The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has released a report of its Phase 2 audits of HIPAA rules conducted in 2016 and 2017. Among other findings, OCR said that most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.
In 2016 and 2017, OCR conducted audits of 166 covered entities and 41 business associates regarding compliance with selected provisions of the HIPAA Rules.
OCR’s Phase 1 audits conducted in 2012 included comprehensive on-site audits of covered entities’ documentation and implementation of the HIPAA Rules. For Phase 2, between 2016 and 2017, OCR focused on testing the utility and cost effectiveness of desk audits of HIPAA covered entities’ and business associates’ compliance with selected provisions of the HIPAA Rules.
The 166 audited covered entities, chosen randomly, submitted lists of all their business associates, which OCR combined to create a pool of business associates. OCR chose 41 business associates through a randomized selection from this pool. A wide range of healthcare providers were represented including practitioners, pharmacies, hospitals, health systems, skilled nursing facilities, and elder care facilities.
Based on its findings, OCR concluded that most covered entities met the timeliness requirements for providing breach notification to individuals, and most covered entities that maintained a website about their customer services or benefits also satisfied the requirement to prominently post their Notice of Privacy Practices (NPP) on their website.
However, OCR also found that most covered entities failed to meet the requirements for other selected provisions in the audit, such as adequately safeguarding protected health information (PHI), ensuring the individual right of access, and providing appropriate content in their NPP.
Generally, covered entities demonstrated compliance in two of the seven areas audited: (1) timeliness of breach notification and (2) prominent posting of NPP on their websites. Covered entities generally attempted to comply with the individual access and content of breach notification provisions, OCR said, but 89 percent (access) and 67 percent (notification content) failed to document adequate compliance. Almost all covered entities audited failed to show they were correctly implementing the individual right of access. OCR said certain themes recurred in their documentation, including inadequate documentation of access requests and the lack of a clear reasonable cost-based fee policy or application of blanket fees in violation of the standard.
Consistent with the findings of the Phase 1 audits, covered entities still struggle to implement the Security Rule’s requirements of risk analysis and risk management.
The audits confirmed that small percentages of covered entities (14 percent) and business associates (17 percent) are substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities. Entities generally failed to:
• Identify and assess the risks to all of the ePHI in their possession.
• Develop and implement policies and procedures for conducting a risk analysis.
• Identify threats and vulnerabilities, consider their potential likelihoods and impacts, and rate the risk to ePHI.
• Review and periodically update a risk analysis in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
• Conduct risk analyses consistent with policies and procedures.
Failing to document any efforts to develop, maintain and update policies and procedures, and to use them to conduct risk analyses, was common, OCR said.
Many entities utilize and rely on outside agencies to manage or perform risk analyses for their organizations; however, these companies frequently failed to meet the requirements. Entities incorrectly assumed that a purchased security product satisfied all Security Rule requirements. The responsibility to maintain an appropriate risk analysis rests with the entity, OCR stressed. “It is essential that entities understand and comply with risk analysis requirements in order to appropriately safeguard PHI.”
Because the audited entities largely failed to conduct appropriate risk analyses, they were then unable to link their security plans to management of identified risks. Some entities had identified risks but failed to respond and implement appropriate security measures. Ninety-four percent of covered entities and 88 percent of business associates failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
The policies and procedures provided in support of the risk analysis and risk management requirements indicate that entities misunderstood the importance of determining acceptable levels of risk, which specific vulnerabilities applied to their environment, and how to mitigate the risks or vulnerabilities to ePHI throughout their organization.
In some instances, encryption was included as part of a remediation plan, but was not carried out or was not implemented within a reasonable timeframe.
OCR noted that one entity had implemented an appropriate risk management plan in 2013, but failed to conduct any updates since that time.
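The risk analysis steps listed above (identify the ePHI assets, identify threats and vulnerabilities, rate likelihood and impact, compare against an acceptable level, review periodically) and the risk management failures that follow (identified risks with no implemented measure, planned encryption never carried out, an analysis last updated in 2013) map naturally onto a small risk register. The following is an added example written for this article; it is not code from OCR or from any audited entity, and the clinic, assets, scores, acceptable level and dates are constructed for illustration. It rates each risk as likelihood times impact, flags risks above the entity's own acceptable level that have no implemented safeguard, lists remediation that was planned but never carried out, and reports whether the analysis itself is older than a review interval the entity chooses.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

SCALE = range(1, 6)  # 1 = rare/negligible ... 5 = almost certain/severe (constructed scale)


@dataclass
class Risk:
    """One row of the register: an ePHI asset, a threat/vulnerability pair, and its rating."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    measures: list[str] = field(default_factory=list)   # safeguards actually implemented
    planned: list[str] = field(default_factory=list)    # remediation not yet carried out

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class RiskAnalysis:
    performed_on: date        # date the analysis was last performed or updated
    acceptable_score: int     # entity-defined acceptable level of residual risk
    risks: list[Risk]


def unmanaged_risks(analysis: RiskAnalysis) -> list[Risk]:
    """Risks rated above the acceptable level with no implemented safeguard."""
    return [r for r in analysis.risks
            if r.score > analysis.acceptable_score and not r.measures]


def uncompleted_remediation(analysis: RiskAnalysis) -> list[tuple[str, str]]:
    """Planned measures (e.g. encryption) that were never carried out."""
    return [(r.asset, m) for r in analysis.risks for m in r.planned]


def analysis_is_stale(analysis: RiskAnalysis, today: date, max_age_days: int = 365) -> bool:
    """True when the analysis has not been updated within the review interval."""
    return (today - analysis.performed_on).days > max_age_days


def review(analysis: RiskAnalysis, today: date) -> dict:
    """Summarise the register the way an internal reviewer would before an audit."""
    return {
        "stale": analysis_is_stale(analysis, today),
        "unmanaged": [r.asset for r in unmanaged_risks(analysis)],
        "not_carried_out": uncompleted_remediation(analysis),
        "highest_score": max(r.score for r in analysis.risks),
    }


def build_sample_analysis() -> RiskAnalysis:
    """Constructed register for a hypothetical clinic; mirrors the audit findings."""
    return RiskAnalysis(
        performed_on=date(2013, 6, 1),   # never updated since, as in the OCR finding
        acceptable_score=9,
        risks=[
            Risk("EHR database", "ransomware delivered by phishing",
                 "unpatched clinical workstations", likelihood=4, impact=5,
                 planned=["full-disk encryption of clinician laptops"]),
            Risk("backup media", "loss of tapes in transit",
                 "tapes stored unencrypted", likelihood=2, impact=5,
                 measures=["backups encrypted before leaving the site"]),
            Risk("patient portal", "credential stuffing",
                 "no multi-factor authentication", likelihood=3, impact=3),
        ],
    )


if __name__ == "__main__":
    report = review(build_sample_analysis(), today=date(2017, 1, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed register, the review reports the analysis as stale, the EHR database as an identified risk above the acceptable level with nothing implemented, and the laptop encryption as planned but not carried out; the patient-portal risk scores exactly at the acceptable level and is therefore not flagged, which is the point of the entity having defined that level in the first place.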