Group Health Plan Sponsors Should Prepare for Possible HIPAA Audits, Contributed by Laura Miller Andrew and Kate Bongiovanni, Smith, Gambrell & Russell, LLP
The Health Information Technology for Economic and Clinical Health Act (the HITECH Act) requires the U.S. Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities (health care providers, health plans and health care clearinghouses) and business associates are complying with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.1 As a result, HHS’s Office for Civil Rights (OCR) has recently commenced a pilot program to audit up to 150 covered entities to assess such entities’ compliance with the HIPAA privacy and security rules.2
Background on HIPAA Compliance and Group Health Plans
Since the implementation of the HIPAA administrative simplification provisions in 2003, most group health plans have been required to comply with HIPAA’s privacy standards for protected health information (PHI), which is defined as “individually identifiable health information” that is maintained or transmitted by a covered entity.3 Generally, “individually identifiable health information” is health information that is created or received by a health care provider, health plan, employer or health care clearinghouse that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual.4 In 2005, the HIPAA security standards became applicable to most group health plans, requiring group health plans to protect the availability, integrity, and confidentiality of PHI transmitted or maintained in electronic media.5 While most group health plans are subject to HIPAA’s privacy and security requirements as “covered entities,” self-administered, self-funded group health plans with fewer than 50 employees eligible to participate are not required to comply with HIPAA’s privacy and security requirements.6
Since the enactment of the HITECH Act, group health plan sponsors have been required to implement additional policies and procedures to identify breaches of unsecured PHI. Unsecured PHI has not been encrypted using a methodology approved by HHS.7 The HITECH Act also significantly expanded the HIPAA privacy and security requirements, particularly as they apply to business associates that perform a specific function on behalf of group health plans, such as claims administrators. In general, prior to February 2010, business associates were held responsible for compliance with the HIPAA privacy and security rules only through business associate agreements with covered entities. The covered entities, such as group health plans, remained primarily responsible for compliance with the HIPAA privacy and security rules, even if the business associate created and stored the majority of PHI for the group health plan (a typical scenario for a group health plan where the claims administrator handles most claims of participants). Since February 2010, many HIPAA security provisions and some HIPAA privacy provisions now apply directly to business associates in the same manner as those provisions apply to covered entities.8
The HITECH Act Audit Requirements
Included in the HITECH Act is a requirement that HHS conduct HIPAA compliance audits of covered entities and business associates.9 Coupled with this requirement are increased monetary penalties associated with a HIPAA breach, the amount of which are based on the culpability of the violator.10 Under the HITECH Act, penalties per individual violation range from a minimum of $100 to a maximum of $50,000.11 The maximum penalties for multiple violations range from $25,000 to $1.5 million.12
Notably, the HITECH Act specifically provides that a portion of the monies collected from these penalties can be used by HHS to fund additional compliance activities.13 Therefore, while HHS has always had the right to audit covered entities, until the HITECH Act, it generally did not have sufficient funds to undertake widespread audits of covered entities or business associates. HHS most often investigated covered entities based on complaints initiated by plan participants or publicized breaches of PHI. Now, HHS has the funds and the resources to begin systematic reviews of all types of covered entities and business associates, not just the covered entities and business associates afflicted by publicly-known compliance issues. As a result, it is critical that group health plans be vigilant in their protection of plan participants’ PHI (including electronic PHI) in accordance with the HIPAA privacy and security rules.
Objectives of the New HIPAA Audit Program
The majority of the information regarding the new HIPAA audit program is detailed on the HHS website regarding health information privacy.14 According to the OCR, the audit program will be used to assess HIPAA compliance efforts by a variety of covered entities, examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through HHS’s ongoing complaint investigations and compliance reviews.15 The OCR anticipates that the audit program will uncover the reasons why health information breaches are occurring, and will assist the OCR in creating tools for covered entities to better protect the health information that they use and disclose.
