Insurance agents who handle consumers’ health information could face a wave of federal privacy audits in the next year or two.
Angela Hoteling-Rodriguez of MedAmerica Insurance Company and Stephen Serfass of Drinker Biddle Reath LLP talk about the possibility in a slide deck they prepared for the Intercompany Long Term Care Insurance Conference, which is taking place this week in San Antonio, Texas.
Lawyers have been warning clients for years about efforts by the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) to organize a tough new round of health privacy compliance audits.
What’s different this year is that HHS OCR’s own auditor, the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG), recently blasted the HHS OCR health privacy compliance enforcement program.
The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) expanded the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy requirements, and it called for the U.S. Department of Health and Human Services (HHS) to look hard for non-compliance.
In September, HHS OIG accused HHS OCR of waiting passively for complaints to come in; of failing to record small breaches; and of failing to document corrective actions in 74 percent of the health privacy violation cases analyzed, according to Hoteling-Rodriguez and Serfass.
HHS classifies insurers that handle protected health information as “covered entities.” It classifies agents and brokers who touch the data as “business associates.”
HHS OCR has imposed about $30 million in privacy violation penalties on hospitals, medical practices, health insurers and other “covered entities” and “business associates” since 2008, but, when it conducted its first phase of audits, it focused mainly on seeking ways to help covered entity do a better job of protecting health information.
When HHS OCR conducted the first phase of 135 audits, it looked at the covered entities, not at the business associates, according to Hoteling-Rodriguez and Serfass.
Hoteling-Rodriguez and Serfass said they believe business associates likely will be included in the “Phase 2″ health privacy audits.
To get ready for the “Phase 2″ audits, HHS has increased the annual HHS OCR budget. HHS OCR has added 18 full-time staff members, and officials have indicated that the Phase 2 audits will begin early this year.
Privacy compliance watchers are expecting HHS OCR to conduct 200 desk audits and 24 on-site audits this year.
The audits will look at patients’ access to electronic health information and breach notification, as well as protection of patient privacy rights, according to Hoteling-Rodriguez and Serfass.
Are you following us on Facebook?