A comprehensive study of HIPAA compliance across the healthcare industry, conducted by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), has found some good news and some bad news for healthcare providers, which we outline below.
Why does OCR conduct these audits?
In 2009, the U.S. Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was designed to promote the adoption and meaningful use of health information technology.
The HITECH Act included a requirement for “periodic audits to ensure that covered entities and business associates . . . comply with such requirements.” The requirements those audits check are the two HIPAA rules:
- HIPAA Privacy Rule: Covers the use and disclosure of protected health information (PHI) and the standards that must be upheld for individuals to understand and control how their individually identifiable health information is used.
- HIPAA Security Rule: Establishes required security standards to protect electronic protected health information (ePHI), which is health information or records that are held or transferred in electronic form.
HITECH itself addresses the privacy and security concerns associated with the electronic transmission of health information by strengthening the civil and criminal enforcement of HIPAA rules.
What did the latest audit find?
Although released this month, this latest report covers audits performed in 2016 and 2017. During that timeframe, the OCR looked at 166 covered entities and 41 business associates and summarized its findings.
First, the good news:
- Most covered entities met the timeliness requirements for providing breach notifications to affected individuals.
- Most covered entities with websites satisfied the requirement to prominently post their Notice of Privacy Practices.
Then, the bad news:
- Most covered entities failed to provide all of the required content for a Notice of Privacy Practices.
- Most covered entities failed to provide all of the required content for breach notifications to affected individuals.
- Most covered entities failed to properly implement right of access requirements.
- Most covered entities and business associates failed to implement the HIPAA Security Rule’s requirements for risk analysis and risk management.
“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”
What does this audit mean for health care organizations?
The audit helpfully highlights two areas where the OCR has increased its focus and enforcement activities: hacking and the Right of Access initiative.
On the hacking front, cybersecurity training is a key way to make sure your employees aren’t vulnerable to attack; so is investing in a HIPAA-compliant email solution with inbound security, such as Paubox Email Suite Plus.
As for the Right of Access initiative, which was launched last year, the OCR is ensuring that patients have ready and reasonable access to their own health records.
As patient requests for their medical data become more common, it’s important to develop an efficient and secure way to fulfill them. Securely automating patient communications with tools like the Paubox Email API can help.