Providers stumble after recent HIPAA audits

June 10, 2013

When it comes to securing and protecting patient health information, physician practices with fewer than 50 providers fared the worst in a recent audit by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

 


In fact, Linda Sanches, MPH, an OCR senior adviser, reports that only two of the 64 healthcare providers in the audit passed without problems.

While OCR’s audit on privacy and security also included health plans and healthcare clearinghouses, the report says that significant compliance issues exist among physician practices.

OCR evaluated practices related to security (administrative, physical and technical safeguards), breach notification, and privacy [access to patient health information (PHI), administrative requirements, uses and disclosures of PHI, etc.]. Security problems accounted for 60% of the findings and observations. Data privacy problems were noted in 30% of the audits, while only 10% were attributed to data breach notifications.

Small practices, OCR notes, “struggled with all three audit areas.”

Nearly 50% of the smaller practices posted negative findings and observations related to compliance with the rules on uses and disclosures of PHI; another 30% were dinged for not having acceptable administrative requirements in place; 30% had compliance problems related to patient access; and another 31% had findings and observations related to notice of privacy practices for PHI.

Many of the audit problems, Sanches says, were triggered simply because providers were unaware of the requirements. She urged physicians to evaluate the regulations and conduct a compliance assessment to help protect PHI from breaches.
