The 2020 Industry Report of 2016-2017 HIPAA Audits

Although it has been a long time coming, results of HIPAA audits conducted in 2016 and 2017 were finally released to the public in December of 2020.

The Scope

In 2016 and 2017, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) performed audits of 166 covered entities and 41 business associates to check on compliance with selected provisions of the HIPAA Rules.

In the report, the Department of Health & Human Services outlines some of its findings, both good and bad, related to policy. This snapshot looks at some of the key findings from the report. Neither the positive nor the negative findings reflect all of the organizations audited.

Top findings from HIPAA's Audit Report: The Good

Some examples of positive findings in the report include:

  • Met timeliness requirements for notifying necessary parties of a breach
  • Met requirement to clearly post notice of their privacy practices on their website

Top findings from HIPAA's Audit Report: The Bad

Some examples of negative findings in the report include:

  • Failures to present all required contents for a notice of privacy practices
  • Failures to implement the HIPAA Security Rule requirements for risk analysis and risk management
  • Failures to properly implement requirements for providing patients with access to their health records. This includes acting within 30 days and charging a reasonable cost-based fee
  • Failures to present all required documentation for breach notification to individuals

The Bottom Line: Always be Prepared

Is your company HIPAA compliant? If you work for a hospital, health care provider, health plan, or related business associate, your organization should always be prepared for a HIPAA compliance audit.

Organizations can reduce their risk of regulatory action through HIPAA compliance training programs. The U.S. Department of Health and Human Services (HHS) offers training information on its website, along with important tools to help you remain compliant and be prepared for audits, including this security risk assessment tool.

Read the full HIPAA Audits Industry Report published in December 2020.