HIGHLIGHTS:

  • The Department of Health and Human Services' Office for Civil Rights (OCR) announced that Phase 2 of its HIPAA audit program is underway.
  • These audits could involve onsite assessments or desk audits, and will be completed by the end of 2016.
  • Entities should begin taking steps now in order to prepare for these audits and to mitigate potential risks.

Health Insurance Portability and Accountability Act of 1996, as amended, (HIPAA) audits could be right around the corner for self-funded employee health plans. The Department of Health and Human Services' Office for Civil Rights (OCR) announced on March 21, 2016, that Phase 2 of its audit program has commenced. These audits could involve onsite assessments or desk audits, and will be completed by the end of 2016. Letters have already gone out to some potential audit targets. These letters, which are automated email communications, request confirmation of the entity's identity and contact information. Any covered entity or business associate is eligible to be audited. If an entity does not respond to the initial information request, it may still be selected for audit.

Question-and-answer guidance issued by the OCR indicates that auditors will not be looking at state-specific privacy and security rules; they will only be looking at an entity's compliance with HIPAA. However, HIPAA provides that more stringent state laws will preempt HIPAA, so it is important to confirm that the entity complies with the more stringent state laws if applicable. The guidance also indicates that the OCR will not audit entities with open complaint investigations or compliance reviews. As part of these audits, the OCR may request a number of documents from selected entities, including, but not limited to, HIPAA privacy and security policies, business associate agreements, breach notification statements and other HIPAA documentation.

Covered entities and business associates should take steps to prepare in case they are audited. A pre-audit screening questionnaire, which could get caught in spam filters, will require covered entities to identify their business associates. The OCR is encouraging covered entities to get this list ready so they are able to respond to the request or be in a position where they could prepare such a list in short order – possibly in as few as 10 days. Covered entities and business associates may also benefit from reviewing the OCR's old audit protocol to ensure that they have documentation to demonstrate compliance with each of HIPAA's requirements. Note, however, that the old audit protocol was not updated to reflect HIPAA's Omnibus Rule, issued in January 2013. The OCR has stated that it anticipates issuing a new audit protocol that is updated to reflect the Omnibus Rule in the near future.

In order to prepare for these audits and to mitigate potential risks, entities should begin taking these steps now:

  • confirm that all required HIPAA privacy and security policies are implemented and have been updated to address items introduced in the Omnibus Rule
  • confirm that all business associate agreements are accessible and have been amended to ensure that they are in compliance with the Omnibus Rule
  • confirm that the entity's Notice of Privacy Practices is up to date and is provided in a timely manner to all required individuals
  • provide regular training to covered members of the entity's workforce to ensure that they are aware of HIPAA's privacy and security regulations, and the obligations imposed by both
  • ensure that plan documents have been amended to incorporate the appropriate HIPAA provisions and that the plan sponsor has provided the required certification to the plan
  • conduct and document an updated security risk analysis; if deficiencies exist, correct them and document how risks are mitigated
  • review and update template breach notification statements to ensure that they are in compliance with the Omnibus Rule

Although employers, as such, are not covered entities subject to HIPAA, employer-sponsored health plans must comply. In light of this new phase of the OCR's audit program, now would be the proper time for an employer to ensure that its HIPAA compliance program is up to date.