OCR Releases Report Summarizing HIPAA Privacy and Security Compliance Failures
The National Law Review
Joseph J. Lazzarotti
In the final days of 2020, the Office for Civil Rights (OCR) at the U.S. Health and Human Services (HHS) released a HIPAA Audits Industry Report (“the Report”) that could be quite helpful to covered entities and business associates for tackling HIPAA compliance as we enter the new year. The Report examines OCR’s findings from HIPAA audits the agency conducted during 2016-2017 of 166 healthcare providers and 41 business associates. The audits were intended to examine mechanisms for compliance, identify promising practices for protecting the privacy and security of health information, and discover vulnerabilities that may have been overlooked by OCR enforcement activity. It is the OCR’s hope that insights from the Report will enhance industry awareness of compliance obligations and assist the OCR in developing tools and guidance to support industry compliance and self-evaluation and to help prevent data breaches.
The Report looked at seven components of HIPAA compliance by covered entities:
1. Privacy Rule:
– notice of privacy practices/content requirements
– provision of notice – electronic notice (website posting)
– right of access
2. Breach Notification Rule:...