The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services recently published its findings from audits conducted in 2016 and 2017 of covered entities' and business associates' compliance with selected provisions of HIPAA's Privacy, Breach Notification, and Security Rules. The audits included health care providers, health plans, health care clearinghouses, and business associates. In short, OCR found material noncompliance with HIPAA's Notice of Privacy Practices (NPP), right of access, breach notification, and security risk analysis and risk management requirements.
Key findings from the report include:
- Content of NPP. Of the covered entities audited, only 2% fully met the content requirements of a valid NPP. Most covered entities failed to provide required content related to individual rights or, in some cases, failed to provide an NPP written in plain language.
- Prominently Posted NPP. Most covered entities met the requirement to post their NPP prominently on their website. Still, some covered entities failed to meet the "prominently posted" requirement by failing to post the NPP directly on, or accessible from, the homepage, or in some cases by using hyperlinks that could confuse the individual, such as hyperlinks titled "policy" or "HIPAA," or multiple hyperlinks titled "Privacy Policy" that would connect a user to two different privacy guidelines.
- Right of Access. Covered entities are required to provide individuals with access to the protected health information (PHI) the covered entity maintains about the individual in a designated record set. However, almost all covered entities failed to show that they were correctly implementing procedures to ensure the right of access. OCR found recurring themes in its audit, including inadequate documentation of access requests and insufficient, inadequate, incorrect, and in some cases nonexistent policies related to providing access.
- Breach Notification Rule. A majority of covered entities audited issued breach notifications to individuals within the 60-calendar-day regulatory timeframe provided by the HIPAA Breach Notification Rule. However, most covered entities submitted notification letters to individuals that were missing required content. OCR noted that the most frequently omitted required content was a description of the types of unsecured PHI involved in the breach, steps the individual should take to protect themselves from potential harm caused by the breach, adequate contact information, and an explanation of the entity's investigation and mitigation activity.
- Security Risk Analysis. OCR found that less than 20% of covered entities and business associates audited fulfilled their regulatory responsibilities to safeguard electronic PHI (ePHI) through risk analysis activities. OCR noted that covered entities and business associates generally failed to identify and assess the risks for all ePHI, develop and implement policies and procedures for conducting a risk analysis, identify threats and vulnerabilities in light of their potential impact to ePHI, review and periodically update a risk analysis in response to changes or events which may impact ePHI, and conduct a risk analysis consistent with policies and procedures.
- Risk Management Standards. OCR found that because both covered entities and business associates failed to conduct appropriate risk analyses, as discussed above, they were then unable to connect their security plans to the management of identified risks. An overwhelming percentage of covered entities (94%) and business associates (88%) failed to implement appropriate risk management activities.
The areas audited above are likely to draw closer scrutiny from investigators during breach and individual complaint investigations. Therefore, covered entities and business associates should audit their privacy policies and practices and, at a minimum, consider the following takeaways from OCR's audit findings:
- NPPs must contain all required elements, including, among other requirements, the elements regarding individual rights, and be written in plain language. Covered entities should review the model NPPs on OCR's website for guidance.
- NPPs should be easily accessed and prominently posted on the covered entity's website. Best practices include providing a link on the homepage that is clearly identified as the link to the HIPAA Notice of Privacy Practices; ensuring that the links function and direct the individual to the appropriate privacy guidelines; and ensuring that the NPP identifies the correct covered entity that maintains the website or, in the event that separate covered entities participate in an organized health care arrangement, that a joint notice is provided that clearly describes with specificity the covered entities, or class of covered entities, to which the joint notice applies.
- Review individual rights of access documentation, policies, and procedures to evidence and improve the individual records request process. The audit report comes at the tail end of a year that saw OCR vigorously enforce individuals' rights to access and exercise control over their medical records. Right of access compliance will continue to receive attention, as OCR recently issued a Notice of Proposed Rulemaking to revise the HIPAA Privacy Rule, which seeks, among other revisions, to expand the right of access. Therefore, covered entities and business associates can expect OCR's enforcement against infringements of an individual's right to access their own health information to continue in 2021. For covered entities and business associates seeking additional assistance, the Office of the National Coordinator for Health Information Technology has developed aids addressing this specific issue, such as Improving the Health Records Process for Patients.
- Breach notification letters must be written in plain language and include: a brief description of the breach, including the dates the breach is believed to have occurred and the date the breach was discovered; a description of the PHI involved in the breach; any steps individuals should take to protect themselves from potential harm resulting from the breach; a description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity or business associates, as applicable.
- Conduct a security risk analysis of the potential risks and vulnerabilities to ePHI. Whether conducting the analysis internally or through a third-party vendor, covered entities and business associates are responsible for maintaining an appropriate and current risk analysis consistent with policies, procedures, and changes in the environment, operations, or security incidents. OCR provides helpful resources and links for covered entities and business associates seeking guidance on risk analyses.
- Implement appropriate risk management strategies. Covered entities and business associates must use their security risk analysis findings to inform and link their security plans to the management of identified risks. In an attempt to promote and incentivize compliance with the Security Rule, Congress has proposed legislation that would effectively create a safe harbor by amending the HITECH Act to require OCR to take into account whether a covered entity or business associate has met recognized security standards when making determinations regarding enforcement and regulatory actions.
Originally Published by Foley & Lardner, January 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.