Officials are starting to give health insurers, hospitals and other “covered entities” more information about how the new round of health information privacy and data security audits is working.
The agency conducting the audits, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), has published a template that audited covered entities can use to list their business associates.
For a health insurer, the list of business associates could include insurance agents and brokers as well as benefit plan administrators.
HHS OCR auditors recently started a round of Health Insurance Portability and Accountability Act (HIPAA) Phase 2 audits, to see how well covered entities and business associates are following the rules that are supposed to keep people’s protected health information (PHI) safe.
HHS OCR officials say in a discussion of the business associate list template that only “selected auditees” will be asked to “identify and provide detailed information regarding their business associates.”
“The information collected by OCR will be used to help identify business associates for the Phase 2 audits,” officials say.
If an insurer has to list its business associates, it will be asked to provide the telephone number, postal address, email address and fax number for at least two contact people at each business associate entity.