OCR Says Desk Audits Rate Many HIPAA Efforts as Inadequate or Worse


The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released preliminary results from Phase 2 of the HIPAA Audit Program. The data was drawn from limited scope desk audits of 166 covered entities (CE) in July 2016. OCR rated their compliance with the HIPAA Privacy, Security and Breach Notification standards as largely “inadequate,” with over 94% of the covered entities failing to demonstrate appropriate risk management plans.

OCR reported that 90% of the organizations selected were healthcare providers, while the remainder were health plans and a single healthcare clearinghouse. CEs were required to submit documentation through an online web portal demonstrating that they had policies and processes in place that addressed the requirements specified in the review.

During the desk audits, 103 CEs were tested on their Privacy and Breach Notification Rule compliance. Specifically, OCR reviewed how healthcare providers were meeting requirements for notices of privacy practices. They also reviewed how providers were handling patients’ requests for their right to access Protected Health Information (PHI) and to receive an electronic copy of it. Additionally, OCR audited how an organization notified individuals affected by a reportable breach of PHI.

At the same time, 63 CEs received audit protocols testing Security Rule compliance. OCR requested documentation of policies and procedures for risk analysis of the effectiveness of safeguards protecting information systems that handle e-PHI, including copies of enterprise-wide risk analysis performed. They also requested the organization’s risk management plan to address gaps identified during the assessment.

The Results

After the audits were completed, the responses were assessed through the subjective analysis of OCR’s reviewers. The analysis was then scored using its “Compliance Effort Rating of 1 to 5.” A response that earned a compliance effort rating of “1” or “2” demonstrated full compliance with the requirements of the standard or implementation specification. OCR described a compliance effort rating of 3 as “…implementation that was inadequate…or a misunderstanding of the requirements.” A response with a score of “4” or “5” could best be described as failure or epic failure, respectively.

Rated Inadequate or Worse   Topic
89%                         Patient right of access or copy of their PHI
65%                         Content of Notice of Privacy Practices
67%                         Content of notice to individuals that there has been a breach
83%                         Perform an information security risk analysis
94%                         Establish or maintain an information security risk management plan

While the lasting impact of the Phase 2 HIPAA Audit program is open to debate, the comprehensive audit protocol is being widely used by OCR investigators to conduct compliance reviews and investigations. The hallmark of the audit protocol is its breadth: it addresses each and every standard and implementation specification of the Privacy, Security, and Breach Notification Rules. The tool also provides criteria for measuring whether an organization’s actions demonstrate that it meets the requirements of the HIPAA standards. Healthcare organizations, as well as contractors and vendors handling PHI, should use the 2016 Audit Protocol as the yardstick against which their compliance will be measured.

More than 25 OCR resolution agreements and corrective action plans cite the failure of a covered entity to perform an adequate information security risk analysis. OCR’s finding that 83% of its audits uncovered serious problems with the organization’s risk analysis shows that the health care industry has a lot of work to do in taking those first steps toward safeguarding the information systems that handle PHI. It is just as alarming that 94% of those audited could not demonstrate that they have an effective information security risk management plan.

How to Prepare

Healthcare provider practices, health plan administrators, and business associates should prepare now so they are ready if selected for a compliance review or complaint investigation. Some best practices to prepare now include:

  • Review OCR’s audit protocol as well as the HIPAA and HITECH regulations
  • Make sure you have the latest guidelines, policies, and procedures in place
  • Ensure you have access to all required audit documentation and clearly understand the submission process
  • Consider having your staff conduct a mock audit or use a third-party specialist to make sure you are prepared for the real thing.
September 15th, 2017

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.