HHS’ Office of Civil Rights has published the findings of an audit of more than 200 covered entities and business associates during 2016 and 2017, finding most surveyed met requirements regarding reporting breaches and notifying those whose information is involved required under HIPAA.
But fewer complied with providing appropriate notices of their privacy practices, all the information required for a breach notification, or how patients can access their medical records.
Covered entities and business associates also failed to apply HIPAA requirements or appropriate risk analysis and risk management to avoid breaches – an oversight HHS said it would move to rectify.
Although the Health Insurance Portability and Accountability Act was implemented nearly a quarter century ago, it has not completely guaranteed the confidentiality of patients and their medical records. Although breaches are relatively rare, larger breaches still command significant media attention.
Since the law has gone into effect, OCR has been monitoring how healthcare organizations safeguard their protected health information. The latest survey involved the practices of 166 covered entities – virtually all of which were hospitals and medical practices – and 41 business associates, including billing firms, consultants and accreditation organizations, among others.
Although the survey did not find any glaring security lapses, OCR did find little adherence to some collateral safeguards, such as how patients are provided notifications regarding privacy practices. Only 2% provided the required content in their privacy notices, while 66% “failed to or made minimal or negligible efforts to comply.” Most also failed to state their privacy practices in plain language, or to furnish appropriate information regarding the individual rights of patients. That’s despite the fact the OCR posted a model of how the information should be provided on its website. However, a large majority “noted their appreciation for the comments or findings, and initiated actions to strengthen policies, procedures, and/or correct deficiencies.”
Perhaps even more concerning is how covered entities dealt with records requests from patients. OCR concluded 89% failed to show they correctly implemented a system that guaranteed patients were aware they had a right to such information and how they could request it.
“Many covered entities stated that they had never received an access request,” the audit concluded. “This suggests a possible misunderstanding of the standard, as it is common for a patient to request a copy of lab results, immunization records, or a copy of a bill. Some covered entities did not maintain adequate records of how and when it responded to a request.”
However, most of the entities said they would make revisions to their policies in order to comply with HIPAA. In September, OCR settled numerous cases with providers regarding access issues; most paid fines in order to do so.
Moreover, few organizations were employing risk analysis in order to ensure their information systems remained secure over the long term. Only 14% of covered entities and 17% of business associates said they were “substantially fulfilling their regulatory responsibilities to safeguard (electronic) PHI they hold through risk analysis activities.” The audit later added that “failing to document any efforts to develop, maintain and update policies and procedures, and to use them to conduct risk analyses, was common.”
Meanwhile, the Trump administration recently proposed a rule to ease HIPAA requirements, ostensibly to promote value-based care and COVID-19 contact tracing. It is unknown whether the Biden administration would eliminate the proposed rule after it takes over in January.
“We will continue our HIPAA enforcement initiatives until healthcare entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records,” said OCR Director Roger Severino in a statement.
There were some bright spots: 71% of those surveyed notified patients in a timely fashion to breaches involving less than 500 individuals, although 67% of those notifications lacked all the required information, including a description of the breach and how individuals could take steps to protect themselves. Similar issues cropped up with business associates reporting breaches, although the percentages of failure to fully comply were not included in the audit.