BAS Blog

Government Concludes Many Covered Entities Don’t Comply with HIPAA

Written by BAS | Jan 21, 2021 6:40:44 PM

The U.S. Department of Health and Human Services is required to periodically audit covered entities and business associates to determine if they comply with the requirements of HIPAA. In 2016 and 2017, HHS audited 166 covered entities and 41 business associates.

HHS concluded that most covered entities met the timelines required for notifying individuals whose information was compromised in a breach, and that most covered entities had a Notice of Privacy Practices that was distributed properly. However, it also concluded that most covered entities failed to meet other HIPAA requirements, such as safeguarding PHI, ensuring individuals had a right to their own information, and providing the required information in a Notice of Privacy Practices. HHS also found that many covered entities and business associates did not implement proper risk analysis and risk management.

A copy of the Department’s findings may be accessed here.