HIPAA Compliance Audit Reveals Critical Gaps

In a recent news article published by Click 2 Houston (https://www.click2houston.com/news/woman-finds-medical-records-with-patients-information-in-se-harris-county-dumpster), a woman found medical records containing patients' information in a dumpster. This happened here in Houston, TX. Thankfully, no social security numbers were on these records, but this is still a gross violation of the HIPAA laws that are in place to protect patients' information.

In 2016 and 2017, the Department of Health and Human Services (HHS) conducted “desk audits” of 166 covered entities and 41 business associates. These audits focused on selected requirements of HIPAA’s privacy, security and breach notification rules. Although HHS has not yet released its official findings from these audits, it has identified serious compliance gaps in the following areas:

  • Security risk analysis
  • Security risk management
  • Right of access to protected health information (PHI)

It is likely that HHS will issue more tools and guidance in the future to help entities understand their legal obligations and close these compliance gaps.

I'm surprised we don't see more news articles similar to this one, given the information coming from the HHS audit. 

Privacy Rule
The HIPAA privacy rule requires covered entities (that is, health plans, health care clearinghouses and covered health care providers) to comply with national standards for the protection of PHI. The privacy rule includes the following three main protections for PHI:
  • Use and disclosure rules—The privacy rule limits when an individual’s PHI may be used or disclosed by covered entities;
  • Individual rights—The privacy rule requires covered entities to provide individuals with certain rights with respect to their PHI, including the right to receive a notice of privacy practices (privacy notice) and to inspect and receive copies of their own PHI;
  • Administrative safeguards—The privacy rule requires covered entities to develop written privacy procedures and implement appropriate safeguards for PHI.

According to HHS, the goal of its HIPAA audit program is to improve compliance with the HIPAA rules. HHS intends to use information gathered from these audits to structure a permanent HIPAA audit program and to develop tools and guidance that support compliance. Based on the audit findings, HHS may issue additional tools and guidance for covered entities on security risk analysis and management, as well as on individuals’ right to access their PHI.

Also, HHS continues to investigate covered entities for HIPAA violations and imposes costly penalties for serious violations.

There will be more details to come on this issue. Hopefully the protection of our PHI will improve!