The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently released the results of an audit evaluating the state of HIPAA compliance in health care. The audit reviewed the privacy and security practices of covered entities and their business associates to determine how effectively health care providers are complying with the HIPAA rules. The report reveals several areas where providers are commonly not meeting HIPAA requirements. These include:
1. Notices of Privacy Practices (“NPPs”) frequently do not include all of the elements required by the regulations. Only 2% of audited covered entities fully met the requirements specifying what information NPPs must contain and OCR found that over two thirds of covered entities failed to or made only minimal efforts to comply with the NPP requirements.
2. Many covered entities are not consistently ensuring that patients are able to access their protected health information within the HIPAA-specified time limits. Many of the audited covered entities failed to sufficiently document request for access to information or had inadequate policies for ensuring that information was provided within the deadlines set by the HIPAA regulations. Many covered entities also had policies that were incorrect or inconsistent with HIPAA right of access requirements such as those restricting the fees that can be charged for providing health information.
3. Most of the covered entities audited (67%) failed to include one or more required elements when notifying individuals of a breach of protected health information. When breaches occur, covered entities are required to provide affected individuals with a notice that conforms to the regulatory requirements. Many of these breach notification letters failed to include sufficient descriptions of the PHI involved, enough detail about the covered entity’s investigation and mitigation activities, or other important information mandated by the HIPAA regulations.
4. A very large percentage of covered entities and business associates are not conducting the mandatory risk analysis and risk management activities that are needed to protect electronically stored health information. Only 14% of covered entities and 17% of business associates audited were substantially fulfilling their obligations to safeguard electronic protected health information through risk analysis activities. Many entities failed to conduct regular or sufficient risk analyses and failed to maintain and update their policies and procedures. The audit also revealed that many entities only used third party template policies that did not show any entity-specific review or revision of those policies.
Wise Carter wishes to remind its covered entity and business associate clients of the importance of complying with the HIPAA regulations. Failure to comply with HIPAA requirements can result in civil monetary penalties and other consequences, including the reputational harm associated with the public notices issued by OCR when penalties for noncompliance are announced. Further, not complying with HIPAA requirements can result in loss of certain incentive payments for eligible providers (e.g. MIPS). We urge our clients to conduct regular reviews of their HIPAA compliance.
Wise Carter routinely reviews Notices of Privacy Practices and HIPAA policies and procedures to ensure they are up-to-date and consistent with HIPAA requirements. We can also assist providers in conducting security risk analyses and ongoing risk management. Further, for providers that experience a potential security incident or breach, we provide advice on whether a breach has occurred and what actions must be taken as a result of a breach.