Be prepared for HIPAA audits

Most employers have become accustomed to the IRS and Department of Labor periodically auditing their qualified retirement plans. Now, employers must also be ready for HIPAA audits.

Most employers were required to comply with the HIPAA privacy rules in 2003 and 2004. These compliance efforts involved preparing and issuing a Notice of Privacy Practices. As part of this process, employers followed the flow of protected health information through their organization, including the manner in which health information was shared with outside vendors. They executed business associate agreements with vendors, including insurance brokers, third-party administrators, flex plan administrators and legal counsel. Most employers undertook detailed efforts to ensure employees' PHI was safeguarded in compliance with the HIPAA privacy rules.

In 2005 and 2006, employers expanded their HIPAA initiatives to protect all electronic PHI under the legislation's security rules. These compliance efforts involved reviewing electronic communications with all vendors and implementing encrypted emails and enhanced password protections to obtain access to electronic PHI. Business associate agreements were also updated.

As a result of the Health Information Technology for Economic and Clinical Health Act of 2009, covered entities are required to provide notification to affected individuals and to the Health Secretary following the discovery of an unsecured PHI breach. Employers once again re-evaluated the manner in which they communicated with vendors and updated business associate agreements for HITECH. Given that the initial business associate agreements were executed in 2003-2004, and amended for the security rules in 2005-2006, most employers created new and improved agreements to use with vendors before the Feb. 17, 2010, HITECH compliance deadline.

In November 2011, the Office for Civil Rights (within HHS) implemented a HIPAA audit program for entities covered under HITECH. The program's pilot phase ended in December 2011. OCR hired accounting firm KPMG to conduct the HIPAA audits. If you were one of the lucky 150 covered entities, including employers sponsoring health plans, you've already received a letter from KPMG requesting documents within 10 business days. Employers are expected to have 30 to 90 days' notice before an onsite visit by KPMG, and audits are expected to last from three to 10 business days. After completing an onsite visit, KPMG will provide a draft report for review and comment. The covered entity will have 10 business days to review the report, and a final report will then be submitted to OCR.

It's too early to draw any conclusions from the audit program. OCR may conduct follow-up compliance reviews if significant errors are identified. OCR will also use the audit results to help establish best practices, where possible.

The OCR audits are not the first efforts at HIPAA enforcement. OCR has received more than 64,000 complaints since April 2003. OCR has required covered entities to change their privacy and security practices, and has also assessed civil penalties for non-compliance. OCR also forwards complaints involving potential criminal violations to the FBI.

Under the HITECH breach notification provisions, covered entities must notify affected individuals, the government and, in some circumstances, the media when there is a breach of unsecured PHI. The notification requirements should be contained in all business associate agreements. OCR is required to submit an annual report to Congress identifying the breaches that have occurred. The most recent report, covering large-scale breaches in 2010, showed that the most common types of breaches involve theft of paper records or electronic media (back-up tapes, laptop computers, smartphones, flash drives); loss of paper records or electronic media; unauthorized access to, use of or disclosure of PHI; human or technology errors (misdirected mailings or emails); and improper disposal of records.

OCR expects to issue additional guidance under HITECH in 2012, which will address restrictions on marketing communications, changes to individual rights and new rules for business associate agreements, as well as guidance under the Genetic Information Nondiscrimination Act. This guidance is expected to necessitate further changes to privacy and security policies, as well as business associate agreements.

Contributing Editor Frank Palmieri, CPA, JD, LL.M (Taxation) is a partner with the law firm of Palmieri & Eisenberg, with offices in Princeton, N.J., and Alexandria, Va. He is a fellow in the American College of Employee Benefits Counsel.
