OCR Audits Reveal Dismal Performance

For well over a year, the Office for Civil Rights (OCR) has been public about its top seven priorities in HIPAA compliance. The priorities were developed from OCR’s first phase of desk audits in 2016. The Phase 2 Audits were finished recently, and the preliminary results are profoundly disappointing. Two areas where entities drastically failed stand out – an individual’s Right of Access to their protected health information, and Security Management. OCR's full summary regarding all seven areas is here.

Seven Deadly Sins, Seven Simple Solutions

Our HIPAA expert, Paul Hales, J.D., has spoken frequently on the top priorities over the past year in an effort to help covered entities and business associates learn from OCR’s guidance. The HIPAA E-Tool® software contains policies and procedures to address all of them. The secret to HIPAA is that the rules are easy to follow step-by-step once you know the steps.

Although there are seven priorities, they fall into four categories, illustrated below:

[Figure: the four categories of OCR priorities]

Unfortunately, although these hot buttons have been publicized, it appears that covered entities and business associates have not gotten the message, or are slow in finding solutions.

Right of Access

A central principle of HIPAA law is the individual’s Right of Access to their own health information, but fewer than 1% (1 out of 103) had it right. Ten entities substantially met the requirements, but a whopping 65 of them (63%) had made no or negligible efforts toward compliance.

[Figure: Right of Access results, pie chart with percentages]

How can that be? One theory is that health care providers confuse the Authorization with the Right of Access, and are requiring patients to submit an Authorization form, a more cumbersome process.

The U.S. Department of Health and Human Services (HHS) warned in guidance published in 2016 that requiring an Individual to execute an Authorization in order to exercise his or her Right of Access may create an impermissible obstacle. See: Individuals’ Right under HIPAA to Access their Health Information, 45 CFR § 164.524. HHS explained the significant differences between a Disclosure of PHI to an Individual under the Right of Access, which is required by the Privacy Rule, and a Disclosure by valid HIPAA Authorization, which is permitted by the Privacy Rule. Forms for both are contained in The HIPAA E-Tool® and are specifically designed and developed from the Privacy Rule Standard.

Risk Analysis and Risk Management

Even more surprising is how poorly covered entities are faring in Risk Analysis and Risk Management, both of which have been mandatory for covered entities since 2005. The Anthem health care data breach in January 2015, which exposed 78.8 million individuals’ protected health information, should have been a wake-up call. Almost three years later, the level of noncompliance in security is astounding.

No entities were found to be in full compliance with the Risk Analysis rules. Thirteen percent were found to be substantially in compliance and the remaining 87% had made minimal to no efforts toward compliance.

[Figure: Risk Analysis results, pie chart with percentages]

Unsurprisingly, the Risk Management results are similar, if a little worse. Of the 63 entities audited, only one was in compliance; three were substantially in compliance, but the remaining 59 (93%) had made minimal to no efforts toward compliance. See below.

[Figure: Risk Management results, pie chart with percentages]

The HIPAA E-Tool® contains an easy-to-use interactive Risk Analysis module that securely saves and archives data as it is completed. Scalable to the organization’s size, it works for one or multiple locations. Designed for use by on-staff practice managers and compliance and IT personnel, it fosters an internal culture of compliance and saves the unnecessary expense of outside consultants. As the Risk Analysis is completed, it populates a Risk Management Plan with inventories, tasks, and the staff responsible for carrying out the Plan. The beginning page is below.

[Figure: screenshot of the Risk Analysis - Risk Management module's beginning page]

If you suspect your organization needs guidance, take a look at The HIPAA E-Tool®. The most legally rigorous and complete HIPAA compliance product available, it contains every policy, procedure and form needed for full compliance and is always up-to-date, with step-by-step instructions in plain language that allow you to take control and comply with HIPAA. Privacy, Security, Breach Notification, and Risk Analysis - Risk Management are all covered, and it links to the 180 HHS Audit Protocols to guide you through an audit.

For other information, including a snapshot of results from the other four topics, see the blog by our respected colleague Margaret Scavotto, J.D., CHC, President of Management Performance Associates.