OCR Audit Gives Providers Mixed Results for HIPAA Compliance

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires the HHS Office for Civil Rights (OCR) to periodically audit covered entities and business associates for compliance with HIPAA Privacy, Security and Breach Notification Rules. On Dec. 17, 2020, the OCR announced the findings of its most recent audit covering 166 covered entities and 41 business associates. The Good News OCR found that most covered entities: Met the timeliness requirements for providing breach notification to individuals; and Satisfied the requirement to prominently post their Notice of Privacy Practices on the website they maintain about their customer services or benefits. The Bad News The OCR audit also found that most covered entities failed to: Provide all of the required content in their Notice of Privacy Practices; Provide all of the required content for breach notification to individuals; Properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee; and Implement the HIPAA Security Rule requirements for risk analysis and risk management (this was also the case for most business associates).