The office for Civil Rights gathered information at the end of 2020 that is important for any covered entity or business associate that operates under HIPAA guidelines. Summarized in the U.S. Health and Human Service (HHS) HIPAA Audits Industry Report, this data should be regarded as a useful tool for any business that deals with HIPAA, and one that they can learn from.
While the report was just released, it is related to the 166 covered entities and 41 business associates with regard to HIPAA compliance and selected provisions that were audited in 2016 and 2017.
The good news is that the OCR found most of these successfully met the timeliness requirements in reporting breaches to individuals and also in prominently posting the Notice of Privacy Practices (NPP) on their websites. Where they failed was with regard to meeting the provisions that safeguarded the patient’s protected health information (PHI), providing appropriate content in the aforementioned NPP, and ensuring the individual right of access. In fact, 89% of covered entities failed to show this adequately. Additionally, they failed to “implement the HIPAA Security Rule requirements for risk analysis and risk management.”
With tools in place to assist these entities in complying with HIPAA, including online resources and guidance, there is likely little reason to overlook the occurrence of a breach that results in lack of preparation or attempted compliance. While having a full-time individual within a small business is sometimes not feasible to oversee HIPAA compliance, there are options available that would assist in meeting these needs to avoid fines and failures, in addition to securing your business.
Despite the pandemic bringing uncertainty and some confusion to 2020, the OCR remained diligent in its efforts to enforce HIPAA. They provided guidance on how to handle COVID-19 related issues that were focused on protected health information (PHI) and also issued an FAQ for telehealth providers so effective and protected treatment could continue despite the changing landscape.
If you are providing guidance for healthcare providers and business associates, the OCR has given you a tool that establishes best practices for creating an IT inventory list. This is essential when it comes to understanding the whereabouts of electronic protected health information (ePHI) and how to maintain that under HIPAA law. Additionally, there are resources for mobile health technology and guidelines that review the regulations for hospitals and health systems that want to donate cybersecurity technology to physician practices.
This overview of available information that includes investigations into failures and fines (and how they were broken down), as well as resources and tools available to you as a member of the healthcare industry (either directly or in a support role), only emphasize that despite a year of uncertainty, the OCR’s commitment to strong human cybersecurity practices along with HIPAA compliance remains certain.