Is Your Agency Ready for a HIPAA Audit?

In August 2013, the Big “I” Agents Council for Technology published information about the HIPAA Omnibus Rule—a sweeping change to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that clearly defines compliance levels required by business associates. The article noted that “the HIPAA Omnibus Rule promises to bring a much higher degree of enforcement attention on independent agencies. The HHS is now required to conduct periodic audits of both Covered Entities and Business Associates for compliance with HIPAA.”

A business associate must comply with the technical, administrative and physical safeguard requirements under the security rule and is now directly liable for violations. In addition, a business associate must comply with the use or disclosure limitations expressed in contracts or agreements and, again, is directly liable for violations.

What does this have to do with you? Insurance agents and agencies that write group health insurance policies are business associates. Just check your agreements with health insurance carriers—they clearly contain a business associate agreement, meaning your agency is obligated to implement HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) rules and regulations by contract.

Last year, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) conducted pilot audits that showed a high rate of non-compliance with HIPAA standards. Afterwards, the OCR announced it would move into the second phase of the audit process. In this upcoming round, the OCR will evaluate the documentation that audited organizations submit, and failure to meet certain HIPAA and HITECH provisions can draw fines and penalties that quickly reach the tens and hundreds of thousands of dollars. The OCR is expected to select about 400 covered entities for these audits, and approximately 50 of the organizations audited will be business associates. That means the OCR could feasibly tap some agencies in the process.

Has your agency taken the appropriate steps necessary for HIPAA and HITECH compliance? Are your business associate agreements in place?

Be prepared. The next round of audits could include you.

For more information on HIPAA compliance, search “HIPAA” in the upper right corner here or on the Big "I" website.

Judi Newman and Bill Larson are the founders of NetGen, an organization committed to assisting agencies in achieving compliance with state and federal privacy and security rules and requirements.

HIPAA Timeline

1996: HIPAA becomes law to allow for portability of health insurance coverage

2003: privacy implementation for other than small health plans

2004: privacy implementation for small health plans (annual receipts of $5 million or less)

2005: implementation of security standards by health plans over $5 million of annual premium or claims payments

2006: implementation of security standards by health plans under $5 million of annual premium or claims payments

2009: American Recovery and Reinvestment Act creates HITECH and new security breach notification obligations

2010: business associate agreements required

2013: Omnibus Rule changes requirements for business associates

2014: first round of pilot HIPAA audits

2015: second phase of HIPAA audits to include business associates —J.N. & B.L.