At this time, it appears that the objective of the HIPAA audit program is to yield best practices with regard to HIPAA compliance, rather than to penalize covered entities for vulnerabilities that are uncovered during an audit. However, if a serious HIPAA compliance issue is discovered during an audit, the OCR will assess whether to open a separate compliance review to address the problem.16
Timing of the Audit Program
According to the OCR, the pilot audit program is a three-step process. First, the OCR will develop the protocols for the audits. Next, the OCR will initiate a limited number of audits in an “initial wave” to test the audit protocols. These initial audits began in November 2011. The results from these initial audits will assist the OCR in determining how to conduct future audits. Lastly, the OCR will begin conducting the full range of audits using the revised protocols. All audits in the pilot phase of the audit program will be completed by the end of December 2012.17
Entities Eligible for an Audit
According to the OCR, all covered entities and business associates are eligible for a HIPAA audit. The OCR is responsible for the selection of the entities that will be audited, which will include a broad range of covered entities in the health care industry. In fact, according to the OCR, the range of covered entities that will be selected for an audit will be as wide as possible, including all types and sizes of health service providers, health plans, and health care clearinghouses. Business associates will be included in future audits, presumably in the third phase of the program.18
Mechanics of the Audit Process
HHS has engaged KPMG LLP, a professional public accounting firm, to conduct the HIPAA audits.19 According to the OCR, KPMG LLP will use “generally accepted government auditing standards” in conducting the audits.20 Covered entities that are selected for a HIPAA audit will be informed by OCR via an initial notification letter, a sample of which has been posted on the HHS website.21 These entities will be requested to provide documentation of their HIPAA privacy and security compliance efforts to the audit contractor identified in the letter. The requested documentation must be provided within ten business days of the request for information. The notification letter will be provided to each covered entity that has been selected for a HIPAA audit between 30 to 90 days prior to an onsite visit by the auditors. (Every audit in the pilot phase of the program will include a site visit.) Site visits may take between three and ten business days, and will include interviews with key personnel and observations of the covered entities’ processes and operations to determine whether the entities are operating in compliance with HIPAA.22
At the conclusion of each site visit, the auditors will prepare a draft audit report describing how the audit was conducted, what the findings were, and what actions the covered entity is taking in response to those findings. Before the audit report is finalized, the covered entity will have ten business days to review the report and provide written comments back to the auditor regarding any concerns about the issues that were identified during the audit, as well as potential corrective measures that may be implemented to rectify such issues. A final report will be submitted to the OCR and will incorporate the steps the covered entity has taken to resolve any compliance issues uncovered during the audit.23
Preparing for a Potential HIPAA Audit
Because of the short turnaround time for a request for information in connection with a HIPAA audit, covered entities should review their HIPAA policies and procedures now, including their workforce training procedures, business associate arrangements, notices of privacy practices, and breach notification procedures, to ensure that they are accurate and up-to-date. For example, covered entities should ensure that they can provide evidence of compliance with the new breach notification rules that were implemented under the HITECH Act. HIPAA policies and procedures should include specific references and practices with regards to privacy and security breaches, and business associate agreements must be updated to reflect these practices and to allocate responsibility in the case of a breach. In addition, notices of privacy practices should be updated to include breach information and to reflect any changes in providers or procedures that have occurred since the implementation of the HIPAA privacy and security rules. Most importantly, covered entities should ensure that they treat the privacy and security of protected health information as a high priority. HIPAA compliance must not be limited to the creation of a HIPAA privacy and security policy that is contained in a binder on the shelf; it must be an ongoing important objective of the covered entity. Group health plan sponsors should take steps now to prioritize HIPAA compliance so that they are ready for a possible HIPAA audit.
Laura Miller Andrew is a partner in the Tax Section of Smith, Gambrell & Russell, LLP where she specializes in all major aspects of employee benefits law. Ms. Andrew concentrates her practice in health and welfare plan matters, including compliance with the health care reform legislation, ERISA, HIPAA, FMLA and COBRA, as well as other human resources and executive compensation matters. Ms. Andrew has written and lectured on many aspects of employee benefits and human resources, and is a frequent speaker on topics related to health care reform. She is admitted to practice in Florida and Georgia. She can be reached at firstname.lastname@example.org.
Kate Bongiovanni is an associate in the Tax Section of Smith, Gambrell & Russell, LLP where she practices in employee benefits law, with a specific concentration in health and welfare plan matters, including compliance with the health care reform legislation, ERISA, HIPAA, COBRA and other human resource matters. She is admitted to practice in Florida. She can be reached at email@example.com.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.
© 2012 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.