Benefits Buzz

HIPAA Audits are Coming

Posted on April 18th, 2016

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for the privacy and security of protected health information (PHI). HIPAA initially applied only to covered entities, which consist of health plans, health care providers and health care clearinghouses. In 2009, HIPAA was expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH extended the privacy and security requirements of HIPAA to business associates, which consist of individuals or entities who perform certain functions on behalf of a covered entity. Business associates can include, but are not limited to, insurance producers, third-party benefit administrators and law firms that perform services for a health plan that involve access to PHI.
HITECH also requires the federal government to perform periodic audits to ensure applicable individuals and entities are complying with the privacy, security and breach notification requirements set forth in the HIPAA law. These audits are to be conducted by the Office of Civil Rights (OCR), a division of the Department of Health and Human Services (HHS). 
Phase one of the audits occurred in 2011 and 2012. The OCR audited 115 covered entities as part of the process, most of them larger covered entities. The OCR recently announced that it will begin phase two of the auditing process. Phase two will consist of auditing a much broader range of covered entities, and the OCR will also include an audit of some business associates as part of the process.
The OCR has indicated most (but not all) of the phase two audits will be “desk audits.” That means the OCR will reach out to covered entities and business associates and request that they provide certain information relating to HIPAA. For example, it may request a copy of the written privacy and security policies and procedures that a covered entity or business associate has in place. The OCR also indicated that some audits will be conducted on-site, but it appears the bulk of the reviews will be desk audits.
In preparation for a potential audit, here are a few key tips for covered entities and business associates:
  1. Understand if you are a covered entity or business associate: As an example, employers who sponsor self-insured group health plans will be deemed covered entities. Insurance producers who provide service and support to their health plan clients are business associates. 
  2. Review written policies and procedures: At a minimum, review and update your written policies and procedures for protecting the privacy and security of PHI on an annual basis. If you don’t have any policies and procedures in place, now would be a good time to put those in writing.
  3. Adhere to your policies and procedures: It’s not that uncommon for an entity that is subject to HIPAA to have a great set of written policies and procedures that aren’t followed in day-to-day business practice. Educate, train, audit, and enforce your own internal policies and procedures, and document the results.
Don’t be scared of an audit, be prepared for an audit! It makes good business sense. 
The materials contained within this communication are provided for informational purposes only and do not constitute legal or tax advice.   
