ARTICLE
21 January 2021

Learning From The Mistakes Of Others: OCR Releases Audit Report

SM
Sheppard, Mullin, Richter & Hampton LLP

Contributor

Sheppard, Mullin, Richter & Hampton LLP logo
Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.
Explore Firm Details
The HHS Office for Civil Rights released, at the end of last year, findings from audits it conducted in 2016 and 2017 of 166 covered entities and 41 business associates.
United States Privacy
Liisa M. Thomas and Susan Ingargiola
Your Author LinkedIn Connections
Liisa M. Thomas’s articles from Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • with Inhouse Counsel

The HHS Office for Civil Rights released, at the end of last year, findings from audits it conducted in 2016 and 2017 of 166 covered entities and 41 business associates. The report represents the periodic audit that the Department of Health and Human Services must periodically conduct of covered entities and business associates for compliance with the requirements of HIPAA and the HITECH Privacy, Security, and Breach Notification Rules. There are many practical take-aways for businesses from the OCR's report.

OCR concluded that most covered entities and business associates met the timeliness requirements for providing breach notification to individuals, and most covered entities (that maintained a website about their customer services or benefits) also satisfied the requirement to prominently post their Notice of Privacy Practices on their website. However, OCR also found that most covered entities and business associates failed to meet the requirements for other selected provisions in the audit. Covered entities and business associates can keep these findings in mind as they build out and review their privacy and security measures. Concerns raised by OCR included, among others, that the entities failed to:

  • Properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of PHI within 30 days of receiving a request and only charging a reasonable cost-based fee for access.
  • Implement the HIPAA Security Rule requirements for risk analysis and risk management.
  • Satisfy regulatory content requirements for breach notification letters (e.g. failing to include a description of the electronic personal health information (ePHI) breached and steps individuals can take to protect themselves from additional harm).

Putting it Into Practice:  As HIPAA covered entities and business associates enter the new year, they can use the report as a tool to enhance their awareness of their HIPAA compliance obligations. Steps to consider include access rights, risk management, and including correct content in breach notices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Liisa M. Thomas
Liisa M. Thomas
Photo of Susan Ingargiola
Susan Ingargiola
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More