The Office for Civil Rights (OCR) completed its initial privacy and security audits in March, and many have wondered how the first 20 audited entities fared. At a recent OCR and National Institute of Standards and Technology conference, OCR provided some official details.
Covered entities that were lucky enough to avoid the first round of HIPAA audits should use this opportunity to learn from the less fortunate. Examining the audit results—and the (soon-to-be-released) audit protocol—allows covered entities to:
- Identify areas for improvement in their compliance efforts;
- Revisit their risk analysis and risk management;
- Discover risks and vulnerabilities that previously had not been identified;
- Reinforce training;
- Examine mechanisms for promoting compliance, particularly audits; and
- Encourage renewed attention to compliance activities.
The results of this small audit sample confirmed many suspicions regarding HIPAA compliance: small covered entities have some of the largest compliance issues, health care providers are still behind in their compliance efforts, and audit monitoring appears to be one of the biggest disconnects between covered entity practices and government expectations. Some highlights from the OCR overview of the 2012 HIPAA audits include:
- Small covered entities had a lot more issues than large ones. Six of the 20 audited entities (30%) were small entities (e.g., $50 million or less in revenue), but these small entities represented 66% of the deficiency findings (77% of privacy audit findings, 61% of security audit findings).
- Health care providers had more problems than plans or clearinghouses. A disproportionate number of the deficiencies were attributable to health care providers. While providers represented 50% of the 20 audited entities, they were responsible for 81% of the deficiency findings.
- Security is the bigger problem. The majority of the findings were related to the Security Rule (65%), followed by the Privacy Rule (26%), and then the Breach Notification Rule (9%). OCR indicated that this is partially attributable to more of the audit protocol focusing on security than privacy or breach notification.
The biggest privacy issues involved:
- Review process for denials of patient access to records;
- Failure to provide appropriate patient access to records;
- Lack of policies and procedures;
- Uses and disclosures of decedent information;
- Disclosures to personal representatives; and
- Business associate contracts.
Non-compliance with the HIPAA Security Rule’s administrative safeguards requirements accounted for 42% of the audit findings, followed closely by technical safeguards (41%), with physical safeguards (17%) coming in a distant third. The biggest security issues involved:
- User activity monitoring;
- Contingency planning;
- Media reuse and destruction;
- Risk assessment; and
- Granting and modifying user access.
What can covered entities do?
Covered entities can use this initial data to review their own HIPAA compliance efforts. For example:
- Does the covered entity appropriately monitor user access?
- Has the covered entity planned for contingencies such as power or network outages?
- Does the covered entity have a process in place for reviewing certain denials of patient access?
- Does the covered entity have policies and procedures protecting decedent information?
- Does the covered entity have up-to-date, HIPAA-compliant business associate contracts in place with all of its business associates?
- Is the covered entity’s risk analysis up-to-date?