The Office for Civil Rights (“OCR”) within the U.S. Department of Health and Human Services, the federal agency that enforces the HIPAA Privacy, Security, and Breach Notification Rules, recently released its preliminary results for Covered Entities participating in its Phase 2 HIPAA compliance audit program. Overall, the audit shows significant compliance gaps for the entities audited.
While the Phase 2 audits examined Covered Entities and Business Associates, the preliminary results are limited to the 166 audited Covered Entities. The audits of Business Associates, 41 in total, are still in progress. The vast majority of Covered Entities audited (90%) were healthcare providers, and the rest were health plans or healthcare clearinghouses.
The 166 Covered Entities surveyed were broken up into two groups. There were 103 Covered Entities reviewed for privacy and breach notice compliance and another 63 assessed on security compliance efforts.