Phase 2 of the U.S. Department of Health and Human Services Office for Civil Rights’ (“OCR”) HIPAA audit program is underway. Unlike OCR’s initial Phase 1 Pilot audits, which addressed only Covered Entities, Phase 2 also focuses on Business Associate compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. These audits seek to enhance industry awareness of HIPAA compliance obligations, and the information obtained will be used to develop OCR’s permanent audit program. All Covered Entities and Business Associates are eligible to be audited.
Employer-sponsored plans providing health care benefits are generally considered to be Covered Entities, and this may include arrangements such as health care flexible spending accounts. Some employers with insured health care plans may be successful in adopting a “hands off” policy as part of a strategy for avoiding the many steps necessary to satisfy the rules. But others with insured health care plans, and employers with self-insured plans (unless self-administered and with fewer than 50 participants), need to take the steps necessary to ascertain that the Covered Entity, its Business Associates, their subcontractors, and the employer are complying with the applicable rules. In essence, they need a HIPAA compliance program.
OCR has assessed some substantial penalties against a number of organizations, including non-profit organizations. While we have not yet seen penalties assessed with respect to employer-sponsored health care plans, that does not mean these arrangements are immune from audit or investigation. Further, in the event of a privacy or data security incident, the response team needs to have an incident response plan in place and be ready to execute it. No one wants to experience the consequences of failing to properly investigate a privacy or security incident that turns out to be a breach.