
OCR audits of 166 health care entities reveal most failed to comply with provisions of HIPAA rules

Also: HIPAA Privacy Rule changes proposed to improve coordination of care

January 14, 2021

Recently completed audits of selected health care entities for compliance with HIPAA rules found that most of the entities met the timeliness requirements for providing breach notification to individuals but failed to comply with other provisions of the HIPAA Privacy, Security, and Breach Notification Rules. 

The 2016-17 HIPAA Audits Industry Report released in December by the U.S. Department of Health and Human Services’ Office for Civil Rights provides the overall findings of the office’s audits of 166 covered entities and 41 business associates for compliance with the HIPAA rules.

Covered entities failed to properly implement right-of-access requirements

Most covered entities failed to provide all the required content for the Notice of Privacy Practices and failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

Also, most covered entities failed to properly implement the individual right-of-access requirements, such as acting on requests within 30 days and charging a reasonable fee for access.

The OCR enforces all HIPAA Privacy and Security rules and investigates related complaints. Last year, two small health care providers in Virginia and Colorado agreed to pay $10,000 and $3,500, respectively, to settle potential violations of the right-of-access provision. The settlements were just two of seven that resulted from OCR investigations completed in September 2020. The OCR completed six more investigations that led to settlements by the end of 2020. 

For more background on the OCR’s 2016-17 audits, read the report, which explains the audit and entity selection process and gives specifics about the results for each audited element: (1) Notice of Privacy Practices, (2) Electronic Notice, Provision of Notice, (3) Right of Access, (4) Timeliness of Notice of Breach Notification, (5) Content of Breach Notification, (6) Breach Notification by a Business Associate to a Covered Entity, (7) Security Risk Analysis and (8) Security Risk Management.

The OCR releases the audit reports periodically as required by the federal HITECH Act of 2009.

CDA Practice Support explains data breach notification requirements, summarizes the HIPAA Security Rule, and provides dozens more privacy and HIPAA resources for members, including a sample Breach Notification Notice. Find all of them in the resource library.

OCR proposes HIPAA Privacy Rule modifications

Also in December, the OCR announced proposed amendments to the HIPAA Privacy Rule that are intended primarily to improve coordination of care and case management and ease patient access to their information while also easing the regulatory burden on covered entities. 

The OCR’s Dec. 10 news release states that the proposed changes include strengthening individuals’ rights to access their own health information, including electronic information; enhancing flexibilities for disclosures in an emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies; and several others.

An adoption timeline for the amendments has not yet been set, but covered entities will have 180 days after the effective date of the amended rule to come into compliance. CDA will communicate the rule amendments and compliance deadline to members once that information is available.
