There are important lessons for covered entities and business associates in the 2016-2017 HIPAA Audits Industry Report the Office for Civil Rights (OCR) just released. The report is based on their findings from a review of selected covered entities for compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.
By way of background, OCR's announcement mentioned the Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to periodically audit covered entities and business associates for their compliance with the HIPAA Rules.
Import Lessons for Covered Entities and Business Associates from Conducted OCR Audits
OCR conducted audits of 166 covered entities and 41 business associates and has published an Industry Report of overall findings. OCR's summary of audit findings are important lessons for covered entities and business associates:
- Most covered entities met the timeliness requirements for providing breach notification to individuals;
- Most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website;
- Most covered entities failed to provide all of the required content for a Notice of Privacy Practices;
- Most covered entities failed to provide all of the required content for breach notification to individuals;
- Most covered entities failed to properly implement the individual right of access requirements such as timely action within 30 days and charge a reasonable cost-based fee;
- Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.
In a nutshell, even with the proposed changes to the HIPAA Privacy Rule, covered entities will still need to provide timely breach notification to individuals and must ensure notification letters include all required content. Additionally, the requirement to prominently post the Notice of Privacy Practices will remain, even with proposed changes to the Privacy Rule. In fact, covered entities may need to update existing Notice of Privacy Practices if the proposed rule is finalized. Right of access continues to be a major focus. Covered entities should look at their current processes and determine if they are charging a reasonable cost-based fee. And, as is the case every year, one of the top enforcement activities from OCR is a failure to implement an accurate and thorough Security Risk Analysis and risk management plan.
Healthcare Compliance Pros can help your organization make sure you are in compliance with these very important HIPAA requirements. Contact us by phone: 855-427-0427 or by email: firstname.lastname@example.org.