ARTICLE
21 January 2021

Learning From The Mistakes Of Others: OCR Releases Audit Report

Sheppard Mullin Richter & Hampton


Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

The HHS Office for Civil Rights (OCR) released, at the end of last year, findings from audits it conducted in 2016 and 2017 of 166 covered entities and 41 business associates. The report documents the periodic audit that the Department of Health and Human Services must conduct of covered entities and business associates to assess compliance with the HIPAA and HITECH Privacy, Security, and Breach Notification Rules. The OCR report offers businesses many practical take-aways.

OCR concluded that most covered entities and business associates met the timeliness requirements for providing breach notification to individuals, and most covered entities (that maintained a website about their customer services or benefits) also satisfied the requirement to prominently post their Notice of Privacy Practices on their website. However, OCR also found that most covered entities and business associates failed to meet the requirements for other selected provisions in the audit. Covered entities and business associates can keep these findings in mind as they build out and review their privacy and security measures. Concerns raised by OCR included, among others, that the entities failed to:

  • Properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of PHI within 30 days of receiving a request and only charging a reasonable cost-based fee for access.
  • Implement the HIPAA Security Rule requirements for risk analysis and risk management.
  • Satisfy regulatory content requirements for breach notification letters (e.g. failing to include a description of the electronic personal health information (ePHI) breached and steps individuals can take to protect themselves from additional harm).

Putting it Into Practice: As HIPAA covered entities and business associates enter the new year, they can use the report as a tool to sharpen their awareness of their HIPAA compliance obligations. Areas to review include the right of access, risk analysis and risk management, and the required content of breach notification letters.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
