New HIPAA Audit Program for Group Health Plans: Don’t Get Caught Unprepared
The U.S. Department of Health & Human Services’ Office of Civil Rights (“OCR”) announced in March that, as part of its continued efforts to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules, it is beginning a new phase of audits of covered entities and their business associates. Although your eyes may have glazed over this announcement, and HIPAA audits may be about as interesting to you as the active ingredients in paprika, these audits need to be taken very seriously. The consequences of non-compliance can be incredibly expensive. Do not be caught flat-footed here. In an effort to help you understand why this issue is so important, the following questions and answers provide some basic information about these audits and a list of steps to follow in case you get the most unwelcome letter from OCR.
To view this Alert in PDF, click here.
1. Who is at risk for an audit?
Most of us do not like the word “audit,” so the first question on your mind is probably, “Does this affect my company?” Unfortunately, if you sponsor a self-funded group health plan, you could be affected. By “self-funded group health plan,” we are most commonly referring to a self-funded medical plan or a self-funded dental plan (although a self-funded vision or prescription drug plan also falls within this scope). However, don’t forget that if you offer a health flexible spending account, it is also at risk for an audit. Moreover, if you sponsor a fully insured group health plan from which you receive “protected health information” or “PHI,” you are likewise affected by OCR’s announcement and will be at risk for an audit.
2. What does it mean if my company is “at risk” for an audit?
OCR, in what it is calling the “2016 Phase 2 HIPAA Audit Program,” will review the policies and procedures adopted by covered entities and their business associates to ensure that they meet selected requirements of the HIPAA Privacy, Security, and Breach Notification Rules. We have always stressed the importance of having written HIPAA policies and procedures in place, but with this compliance issue now on OCR’s radar, it is now more important than ever. Further, OCR is only giving companies 10 business days to respond to its requests upon audit. That is a very short period of time, even for those of you with written policies and procedures already in place.
3. What information will be requested on audit?
As noted above, OCR will request to see your HIPAA policies and procedures. That is somewhat of a “loaded” request because policies and procedures address many different aspects of HIPAA medical privacy. For example, you are responsible for training all appropriate employees on the HIPAA rules. You also must document and report any “breaches” of PHI. Your policies and procedures require (or at least should require) you to have business associate agreements in place with all your business associates. This means you ought to be able to put your hands on those agreements pretty quickly. Here is an example of an audit inquiry from OCR’s audit protocol with regard to business associates:
Does the covered entity [which is your group health plan] enter into business associate contracts as required? Do these contracts contain all required elements? Inquire of management how the entity identifies and engages business associates.
Obtain and review policies and procedures related to the identification of business associates and the creation and establishment of business associate agreements. Evaluate whether the policies and procedures accurately identify business associates and establish business associate agreements consistent with the established performance criterion.
Technical Assistance: if available, review the entity’s template business associate agreement and provide technical assistance as to its contents.
4. How will we know if we are going to be audited?
You should watch for an e-mail from OCR. If you have not received an e-mail from OCR, you need to check your spam and junk folders. OCR expects you to do this. Then, you should include OCR (OSOCRAudit@hhs.gov) as an approved sender so that any future email does not go to your spam or junk folders.
OCR will begin the audit process by attempting to verify a covered entity’s address and contact information via email. You will need to respond to such a request in a timely manner. Once contact information is received, you will get a questionnaire that OCR is using to compile some basic data. This data will be used along with other information to create potential audit subject pools. If you do not respond to OCR’s request, your chances of being audited actually go up considerably, and OCR will use publicly available information to create its audit pools.
5. What steps should my company take right now?
Every employer with a self-funded group health plan (including a health flexible spending account) or a fully insured group health plan from which PHI is obtained, should take the following steps in order to avoid being caught by surprise should an audit occur:
(a) Determine if you have any plans that are at risk for an audit. As described earlier, all self-funded group health plans (medical, dental, vision, prescription, health flexible spending accounts, etc.) and fully insured group health plans that handle PHI are at risk for an audit.
(b) Check your inbox, spam, and junk folders for any correspondence from OCR. Include OCR (OSOCRAudit@hhs.gov) as an approved sender so that any future e-mail does not go to your spam or junk folders.
(c) If you have one of the above described plans, make sure that you have written HIPAA policies and procedures in place.
(i) If you do not have HIPAA policies and procedures, you can contact us (information below) and we can help you with drafting them. They will provide you with a roadmap for ensuring you meet your compliance obligations (training, documentation, etc.).
(ii) If you do have policies and procedures in place, take some time to refresh yourself on those policies and procedures. Are they being followed? Have the right employees been trained? Have you conducted a security risk analysis? Are breaches of PHI documented and recorded? Is the privacy notice properly distributed?
(d) Make sure you know who your business associates are and make sure you have signed business associate agreements with them.
While many of us have been focused on the Affordable Care Act and all the changes that accompanied it, the government has been active on other fronts affecting employer-provided benefits. If you are providing self-funded group health coverage to your employees – including major medical coverage or even a health flexible spending account – or if you are providing fully insured coverage but you receive PHI, you also need to pay attention to the HIPAA Medical Privacy, Security, and Breach Notification regulations. Unlike, say, the IRS, OCR currently has plenty of funding and has been quite aggressive in its enforcement practices. OCR’s latest round of audits is well underway and the last thing you want is to be discovered out of compliance with these important HIPAA rules.