policies related to providing access that were insufficient, inadequate, or incorrect and, in some cases, absent altogether.

  • Breach Notification Rule. A majority of covered entities audited issued breach notifications to individuals within the 60-calendar-day regulatory timeframe provided by the HIPAA Breach Notification Rule. However, most covered entities submitted notification letters to individuals that were missing required content. OCR noted that the required content most frequently omitted or inadequate was: a description of the types of unsecured PHI involved in the breach; steps the individual should take to protect themselves from potential harm caused by the breach; contact information; and an explanation of the entity's investigation and mitigation activity.

  • Security Risk Analysis. OCR found that less than 20% of covered entities and business associates audited fulfilled their regulatory responsibilities to safeguard electronic PHI (ePHI) through risk analysis activities. OCR noted that covered entities and business associates generally failed to identify and assess the risks for all ePHI, develop and implement policies and procedures for conducting a risk analysis, identify threats and vulnerabilities in light of their potential impact to ePHI, review and periodically update a risk analysis in response to changes or events which may impact ePHI, and conduct a risk analysis consistent with policies and procedures.

  • Risk Management Standards. OCR found that because both covered entities and business associates failed to conduct appropriate risk analyses, as discussed above, they were then unable to connect their security plans to the management of identified risks. An overwhelming percentage of covered entities (94%) and business associates (88%) failed to implement appropriate risk management activities.

The areas audited above are likely to draw closer scrutiny from investigators during breach and individual complaint investigations. Therefore, covered entities and business associates should audit their privacy policies and practices and, at a minimum, consider the following takeaways from OCR's audit findings:

  • NPPs must contain all required elements, including, among other requirements, the elements regarding individual rights, and be written in plain language. Covered entities should review the model NPPs on OCR’s website for guidance.

  • NPPs should be easily accessed and prominently posted on the covered entity's website. Best practices include providing a link on the homepage that clearly identifies it as the HIPAA Notice of Privacy Practices, ensuring that the links function and direct the individual to the appropriate privacy guidelines, and ensuring that the NPP identifies the correct covered entity that maintains the website. Where separate covered entities participate in an organized health care arrangement, a joint notice should be provided that clearly and specifically describes the covered entities, or class of covered entities, to which the joint notice applies.

  • Review individual right of access documentation, policies, and procedures to evidence and improve the individual records request process. The audit report comes at the tail end of a year that saw OCR vigorously enforce individuals' rights to access and exercise control over their medical records. Right of access compliance will continue to receive attention, as OCR recently issued a Notice of Proposed Rulemaking to revise the HIPAA Privacy Rule, which seeks, among other revisions, to expand the right of access. Therefore, covered entities and business associates can expect OCR to continue enforcing against infringements of an individual's right to access their health information in 2021. For covered entities and business associates seeking additional assistance, the Office of the National Coordinator for Health Information Technology has developed aids addressing this specific issue, such as Improving the Health Records Process for Patients.

  • Breach notification letters must be written in plain language and include: a brief description of the breach, including the dates the breach is believed to have occurred and the date the breach was discovered; a description of the PHI involved in the breach; any steps individuals should take to protect themselves from potential harm resulting from the breach; a description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity or business associates, as applicable.

  • Conduct a security risk analysis of the potential risks and vulnerabilities to ePHI. Whether conducting the analysis internally or through a third-party vendor, covered entities and business associates are responsible for maintaining an appropriate and current risk analysis consistent with policies, procedures, and changes in the environment, operations, or security incidents. OCR provides helpful resources and links for covered entities and business associates seeking guidance on risk analyses.

  • Implement appropriate risk management strategies. Covered entities and business associates must use their security risk analysis findings to inform and link their security plans to the management of identified risks. In an attempt to promote and incentivize compliance with the Security Rule, Congress has proposed legislation that would effectively create a safe harbor by amending the HITECH Act to require OCR to take into account whether a covered entity or business associate has met recognized security standards when making determinations regarding enforcement and regulatory actions.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.