A few weeks ago I had the pleasure of attending a conference by OCR and NIST about HIPAA.  Among all my notes, this one section stood out: current audit results from OCR.

Over the summer, OCR sent self assessment emails to Covered Entities.  So far, OCR has completed 166 of 803 audits.  We’ll see the final results early next year.

The second part of the audit program is auditing Business Associates.  OCR is currently whittling down 20,000 potential Business Associates.  We’ll keep up on this and let you know the results.

The things OCR was looking at closely were Risk Assessments, Risk Management Plans and Breach Notification Policies.

So far, they have had a lot of negligent offices.

A few items that were repeated incorrectly:

- Breach Notification letters were missing a date.

- Notice of Privacy Practices weren't current and were missing Access Rights.

- Website posting of Notice of Privacy Practices was not prominent.  Most were missing, and those that were posted were hidden under Policy, Legal or Website Privacy Policy.

Looking at this list is fairly frustrating, since these items are pretty easy to get right.  I can only assume that the errors happened due to DIY compliance.