In 2016 and 2017, the Department of Health and Human Services (HHS) conducted “desk audits” of 166 covered entities and 41 business associates. These audits focused on selected requirements of HIPAA’s privacy, security and breach notification rules. Although HHS has not yet released its official findings from these audits, it has identified serious compliance gaps in the following areas:

  • Security risk analysis
  • Security risk management
  • Right of access to protected health information (PHI)

It is likely that HHS will issue more tools and guidance in the future to help entities understand their legal obligations and close these compliance gaps.

Employers that sponsor group health plans should periodically review their compliance with the HIPAA rules, including whether their security analysis and risk management for electronic PHI (ePHI) is up to date. Employers should also watch for more guidance from HHS on these compliance requirements.

HIPAA Rules

Privacy Rule

The HIPAA privacy rule requires covered entities (that is, health plans, health care clearinghouses and covered health care providers) to comply with national standards for the protection of PHI. The privacy rule includes the following three main protections for PHI:

  • Use and disclosure rules—The privacy rule limits when an individual’s PHI may be used or disclosed by covered entities;
  • Individual rights—The privacy rule requires covered entities to provide individuals with certain rights with respect to their PHI, including the right to receive a notice of privacy practices (privacy notice) and inspect and receive copies of their own PHI;
  • Administrative safeguards—The privacy rule requires covered entities to develop written privacy procedures and implement appropriate safeguards for PHI.

Security Rule

The HIPAA security rule establishes national standards for securing individuals’ ePHI. These standards require a covered entity to perform a risk analysis as a crucial first step of its security process. During the risk analysis, a covered entity examines the risks and vulnerabilities to ePHI it creates, transmits, receives or maintains. This analysis allows a covered entity to implement an appropriate security management process, which involves specific security measures to prevent, detect, contain and correct security problems.

Breach Notification Rule

The breach notification rule requires covered entities to notify affected individuals following the discovery of a breach of unsecured PHI. Notification must also be provided to HHS and, in some cases, to the media. The breach notifications must include certain information and be provided by specific deadlines (for example, notice to individuals must be provided within 60 days after the breach is discovered).

Audit Findings

During the second phase of its HIPAA audit program, HHS conducted desk audits of 155 covered entities and 41 business associates. Of these covered entities, 90 percent were health care providers, approximately 9 percent were health plans and approximately 2 percent were health care clearinghouses.

Audit Focus and Scores

During these audits, HHS focused on specific requirements of the HIPAA privacy, security and breach notification rules, and requested that the auditees submit documentation demonstrating their compliance. Using the documentation it received, HHS assigned a score from 1 to 5 for each compliance requirement according to the following guidelines:

SCORE   DESCRIPTION
1       Entity is in full compliance with the requirement
2       Entity substantially meets the requirement
3       Entity has made attempts to comply with the requirement, but implementation is inadequate
4       Entity has made negligible efforts to comply with the requirement
5       Entity has made no serious attempt to comply with the requirement

Serious HIPAA Compliance Problems

The most serious compliance problems identified by HHS relate to security risk analysis and security risk management. Out of the 63 entities that were reviewed for security compliance:

  • For security risk analysis, only eight entities scored better than a 3 and approximately 57 percent of the reviewed entities scored a 4 or 5.
  • For security risk management, only four entities scored better than a 3 and approximately 73 percent of the reviewed entities scored a 4 or 5.

Another compliance problem identified by HHS is the requirement to allow individuals to inspect and copy their own PHI upon request. According to HHS, of the 103 covered entities reviewed for this requirement, only 11 entities scored better than a 3 and approximately 63 percent of the reviewed entities scored a 4 or 5.

Possible Outcomes

According to HHS, the goal of its HIPAA audit program is to improve compliance with the HIPAA rules. HHS intends to use information gathered from these audits to structure a permanent HIPAA audit program and to develop tools and guidance that support compliance. Based on the audit findings, HHS may issue additional tools and guidance for covered entities on security risk analysis and risk management, as well as on individuals’ right to access their PHI.

Also, HHS continues to investigate covered entities for HIPAA violations and imposes costly penalties for serious violations. Thus, covered entities should periodically review their compliance with the HIPAA rules, including whether their security risk analysis and risk management for ePHI are up to date.