HIPAA Audits: Ready or Not, Here They Come!

Spring 2016Articles For Your Benefit

On March 21, 2016, the Office of Civil Rights (OCR) announced it will launch a second round of HIPAA audits in 2016. As with the first round of audits, in round two, OCR will be reviewing compliance with HIPAA privacy, security and breach notification rules. New for this round, the 2016 audits will focus on both covered entities, including group health plans, and their business associates.

The round two audits will occur in three phases: (1) desk audits of covered entities; (2) desk audits of business associates; and, finally (3) onsite reviews. It is reported that OCR will conduct about 200 total audits, the majority of which will be desk audits.

OCR has already begun the process of identifying the audit pool by contacting covered entities and business associates via email. Group health plans should be on the lookout for automated emails from OCR, which are being sent to confirm contact information. A response to the OCR email is required within 14 days. OCR instructed covered entities and business associates to check their spam or junk email folders to verify that emails from OCR are not erroneously identified as spam.

After the initial email, OCR will send a pre-audit questionnaire to entities it may choose to audit. Receiving a pre-audit questionnaire does not guarantee your group health plan will be audited. The purpose of the questionnaire is to gather information about entities and their operations (e.g., number of employees, level of revenue, etc.). The questionnaire will also require a group health plan to identify all of its business associates. Therefore, plan administrators who have not inventoried business associates should do so now.

Entities that fail to respond to the initial OCR email or questionnaire will still be eligible for audit. OCR will use publicly available information for unresponsive entities to create its audit pool.

OCR will then, in the “coming months,” randomly select entities to audit and notify them via email that they have been selected for audit.

Group health plans and business associates should check their HIPAA compliance status before they are contacted by OCR. Once selected for an audit, entities will only have 10 business days to provide the requested information to OCR.

Recent OCR enforcement activity has shown that noncompliance with HIPAA standards and specifications can be costly:

  • A Minnesota-based hospital entered into a $1.55 million settlement for failure to implement one business associate agreement and failure to conduct a HIPAA security risk analysis;
  • A teaching hospital of a university in Washington entered into a $750,000 settlement for failure to conduct an enterprise-wide HIPAA security risk analysis;
  • An insurance holding company based in Puerto Rico entered into a $3.5 million settlement for failure to implement a business associate agreement, conduct a HIPAA security risk analysis, implement security safeguards and for an improper disclosure of protected health information (PHI); and
  • A radiation oncology physician practice in Indiana entered into a $750,000 settlement for failure to conduct a HIPAA security risk analysis and implement security policies and procedures.

If you receive any communications from OCR, we strongly recommend that you contact a member of the Fox Rothschild Employee Benefits & Compensation Department immediately. A proactive review of your HIPAA compliance status can identify potential gaps and minimize the risk of potential penalties. For reference and to use as a guide, the following is a HIPAA compliance checklist for group health plans:

  • Identify all your self-insured group health plans (e.g., medical, dental, vision, EAP, health FSA, HRA).
  • Identify all your fully insured group health plans and ensure that they do not receive protected health information, other than for limited purposes (PHI).
  • Determine whether for HIPAA purposes the group health plans are a hybrid entity, part of an affiliated covered entity or part of an organized health care arrangement. Document that status.
  • Ensure the self-insured group health plans were amended to put in place a firewall between the plan and plan sponsor and that the list of workforce members who can access PHI on behalf of the plan is accurate.
  • Ensure that a certification of plan amendment is in place.
  • Appoint a HIPAA privacy official.
  • Appoint a HIPAA security official.
  • Appoint a HIPAA privacy contact person who will handle complaints and respond to the exercise of participant rights.
  • Determine where PHI is located, whether hard copy, electronic or spoken.
  • Determine the reasons why PHI is used or disclosed (e.g., payment, health care operations, public health reasons, public policy reasons, to government agencies or officials).
  • Determine which departments and workforce members have access to PHI, why they have such access and the level of access needed.
  • Identify and document the routine requests, uses and disclosures of PHI and the minimum necessary for those requests, uses and disclosures.
  • Identify all business associates: vendors that create, maintain, use or disclose PHI when performing services for the group health plan.
  • Have executed business associate agreements with all business associates.
  • Have and follow written HIPAA privacy, security and breach notification policies and procedures.
  • Train all workforce members who have access to PHI on the policies and procedures and document the training.
  • Distribute a notice of privacy practices to participants and post it on an intranet site if benefits information is commonly posted there.
  • Establish and document reasonable administrative, technical and physical safeguards for all PHI, including hard copy and spoken PHI.
  • Conduct and document a HIPAA security risk analysis for all electronic PHI (e.g., PHI on desktops, laptops, mobile phones, iPads and other electronic notebooks, copy machines, printers, discs and thumb drives).
  • Address risks to ePHI that are identified in the HIPAA security risk analysis.
  • Update your HIPAA security risk analysis periodically or when there is a material change in your environment that does or could impact PHI or if there are changes in the law impacting PHI.
  • Encrypt PHI to fall within the breach safe harbor.
  • Have written disaster recovery and contingency plans.
  • Prepare for and respond to security incidents and breaches.
  • Maintain HIPAA compliance documentation in written or electronic form for at least six years from the date the document was created or last in effect.