Covered entities should take note of some key findings from audits OCR conducted in 2016 and 2017, in which OCR assessed covered entities' and business associates' compliance with selected provisions of the HIPAA Privacy, Security, and Breach Notification Rules.1

OCR found material noncompliance with HIPAA's Notice of Privacy Practices (NPP) content requirements, along with the right of access, breach notification, security risk analysis, and risk management requirements, says Jennifer L. Urban, JD, CIPP/US, partner with Foley & Lardner in Milwaukee.

Although the audits took place several years ago, the findings were not published until December 2020, and they remain relevant to today's HIPAA compliance efforts. "A lot of organizations still struggle with doing risk analyses and building in the vulnerabilities and identified risks into their risk management plans," Urban says. "That's been a focus for many years, and that's where most organizations failed in the audits."

Implementing a sound security program, with a documented risk analysis, recognized security practices, and a risk management plan that mitigates the identified risks, can serve as a partial safe harbor from penalties, even though it does not guarantee compliance. "What's most interesting to me in the findings from the audit is that people aren't doing a very good job with the security analysis and risk mitigation plan, and they really should be focusing their efforts on those pieces," Urban says. "The M.D. Anderson case and some recent legislation show that you can create a safe harbor if you put enough effort into that, even if it doesn't make your HIPAA compliance foolproof."

The audit findings also suggest covered entities should review their NPPs. Urban was surprised to see that only 2% of the entities audited had NPPs that met all of the content requirements. Right of access was another area of concern. "OCR has been focusing a lot on patients being able to access their records. Under some proposed changes to the HIPAA rules, they're focusing on providing broader access in quicker time frames," Urban says. "OCR has had this information from the audits for some time now, and I think that's one reason they have this access initiative now."

  1. Department of Health and Human Services, Office for Civil Rights, Health Information Privacy Division. 2016-2017 HIPAA Audits Industry Report. December 2020.


  • Jennifer L. Urban, JD, CIPP/US, Partner, Foley & Lardner, Milwaukee. Phone: (414) 297-5864. Email: