The Office for Civil Rights (“OCR”) within the U.S. Department of Health and Human Services, the federal agency that enforces the HIPAA Privacy, Security, and Breach Notification Rules, recently released its preliminary results for Covered Entities participating in its Phase 2 HIPAA compliance audit program.  Overall, the audit shows significant compliance gaps for the entities audited.

While the Phase 2 audits examined Covered Entities and Business Associates, the preliminary results are limited to the 166 audited Covered Entities.  The audits of Business Associates, 41 in total, are still in process.  The vast majority of Covered Entities audited (90%) were healthcare providers and the rest were health plans or healthcare clearinghouses.

The 166 Covered Entities surveyed were broken up into two groups.  There were 103 Covered Entities reviewed for privacy and breach notice compliance and another 63 assessed on security compliance efforts.

OCR identified a number of areas of significant gaps in HIPAA privacy, breach reporting, and security compliance.  According to OCR, the content of notices of privacy practices was significantly deficient (receiving a score of 3, 4, or 5, with 5 being the lowest) in 65% of entities analyzed.  Scoring on a patient’s right of access to his or her health information was even worse, with 89% of entities rated as inadequate.  The results for the breach notice and security provisions were little better.  The full report can be accessed here.

These preliminary results of the OCR Phase 2 Audit of Covered Entities point to critical areas in need of improvement for the healthcare community.  OCR will use these findings to identify areas for technical assistance and will consider the results when designing its permanent audit program.  OCR has also stated that it may open a compliance review if an entity demonstrates “significant” deficiencies during the audit process.

With large-scale privacy and security breaches becoming an almost daily headline, continually monitoring and reviewing one’s privacy and security program is a must.  Venable’s healthcare practice team has a wealth of knowledge and experience guiding organizations through HIPAA audits and compliance reviews, the implementation of robust privacy and security practices, and incident response.  Reach out to a member of our team to discuss these audit results and how your organization can be fully prepared.