Phase 2 of the U.S. Department of Health and Human Services Office for Civil Rights’ (“OCR”) HIPAA audit program is in process. Unlike OCR’s initial Phase 1 Pilot audits, which addressed only Covered Entities, Phase 2 also focuses on Business Associate compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. These audits seek to enhance industry awareness of HIPAA compliance obligations and the information obtained will be used to develop OCR’s permanent audit program. All Covered Entities and Business Associates are eligible to be audited.

Employer-sponsored plans providing health care benefits are generally Covered Entities, and this may include arrangements such as health care flexible spending accounts. Some employers with insured health care plans may be successful in taking a “hands off” policy so as to avoid the need for the employer to take the many steps necessary to to satisfy the rules. But others with insured health care plans, and employers with self-insured plans (unless self-administered and with fewer than 50 participants), need to take the steps necessary to ascertain that the Covered Entity, its Business Associates, their subcontractors, and the employer are complying with the applicable rules.

OCR has assessed some substantial penalties against a number of organizations, including non-profit organizations. While we have not yet seen penalties assessed with respect to employer sponsored health care plans, that does not mean these arrangements are immune from audit. Further, in the event of a security incident, the security response team needs to be ready to execute its incident response plan. No one wants to be held accountable for failing to properly investigate a security incident that turns out to be a massive breach.