HHS OCR HIPAA Audit Finds Less Than Lackluster Results


Majority were non-compliant for Access, Security Risk Management and Analysis

In 2016 and 2017, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) conducted audits of 166 covered entities and 41 business associates regarding compliance with selected provisions of the HIPAA Rules. The Report was released in December 2020.

OCR administers and enforces the HIPAA Rules (45 CFR Part 160), which establish requirements for the use, disclosure, and protection of PHI by covered entities and business associates; provide health information privacy and security protections; and establish rights for individuals with respect to their PHI. The audit randomly selected 166 covered entities representing a wide range of health care providers, health plans, and health care clearinghouses in order to assess HIPAA compliance across the industry.

The results and methodology are listed below.

Audit by Covered Entity Type

The vast majority of audited covered entities were health care providers (150 of the 166 total). See Figure 1. A wide range of health care providers were represented including practitioners, pharmacies, hospitals, health systems, skilled nursing facilities, and elder care facilities.

Audit Scoring System

The entity-specific final reports explained OCR’s analysis and rating of each entity’s compliance efforts for every audited element on a scale of 1 to 5. The scores identified OCR’s assessment of the comprehensiveness and effectiveness of entity activities. A rating of 1 reflects a high understanding and strong implementation of the audited elements. A 2 rating reflects activities that are largely in compliance, but reveal some weaknesses. A 3 or 4 rating reflects serious shortcomings in compliance efforts, and a 5 means no serious effort was taken by the entity.

Audit Results

In the results, BNR stands for Breach Notification Rule, P stands for Privacy Rule, and S stands for Security Rule.


Based on its findings, OCR concluded that most covered entities met the timeliness requirements for providing breach notification to individuals, and most covered entities (that maintained a website about their customer services or benefits) also satisfied the requirement to prominently post their Notice of Privacy Practices (NPP) on their website.

OCR also found that most covered entities failed to meet the requirements for other selected provisions in the audit, such as adequately safeguarding protected health information (PHI), ensuring the individual right of access, and providing appropriate content in their NPP.

OCR also found that most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.
