
OCR: Healthcare HIPAA Compliance Report Finds PHI Security Failures

While many covered entities and business associates met HIPAA-required breach notification compliance requirements, an OCR audit revealed a host of PHI security failures for most providers.

The Department of Health and Human Services Office for Civil Rights released an audit report on HIPAA compliance in the sector from 2016 to 2017 based on reviews of selected healthcare covered entities and business associates, which revealed several protected health information security failures.

Under HITECH, HHS is required to periodically conduct audits on industry compliance with the HIPAA rules. For its latest report, OCR conducted reviews of 166 covered entities and 41 business associates, which have been notified of the agency’s findings.

“The audits gave OCR an opportunity to examine mechanisms for compliance, identify promising practices for protecting the privacy and security of health information, and discover risks and vulnerabilities that may not have been revealed by OCR’s enforcement activities,” according to the report.

“Through the information gleaned from the audits, OCR has developed, and will continue to develop, tools and guidance to assist the industry in compliance, self-evaluation, and preventing breaches,” it added.

OCR’s auditing process included comprehensive on-site reviews of documentation and of how the HIPAA Rules were implemented at the audited entities. Phase two of the program focused on testing the utility and cost effectiveness of desk audits and on compliance with selected provisions of the HIPAA Rules.

The report sheds light on overall compliance with HIPAA, reporting positive findings on a few key requirements alongside a host of privacy and security concerns.

The good news: most covered entities that maintained a website about their customer services or benefits met the HIPAA requirement to prominently post a notice of privacy practices on the site.

And many of the audited providers met the timeliness requirement for notifying affected individuals of a breach. Under HIPAA, breached entities must notify impacted patients without unreasonable delay and no later than 60 days after discovering the incident.

Those two requirements, however, were the only ones most covered entities met: of the seven areas audited, most demonstrated compliance in just two.

Overall, OCR found a range of security failures among the audited covered entities, most of which failed to meet the requirements of the other selected provisions.

Namely, most covered entities failed to adequately safeguard protected health information, in addition to failing to ensure an individual’s right to access their health data. HHS has made the HIPAA Right of Access a key priority for enforcement efforts in the last year.

In fact, 89 percent of the audited entities failed to comply with the right of access requirements. Another 67 percent failed to include the required content in their breach notifications or to adequately document their compliance.

The audit also found that 98 percent of providers failed to include the required content in their Notice of Privacy Practices, with two-thirds either not complying at all or making only minimal or negligible efforts to comply with the rule.

The most common NPP failure involved the requirement that the notice be written in plain language.

“Business associates achieved audit ratings similar to those achieved by covered entities in security risk analysis and risk management,” according to the report. “Most of the audited business associates (32 of 41) reported not having experienced any breaches of unsecured PHI.”

“The audit results of business associates that had experienced a breach primarily identified minimal or negligible efforts to address audited requirements,” it added.

But perhaps most concerning, OCR determined that most covered entities and business associates did not comply with the HIPAA Security Rule provisions that require entities to conduct an accurate and thorough risk analysis and to carry out ongoing risk management.

Given the sophistication of today’s threats, the sector’s reliance on legacy platforms, and the sheer volume of targeted attacks against healthcare, failing to perform adequate, routine risk analyses leaves the front door wide open to threat actors.

What’s worse is that HHS already offers a range of free support tools for these crucial tasks, including a security risk assessment tool, model notices of privacy practices from OCR, and OCR guidance on complying with the risk analysis requirement under HIPAA.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino, in a statement.

“We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records,” he added.

Reviewing the audit report can help covered entities and business associates strengthen their own HIPAA compliance, and its account of the OCR auditing process can guide efforts to bolster privacy and security practices across the enterprise.
