Chernoff Diamond-Benefits and Risk Management Consultants
Insights & Implications


HIPAA AUDITS TO BEGIN

December 2011

INSIGHTS
The Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Department of Health and Human Services (HHS) to audit Covered Entities, including group health plans, and Business Associates (organizations that provide services to Covered Entities, such as administrators, accountants, brokers, and advisors) to ensure compliance with the HIPAA Privacy, Security and Breach Notification requirements. The Office for Civil Rights (OCR), the division of HHS responsible for HIPAA enforcement, has announced that it will audit up to 150 Covered Entities under a pilot program running from November 2011 through December 2012.

IMPLICATIONS
Fully insured and self-funded group health plans (medical, dental, vision, prescription drug, healthcare flexible spending accounts, long term care and certain employee assistance programs) are subject to the HIPAA Privacy and Security Rules. The initial pilot program will audit only a limited number of Covered Entities, so the probability that your benefit plan is selected is slim at the moment. It is nonetheless a reminder that employers and plan sponsors should thoroughly review and implement appropriate privacy and security measures to safeguard Protected Health Information (PHI), such as group health plan enrollment and census data. Furthermore, OCR and State Attorneys General may seek civil penalties for failure to comply with the HIPAA Privacy and Security Rules, and knowing violations can also be prosecuted criminally. As such, we remind you that:

  • HIPAA audits are required under the law, and your plans may someday be selected for audit,
  • A HIPAA privacy and/or security breach can be stressful, time-consuming and expensive, and
  • Penalties can be costly, ranging from $100 per violation up to $1.5 million per calendar year for violations of the same provision.

The OCR HIPAA Audit Program
According to OCR, the pilot audit program will be used to review and assess the compliance efforts of Covered Entities in order to identify best practices as well as risks and potential areas of concern. This initial program is primarily a compliance improvement activity intended to inform technical assistance and corrective measures, rather than an enforcement and penalty exercise. It should be noted that numerous HIPAA breaches have already occurred, affecting millions of individuals. The authorities hope these audits will help uncover the reasons behind those breaches and use the findings to develop tools that better protect personal health information.

OCR has indicated they will select from among all types of Covered Entities including providers of health services, healthcare clearinghouses, and health plans of all sizes and functions for this initial audit program. Business Associates will be included in future audits. OCR expects the process to begin in November 2011 with all initial audits concluded by December 2012.  

How The Program Will Work
OCR has announced the audit procedures will generally be as follows:

  • OCR will issue an audit notice to the Covered Entity (for a group health plan, in practice the plan sponsor). HIPAA privacy and security documentation, such as policies and procedures, must be provided within 10 business days of the request for information.
  • Auditors will conduct a site visit to observe procedures and interview key personnel in order to assess compliance efforts. OCR expects to notify the Covered Entity between 30 and 90 days before the site visit and anticipates that the visit will last between 3 and 10 business days.
  • The auditor will prepare a draft report summarizing the audit procedures, the initial findings, and the actions the Covered Entity is taking to make necessary and recommended changes. The Covered Entity will have 10 business days to comment on the draft report.
  • Within 30 business days after receiving the Covered Entity's comments, the auditor will prepare a final audit report and submit it to OCR.

More information about the HIPAA Privacy and Security rules may be found on the HHS website, Office For Civil Rights under Guidance Materials For Covered Entities.

HIPAA Compliance
Benefit plan sponsors should review their HIPAA policies and procedures to ensure that administrative, physical and technical safeguards are in place to protect PHI. HIPAA requires that you:

  • Designate a Privacy Official and a Security Official (who may be the same person) responsible for developing and enforcing the policies and procedures that implement the respective HIPAA Rules,
  • Conduct a risk analysis and take measures to mitigate the risk of improper use and disclosure of PHI, and
  • Implement training programs for workforce members who have access to PHI.

Our consulting team is available to help you assess overall HIPAA compliance gaps, provide HIPAA training to key personnel as well as review and offer risk mitigation techniques and services including liability protection.

ADDITIONAL INFORMATION
For specific questions concerning information contained in this INSIGHTS & IMPLICATIONS, please contact your Chernoff Diamond consultant.

Information contained in this INSIGHTS & IMPLICATIONS is not intended to render tax or legal advice. Employers should consult with qualified legal and/or tax counsel for guidance with respect to matters of law, tax and related regulation. Chernoff Diamond provides comprehensive consulting and administrative services with respect to all forms of employee benefits, risk management, qualified and non-qualified retirement plans, private client services, and compensation and human resources. For additional information about our services, please contact us at 516.683.6100.