Since 2003, insurance agents and brokers have been required by law to meet Health Insurance Portability and Accountability Act of 1996 (HIPAA) guidelines, as all business associates must meet the same standards as covered entities.
Phase 1 audits focused exclusively on covered entities; however, phase 2 audits are set to focus on both covered entities and business associates, to ensure full compliance with HIPAA guidelines across all of the health care sector.
The Office for Civil Rights (OCR), an arm of the U.S. Department of Health and Human Services (HHS), is responsible for the phase 2 audits. Although the phase 2 audits have been delayed until OCR is able to implement a new Web portal through which entities can submit information, the audits could begin at any time. OCR has merely advised that covered entities and business associates need to “stay tuned.”
See also: Office preps for HIPAA privacy audits.
With this in mind, insurers and brokers will need to ensure they are prepared for the phase 2 audits, as OCR will select and send requests for information to a selection of covered entities, who will be asked to provide contact information for the health insurance organizations and insurance brokers associated with their organizations. OCR will then randomly select a number of business associates that will be required to participate in the phase 2 audits.
Preparing for phase 2 audits
The phase 2 audits will target HIPAA standards that were sources of high numbers of non-compliance in the phase 1 audits. The phase 2 audits of business associates will focus on risk analysis, risk management, and the reporting of HIPAA breaches to covered entities.
Training on HIPAA is required by law, and all staff that come into contact with protected health information (PHI) will need to demonstrate that they are able to meet HIPAA data security standards.
For employees in an organization who are responsible for creating policies and procedures, and/or employees who implement and supervise the HIPAA rules, a high level of training is recommended.
This would include:
- Business owners.
- Executives, managers and officers.
- HR managers.
- IT managers (including contracted employees).
- Any other employee involved with implementing HIPAA.
In addition to this, training should be provided for any employee that comes into contact with PHI, including:
- Administrative assistants and receptionists.
- Supervisors and line managers.
- HR staff.
- IT staff.
- Any other employees who may come in contact with PHI.
Organizations will need to be able to confirm that sufficient training on the HIPAA standards (that are necessary or appropriate for a workforce member to perform his/her job duties) has been provided.
See also: Data security office has bad data security.
Another part of the audit projected to be included in the phase 2 audits relates to the risk analysis and management of transmission and encryption of electronic PHI (ePHI). This is expected to be included in the audit due to the high percentage of breaches that occur during the transmission of data, and the loss and theft of portable devices.
Organizations will need to demonstrate that sufficient encryption is in place for all ePHI transmission, and that staff are trained to ensure that encryption is used end to end, across all devices.
HIPAA audit preparation checklist for business associates
To ensure that they are prepared for a potential phase 2 audit, insurers and brokers should take the following steps:
- Ensure that a comprehensive assessment of potential security risks and vulnerabilities to the organization (a risk assessment) has been completed, and be able to confirm that all action items identified in the risk assessment have been completed or are on a reasonable timeline to be completed.
- If the organization has not implemented any of the security standards’ addressable implementation standards for any of its information systems (such as the encryption of ePHI), confirmation will be required to ensure that the organization has documented the reason that any such addressable implementation standard was not reasonable and appropriate and details on alternative security measures that were implemented.
- Ensure a breach notification policy has been implemented by the organization, and that covered entities are aware of this policy.
- In addition to a website privacy notice, business associates should ensure that they have a notice of privacy practices in place that complies with HIPAA standards.
- Ensure that the organization has reasonable and appropriate safeguards in place relating to the storage of all forms of PHI, including a facility security plan for each physical location that stores or otherwise has access to PHI (in addition to any security policies that require a physical security plan).
- Ensure that appropriate levels of training have been provided to all staff who come into contact with PHI.
- Confirm that the organization maintains an accurate inventory of information system assets, including mobile devices (also applicable to a bring your own device environment)
- Confirm all systems and software that transmit electronic PHI within the organization employ encryption technology, or provide a documented the risk analysis supporting the decision not to employ encryption.
- Provide evidence that shows a full review of HIPAA security policies has been conducted to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures, etc.) to meet HIPAA compliance.
OCR may not have announced the date that phase 2 audits will begin, but officials there are likely to move forward with entity selection and requests quickly once a date is confirmed. Business associates should therefore be using this time to ensure that they are fully prepared.
See also: Small breach, big lesson in backpack.