OCR’s Audit Report Reveals Concerns that Continue to Guide HIPAA Enforcement

By Mathew J. Levy, Esq. & Zoila Sanchez, MPH, JD

Recently, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) published its 2016-2017 Health Insurance Portability and Accountability Act (HIPAA) Audits Industry Report. HHS is required to periodically audit a sample of covered entities and business associates for HIPAA compliance under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Across this sample, OCR found failures with the Notice of Privacy Practices requirements, the HIPAA Breach Notification Rule, the individual right of access to health information rule and the HIPAA Security Rule. Since the Audit was completed in 2016-2017, we would expect that a number of the fundamental deficiencies that OCR identified have been rectified by covered entities and business associates, as the OCR has been very aggressive in its enforcement activities during the last five years, imposing significant financial penalties on non-compliant entities. Nonetheless, it is worth noting that these are the areas that OCR chose to focus on then, and they remain as serious in 2021 as they were during this audit period:

  • Notice of Privacy Practices: of the 166 covered entities sampled, 98% failed to fully include required content for the HIPAA-mandated Notice of Privacy Practices, including content related to individual rights and the use of plain language as required by the Privacy Rule.
  • Breach Notification to Individuals: findings uncovered failures to include the required description of Protected Health Information (PHI) and steps for individual protection.
  • Individual Right of Access: the majority of covered entities failed to correctly implement individual right-of-access requirements, such as granting reasonable access to PHI records within 30 days and charging a reasonable cost-based fee. Given Electronic Health Records (EHR), health care entities and business associates should only charge per-page fees that represent the actual cost of the paper and manpower to print the record.
  • HIPAA Security Rule: findings showed failures to implement the detailed requirements for risk analysis and risk management.

These areas of concern will continue to guide OCR’s ongoing HIPAA enforcement efforts, which are intended to ensure that covered entities (and business associates) carefully and thoroughly identify security risks to protected health information in their custody and meet their duty to provide patients with understandable documents that describe their HIPAA rights and their timely and cost-based access to their medical records.

It is critical for covered entities, including health care entities, and business associates to know the minimum requirements for HIPAA compliance. One way to assess whether your practice is ready for audit is to familiarize yourself with “Self-Audit For HIPAA Compliance – Is Your Practice Ready?”

Should you have any questions regarding HIPAA compliance, please contact Mathew Levy at 516-926-3320 or MLevy@weisszarett.com.

About the Authors:

Mathew J. Levy is a Partner of the firm and co-chairs the Firm’s corporate transaction and healthcare regulatory practice. Mr. Levy has extensive experience in defending healthcare professionals in actions brought by State licensing authorities and the Federal agencies (OIG, Medicare, OMIG, Medicaid, DEA, OSHA, OCR, Hospital Review Boards, Office of Professional Medical Conduct and Office of Professional Discipline). Mr. Levy has successfully defended numerous healthcare providers in actions involving the US Attorney’s Office investigations, Medicare Fraud Waste and Abuse investigations, Medicaid Fraud Control Unit investigations, OPMC, OPD, Medicare, Medicaid as well as commercial insurance audits including Prepayment Review, Post Payment Review, Medicare Hearings and Hospital Discipline Investigations.

Mr. Levy has successfully structured and negotiated joint venture agreements, private equity transactions, venture capital transactions, stock purchase agreements, asset sale agreements, shareholders agreements, partnership agreements, employment contracts, managed care agreements and commercial leases. Among the areas in which he focuses are coordinating mergers and acquisitions, compliance programs, ambulatory surgery centers, the establishment of diagnostic and treatment centers, HIPAA privacy regulations, fee-splitting issues, Stark law issues, fraud and abuse rules and regulations and Medicare/Medicaid, Oxford, Americhoice, Fidelis, Healthfirst and other third-party payor settlements.

Zoila Sanchez, J.D., M.P.H. joined the Firm full-time upon graduating with her Juris Doctor degree from the Maurice A. Deane School of Law at Hofstra University. During law school, Ms. Sanchez served as a Legal Clerk with the U.S. Department of Health and Human Services Office of Counsel to the Inspector General in Washington, DC, where her work focused on health care fraud and abuse. In addition, Ms. Sanchez clerked for over a year at the Firm while in law school. Ms. Sanchez has experience in supporting the Firm’s business and health care law, and litigation practice areas.

Weiss Zarett Brofman Sonnenklar & Levy, P.C. is a Long Island law firm providing a wide array of legal services to the members of the health care industry, including corporate and transactional matters, civil and administrative litigation, healthcare regulatory issues, bankruptcy and creditors’ rights, and commercial real estate transactions.

ATTORNEY ADVERTISING: PRIOR RESULTS DO NOT GUARANTEE FUTURE OUTCOMES.