The bad news:
- Unsurprisingly, most covered entities failed to properly implement the individual right of access requirements, such as acting on a request within 30 days and charging no more than a reasonable, cost-based fee.
- Most covered entities failed to provide all of the required content for a Notice of Privacy Practices.
- Most covered entities failed to provide all of the required content for breach notification to individuals.
The Security Rule bad news:
- Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.
For audits, the past is prologue. Violations found in an audit round tend to become enforcement priorities in the years that follow, as OCR acts to curb them. It is therefore likely that OCR HIPAA enforcement in 2021 will focus on organizations with deficient Notices of Privacy Practices and breach notification violations.
OCR will also be on the lookout for violations of the Security Rule requirements for risk analysis and risk management, as well as the requirements to track and inventory network devices. The remaining six entities fined in 2019 are keenly aware of this; each received a substantial monetary penalty for failing to meet these requirements.