February 28, 2021

Volume XI, Number 59


February 26, 2021


Learning from the Mistakes of Others: OCR Releases Audit Report

The HHS Office for Civil Rights released, at the end of last year, findings from audits it conducted in 2016 and 2017 of 166 covered entities and 41 business associates. The report represents the periodic audit that the Department of Health and Human Services must conduct of covered entities and business associates for compliance with the requirements of HIPAA and the HITECH Privacy, Security, and Breach Notification Rules. There are many practical take-aways for businesses from the OCR’s report.

OCR concluded that most covered entities and business associates met the timeliness requirements for providing breach notification to individuals, and most covered entities (that maintained a website about their customer services or benefits) also satisfied the requirement to prominently post their Notice of Privacy Practices on their website. However, OCR also found that most covered entities and business associates failed to meet the requirements for other selected provisions in the audit. Covered entities and business associates can keep these findings in mind as they build out and review their privacy and security measures. Concerns raised by OCR included, among others, that the entities failed to:

  • Properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of PHI within 30 days of receiving a request and only charging a reasonable cost-based fee for access.

  • Implement the HIPAA Security Rule requirements for risk analysis and risk management.

  • Satisfy regulatory content requirements for breach notification letters (e.g., failing to include a description of the electronic personal health information (ePHI) breached and the steps individuals can take to protect themselves from additional harm).

Putting it Into Practice: As HIPAA covered entities and business associates enter the new year, they can use the report as a tool to enhance their awareness of their HIPAA compliance obligations. Steps to consider include access rights, risk management, and including correct content in breach notices.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 19



About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Susan Ingargiola is an associate in the Corporate Practice Group in the firm's New York office.

Areas of Practice

Susan advises healthcare organizations, including hospitals, health systems, insurers, community health centers, health information exchange organizations, pharmaceutical and biotechnology companies, and mobile app developers on health information privacy issues, including compliance with HIPAA and state medical record confidentiality laws, as well as other compliance-related matters. She conducts regulatory diligence in connection with...