Earlier this month, OCR revealed some preliminary results of these pilot audits at a National Institute of Standards and Technology conference. OCR presented audit results for 20 covered entities. The audits revealed a number of common issues, including the following:
– Lack of written policies and procedures
– Missing business associate contracts
– Improper use and disclosure of information concerning deceased patients
– Failure to verify the identity of the person requesting health information
– Improper disclosures in response to judicial subpoenas and administrative requests
– Denials of patients’ access to their own records
– Lack of ongoing privacy training
– Minimal monitoring of employees’ access to electronic patient records
– Lack of contingency plans for accessing electronic records in emergencies
http://www.garfunkelwild.com/ClientAlerts/AlertPDF/2012/OCRHIPAAAuditResults-OCRpdf.pdf