At Last, Results of HIPAA Compliance Audit Program Revealed
Lack of a Risk Assessment, Failure to Provide Patients With Records Access Are Common Problems
A long-overdue report on findings from a HIPAA compliance audit program conducted in 2016 and 2017 illustrates shortcomings that, unfortunately, are still common today. Those include the failure to conduct a security risk analysis and the failure to give patients access to their records.
Those shortcomings, found in remote “desk audits” of 166 covered entities and 41 business associates, are still often cited by the Department of Health and Human Services’ Office for Civil Rights in its breach investigations.
It’s not clear whether the long-dormant HIPAA compliance audit program could be revived under the Biden administration. HHS OCR did not immediately respond to an Information Security Media Group request for comment on the belated release of the audit report and on plans for an audit program moving forward.
Under the HITECH Act, HHS is required to periodically audit covered entities and business associates for their compliance with the HIPAA rules.
“We will continue our HIPAA enforcement initiatives until healthcare entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records,” says OCR Director Roger Severino.
Over the last year, OCR has issued proposed changes to the HIPAA Privacy Rule that would streamline certain requirements for notices of privacy practices.
Why did OCR release the overdue audit report now?
“OCR published the report in order to fulfill its statutory obligations under the HITECH Act before yet another year passed and before the end of the current administration,” says privacy attorney Iliana Peters of the law firm Polsinelli.
“The audit program is a statutory mandate, and it will be interesting to see what develops under the next administration’s leadership with regard to next steps for the program.”
Given OCR’s recent HIPAA settlement agreements, “risk analysis, risk management and patient access are still issues with which HIPAA covered entities - and business associates … struggle,” she notes.
“I believe this is due to a combination of factors: a lack of understanding of these more complicated requirements under HIPAA, a lack of resources to address them and a lack of recognition of their importance.”
Peters hopes that OCR will revive its HIPAA audits as a way to promote compliance.
“There are still significant areas for improvement in HIPAA compliance in the industry,” she says.
But Nahra says the audit program likely would be too small-scale to have an impact.
“It is too small a universe, too burdensome on the random recipients, and sending out a report three to four years later removes virtually all of the potential usefulness of the information. I would much rather see any money spent on audits be put into better guidance or educational materials or other kinds of more useful information.”