On December 17, 2020, the Office for Civil Rights (OCR) published its Health Insurance Portability and Accountability Act (HIPAA) Industry Audit Report findings.
In 2016 and 2017, OCR notified selected covered entities and business associates that they had been chosen for its Phase 2 HIPAA compliance audits. OCR audited 166 covered entities and 41 business associates to assess the processes they use to protect the privacy and security of protected health information (PHI). The stated goal was to share the results with the industry and provide guidance by identifying strengths and weaknesses in the processes reviewed during the audits.
OCR Audit Findings
The Department of Health and Human Services (HHS) OCR released the full “2016-2017 HIPAA Audits Industry Report.” At a basic level, the findings support OCR’s current investigational focus: preventing hacking incidents and enforcing the patient’s Right of Access.
Here are the higher-level OCR HIPAA Audit findings:
- Most covered entities met the timeliness requirements for providing breach notification to individuals.
- Most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website.
- Most covered entities failed to provide all of the required content for a Notice of Privacy Practices.
- Most covered entities failed to include all of the content required by the Breach Notification Rule in their notifications to individuals.
- Most covered entities failed to properly implement the individual right of access requirements, such as acting on a request within 30 days and charging only a reasonable, cost-based fee.
- Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.
Why Should I Care?
- OCR released a Notice of Proposed Rulemaking (NPRM) on December 10, 2020 that proposes shortening the time a covered entity has to respond to a patient’s request for access to their PHI from 30 days to 15 days.
- Since August 2020, OCR has continued announcing enforcement actions under its HIPAA Right of Access Initiative and has now reached its thirteenth; most cite failure to meet the 30-day requirement. Timely access to records, especially during the Public Health Emergency (PHE), is critical to quality care.
- Since August 2020, OCR has also announced at least five security-related enforcement actions citing non-compliance with portions of the HIPAA Security Rule, in particular the Security Risk Analysis and Security Management Process requirements.
What Should You do?
- Conduct a Security Risk Analysis of your enterprise, regardless of size, either in-house or with a qualified consultant. Keep in mind that recent Telehealth and remote workforce expansions have widened the attack surface and introduced new data security risks that an older risk analysis will not cover.
- Ensure processes and technologies are in place to both detect and prevent system intrusions. Many organizations focus on detection alone; adding intrusion prevention controls can reduce the impact of an attack, although prevention is not a substitute for detection and response.
- Establish a routine HIPAA security audit process that reviews logs of system and network activity for signs of attack or unauthorized access to PHI, whether from external or internal sources.
- Review staff training materials to confirm they reflect each workforce role and its rights and access levels, so that users are trained only for the access they actually need. Insider threats remain one of the highest risks to data systems.
- Consider penetration or intrusion testing to identify software vulnerabilities and paths by which an external attacker could reach your data. Testing cannot guarantee that data is inaccessible, but it surfaces weaknesses before an attacker finds them.
LW Consulting, Inc.’s (LWCI) experienced professionals conduct HIPAA Security Risk Analyses and also train clients to perform these functions independently. To learn more about our cost-effective, self-paced Security Risk Analysis product, HIPAA SP3: HIPAA Security Policies and Procedures Package, visit our LWCI Learning Center.
Not sure where to start with your Security Risk Analysis? Contact Deborah Alexander at 717-213-3122 or email DAlexander@LW-Consult.com.