At Last, Results of HIPAA Compliance Audit Program Revealed

Lack of a Risk Assessment, Failure to Provide Patients With Records Access Are Common Problems
A long-overdue report on findings from a HIPAA compliance audit program conducted in 2016 and 2017 illustrates shortcomings that, unfortunately, are still common today. Those include the failure to conduct a security risk analysis and the failure to give patients access to their records.

Those shortcomings found in remote “desk audits” of 166 covered entities and 41 business associates are still often cited by the Department of Health and Human Services in its Office for Civil Rights’ breach investigations.

It’s not clear if the long-dormant HIPAA compliance audit program could be revived under the Biden administration. HHS OCR did not immediately respond to an Information Security Media Group request for comment on the belated release of the audit report and plans for an audit program moving forward.

Under the HITECH Act, HHS is required to periodically audit covered entities and business associates for their compliance with the HIPAA rules.

“We will continue our HIPAA enforcement initiatives until healthcare entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records,” says OCR Director Roger Severino.

Over the last year, OCR has issued proposed changes to the HIPAA Privacy Rule that would streamline certain requirements for notices of privacy practices.

The Timing

Why did OCR release the overdue audit report now?

“OCR published the report in order to fulfill its statutory obligations under the HITECH Act before yet another year passed and before the end of the current administration,” says privacy attorney Iliana Peters of the law firm Polsinelli.

“The audit program is a statutory mandate, and it will be interesting to see what develops under the next administration’s leadership with regard to next steps for the program.”

Given OCR’s recent HIPAA settlement agreements, “risk analysis, risk management and patient access are still issues with which HIPAA covered entities - and business associates … struggle,” she notes.

“I believe this is due to a combination of factors: a lack of understanding of these more complicated requirements under HIPAA, a lack of resources to address them and a lack of recognition of their importance.”

Looking Ahead

Peters hopes that OCR will revive its HIPAA audits as a way to promote compliance.

“There are still significant areas for improvement in HIPAA compliance in the industry,” she says.

But Nahra says the audit program likely would be too small-scale to have an impact.

“It is too small a universe, too burdensome on the random recipients, and sending out a report three to four years later removes virtually all of the potential usefulness of the information. I would much rather see any money spent on audits be put into better guidance or educational materials or other kinds of more useful information.”

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
