In December 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Health Insurance Portability and Accountability Act (HIPAA) Audits Industry Report, which contains findings from 207 audits of healthcare providers and covered entities conducted between 2016 and 2017.
The report surveyed seven key elements required for HIPAA compliance, including: notice of privacy practices, electronic notice/provision of notice, right of access, timeliness of notice of breach notification, content of breach notification, breach notification by a business associate to a covered entity, security risk analysis, and security risk management. The audits revealed that most healthcare providers and covered entities failed to implement effective risk analysis and risk management activities to protect electronic protected health information (ePHI).