OCR Releases HIPAA Audits Industry Report

Analysis | By Revenue Cycle Advisor | December 22, 2020

Specific to the right of access provision, OCR found that 89% of audited CEs failed to meet standards. 

A version of this article was first published December 22, 2020, by HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders.

The Office for Civil Rights (OCR) on December 17 released its 2016-2017 HIPAA audits industry report, providing an overview of how selected covered entities (CE) and business associates (BA) complied with certain provisions of the HIPAA privacy, security, and breach notification rules.

OCR conducted audits of 166 CEs and 41 BAs to compile the report. In a summary of the report, OCR concluded that most CEs met the timeliness requirements for providing breach notification to individuals and prominently posted their notice of privacy practice (NPP) on their websites.

However, OCR determined that most of the CEs audited failed to meet other requirements, such as adequately safeguarding protected health information (PHI), ensuring individual right of access, and providing appropriate content of their NPP. In addition, OCR found that most CEs and BAs failed to implement the HIPAA security rule requirements for risk analysis and risk management.

Specific to the right of access provision, OCR found that 89% of audited CEs failed to meet standards. Recurring themes in their documentation included the following:

  • Inadequate documentation of access requests.
  • Insufficient evidence of policies for individuals to request and obtain access to PHI. For example, one entity provided a form used by patients to name an authorized representative as its access policy.
  • Inadequate or incorrect policies and procedures for providing access.
  • Lack of a clear reasonable cost-based fee policy or application of blanket fees in violation of the standard.
  • Failure to maintain policies and procedures requiring a timely written denial and the basis for denying an access request.
  • NPP did not correctly describe individual rights.
  • NPP did not identify or incorrectly identified the patient’s right to timely access (i.e., within 30 days of request unless an extension is provided). Many covered entities stated incorrectly that the entity had 60 days, instead of 30 days, to respond to requests.

In a press release, OCR director Roger Severino noted that enforcement initiatives will continue “until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

In 2020, OCR settled 12 cases as part of its HIPAA right of access initiative.
