The Office for Civil Rights (OCR) recently released a report discussing HIPAA compliance audits from 2016 and 2017. The report points to common areas of non-compliance with HIPAA standards, including Notice of Privacy Practices, right of access, breach notification, and risk management. More details on the HIPAA compliance audits are discussed.
HIPAA Compliance Audit and Notice of Privacy Practices
A Notice of Privacy Practices (NPP) provides patients with clarification on how their protected health information (PHI) will be used by their healthcare provider and the patient’s rights regarding their PHI. An NPP must be written clearly that patients can easily understand and prominently posted on the provider’s website. OCR’s HIPAA compliance audit report indicates that only 2% of audited organizations fully met the NPP requirements. Most of the organizations that failed to meet the NPP requirements either failed to explain patient’s rights or failed to provide patients with an NPP that they could easily understand. Additionally, although most audited organizations posted their NPPs on their website, several failed to make the NPP easily accessible from their homepage.
HIPAA Compliance Audit and Right of Access
The HIPAA right of access requires healthcare organizations to provide patients timely access to their medical records in the format requested and charge a reasonable cost-based fee for the records. Overall, the HIPAA compliance audits uncovered widespread noncompliance with right of access standards. The most common deficiencies included lack of or insufficient documentation of access requests and lack of right of access policies and procedures. Read more about what is HIPAA right of access and its violation fines 2020:
HIPAA Compliance Audit and Breach Notification
The HIPAA Breach Notification Rule requires healthcare organizations that experience a breach affecting PHI to report the incident. Breaches affecting 500 or more patients must be reported within 60 days of discovery to the HHS’ OCR, affected patients, and the media. Breaches affecting less than 500 patients must be reported within 60 days from the end of the calendar year in which the breach occurred (March 1st) to HHS’ OCR and affected patients. HIPAA compliance audit stated that most entities complied with timing requirements for breach notification; however, they failed to meet the content requirements for breach notification letters sent to patients. Most entities failed to provide patients with adequate contact information, a description of the types of PHI affected by the breach, the steps patients should take to protect themselves from potential harm resulting from the breach, and a description of what the breached organization is doing to investigate and mitigate the breach.
HIPAA Compliance Audit and Risk Management
HIPAA requires organizations to conduct annual HIPAA compliance audits, including self-audits to determine risks to PHI security. They must then use their findings to create risk management plans to address threats and vulnerabilities to PHI. According to the HIPAA compliance audits, most healthcare organizations failed to conduct thorough and accurate risk assessments, with less than 20% of organizations meeting the requirements. It was also determined that 94% of covered entities failed to implement risk management sufficient to secure PHI.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!