OCR Shares HIPAA Compliance Audit Results: 5 Takeaways

The Office of Civil Rights (OCR) recently reported on its first round of HIPAA compliance audits. There’s much for everyone to learn from the results. Some early takeaways:

1. Small covered entities have more issues than larger ones

“Six of the 20 audited entities (30%) were small entities (e.g., $50 million or less in revenue), but these small entities represented 66% of the deficiency findings (77% of privacy audit findings, 61% of security audit findings)…” [HIPAA Audits Results Released: We Still Have Work to Do – Davis Wright Tremaine]

2. Providers had the most findings (81%)

“Provider findings were both privacy and security related… The most common privacy findings included misuse of the PHI of deceased individuals, compliance with the patient confidential disclosures right, disclosures for judicial proceedings, compliance with the patient access right, failure to follow policies and procedures, no evidence of policy and procedure implementation, insufficient policies and procedures, failure to review and update policies on an ongoing basis, and failure of the organization to prioritize HIPAA compliance…” [OCR Shares Preliminary HITECH Audit Results; What Regulated Entities Can Expect Next – Mintz Levin Health Law]

3. Security remains a big issue

“Non-compliance with the HIPAA Security Rule’s administrative safeguards requirements accounted for 42% of the audit findings, followed closely by technical safeguards (41%), with physical safeguards (17%) coming in a distant third…” [Davis Wright Tremaine again]

4. In the next round of audits, the document deadline will be increased to 15 days

“In the first round of audits, covered entities were required to produce documents within 10 days of OCR’s initial written request. For the next round of audits, OCR is extending that time period to 15 days in light of the difficulties that covered entities had in meeting the 10-day deadline. No extensions of the 15-day period will be granted…” [Mintz Levin]

5. Business associates will be targeted in future audits

“OCR’s general advice for covered entities was to conduct regular program reviews and updates. Covered entities were advised to look at their compliance programs, re-evaluate and make necessary updates on a regular basis. According to OCR, ongoing policy review and revision is a compliance requirement…” [Mintz Levin]
