The Most Alarming Fact of the HIPAA Audits

Great article by Daniel J. Solove. Daniel is the John Marshall Harlan Research Professor of Law at George Washington University Law School.

Daniel reviews the results of phase 1 HIPAA Compliance audits performed by HHS-OCR that  took place during 2011 and 2012. Some alarming statistics on a whole, most notiably :

  • Under OCR’s pilot audit program,“58 out of 59 health care providers audited had at least one negative finding regarding Security Rule compliance.” That’s more than 98%.
  • Two thirds of all entities–47 of out of 59 providers, 20 out of 35 health plans, and 2 out of 7 clearinghouses—had no complete or accurate risk assessment program.
  • Of what OCR kindly termed the “findings and observations,” most involved the Security Rule. Of the total pilot audit findings, 60% were based on the Security Rule, 30% on the Privacy Rule, and 10% on the Breach Notification Rule.

The Second Phase of Audits

While there is no set start date, the second phase of audits is scheduled to begin this fall (2014) and continue into 2016.

Unlike phase 1, phase 2 will be conducted primarily by OCR staff. Another difference is that phase 2 will likely result in compliance reviews, a type of enforcement tool. Moreover, OCR does not intend for phase 2 to include on-site audits.

According to an OCR report, the 2014 audits will focus on covered entities and the following areas: security risk analysis and management, breach notifications, and privacy notices and access issues.

The InfoTech Innovators solution powered by one of our elite security business partners will provide you with the tools and expertise you need to help you comply with the HIPAA Security Rule. Our solution was developed by experts knowledgeable with the HIPAA Security Rule, computer and network security, and security training.

His article can be viewed here


Comments are closed.