May 26, 2022

Volume XII, Number 146

Key Findings & Takeaways from OCR HIPAA Audit Findings

The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services recently published its findings from audits conducted in 2016 and 2017 of covered entities’ and business associates’ compliance with selected provisions of HIPAA's Privacy, Breach Notification, and Security Rules. The audits included health care providers, health plans, health care clearinghouses, and business associates. In short, OCR found material noncompliance with HIPAA’s Notice of Privacy Practices (NPP), right of access, breach notification, and security risk analysis and risk management requirements.

Key findings from the report include:

  • Content of NPP. Of the covered entities audited, only 2% fully met the content requirements of a valid NPP. Most covered entities failed to provide required content related to individual rights or, in some cases, failed to provide an NPP written in plain language.

  • Prominently Posted NPP. Most covered entities met the requirement to post their NPP prominently on their website. Still, some covered entities failed to meet the "prominently posted" requirement by not posting the NPP directly on, or accessible from, the homepage, or in some cases by using hyperlinks that could confuse the individual, such as hyperlinks titled "policy" or "HIPAA," or multiple hyperlinks titled "Privacy Policy" that led a user to two different privacy guidelines.

  • Right of Access. Covered entities are required to provide individuals with access to the protected health information (PHI) the covered entity maintains about the individual in a designated record set. However, almost all covered entities failed to show that they were correctly implementing procedures to ensure the right of access. OCR found recurring themes in its audit, including inadequate documentation of access requests and insufficient, inadequate, or incorrect policies related to providing access, and in some cases no such policies at all.

  • Breach Notification Rule. A majority of covered entities audited issued breach notifications to individuals within the 60-calendar-day regulatory timeframe provided by the HIPAA Breach Notification Rule. However, most covered entities sent notification letters to individuals that were missing required content. OCR noted that the most frequently omitted required content was a description of the types of unsecured PHI involved in the breach, the steps the individual should take to protect themselves from potential harm caused by the breach, adequate contact information, and an explanation of the entity's investigation and mitigation activity.

  • Security Risk Analysis. OCR found that less than 20% of covered entities and business associates audited fulfilled their regulatory responsibilities to safeguard electronic PHI (ePHI) through risk analysis activities. OCR noted that covered entities and business associates generally failed to identify and assess the risks for all ePHI, develop and implement policies and procedures for conducting a risk analysis, identify threats and vulnerabilities in light of their potential impact to ePHI, review and periodically update a risk analysis in response to changes or events which may impact ePHI, and conduct a risk analysis consistent with policies and procedures.

  • Risk Management Standards. OCR found that because both covered entities and business associates failed to conduct appropriate risk analyses, as discussed above, they were then unable to connect their security plans to the management of identified risks. An overwhelming percentage of covered entities (94%) and business associates (88%) failed to implement appropriate risk management activities.

The areas audited above are likely to draw closer scrutiny from investigators during breach and individual complaint investigations. Therefore, covered entities and business associates should audit their privacy policies and practices and, at a minimum, consider the following takeaways from OCR's audit findings:

  • NPPs must contain all required elements, including, among other requirements, the elements regarding individual rights, and be written in plain language. Covered entities should review the model NPPs on OCR’s website for guidance.

  • NPPs should be easily accessible and prominently posted on the covered entity's website. Best practices include providing a link on the homepage that is clearly identified as the HIPAA Notice of Privacy Practices; ensuring that the links function and direct the individual to the appropriate privacy guidelines; and ensuring that the NPP identifies the correct covered entity that maintains the website or, where separate covered entities participate in an organized health care arrangement, that a joint notice is provided that clearly and specifically describes the covered entities, or class of covered entities, to which the joint notice applies.

  • Review individual right of access documentation, policies, and procedures to evidence and improve the individual records request process. The audit report comes at the tail end of a year that saw OCR vigorously enforce individuals' rights to access and exercise control over their medical records. Right of access compliance will continue to receive attention, as OCR recently issued a Notice of Proposed Rulemaking to revise the HIPAA Privacy Rule, which seeks, among other revisions, to expand the right of access. Therefore, covered entities and business associates can expect OCR to continue enforcing against infringements of an individual's right to access their health information in 2021. For covered entities and business associates seeking additional assistance, the Office of the National Coordinator for Health Information Technology has developed aids addressing this specific issue, such as Improving the Health Records Process for Patients.

  • Breach notification letters must be written in plain language and include: a brief description of the breach, including the dates the breach is believed to have occurred and the date the breach was discovered; a description of the PHI involved in the breach; any steps individuals should take to protect themselves from potential harm resulting from the breach; a description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity or business associates, as applicable.

  • Conduct a security risk analysis of the potential risks and vulnerabilities to ePHI. Whether conducting the analysis internally or through a third-party vendor, covered entities and business associates are responsible for maintaining an appropriate and current risk analysis consistent with policies, procedures, and changes in the environment, operations, or security incidents. OCR provides helpful resources and links for covered entities and business associates seeking guidance on risk analyses.

  • Implement appropriate risk management strategies. Covered entities and business associates must use their security risk analysis findings to inform their security plans and link those plans to the management of identified risks. In an attempt to promote and incentivize compliance with the Security Rule, Congress has proposed legislation that would effectively create a safe harbor by amending the HITECH Act to require OCR to take into account whether a covered entity or business associate has met recognized security standards when making determinations regarding enforcement and regulatory actions.

© 2022 Foley & Lardner LLP

National Law Review, Volume XI, Number 15

About this Author

Jennifer L. Urban Data Security Attorney Foley & Lardner Milwaukee, WI

Jennifer L. Urban (formerly Rathburn) is a partner with Foley & Lardner LLP. Jennifer focuses her practice on counseling clients on data protection programs, data incident management, breach response and recovery, monetization of data and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their data.

As a member of the firm’s Technology Transactions & Outsourcing...

Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

Aaron T. Maguregui Health Care Attorney Foley & Lardner Tampa, FL
Special Counsel

Aaron Maguregui is a health care lawyer and member of the firm’s Privacy, Security & Information Management Practice, and national Telemedicine & Digital Health Industry Team. He advises innovative health care and technology companies to solve complex compliance, cybersecurity, data governance, data privacy, and risk management matters. Working with leading health care insurers, government-sponsored managed care organizations, health care providers, and technology companies, he delivers pragmatic legal advice and action-oriented solutions guidance to help clients reach their goals...