The HIPAA auditors are hoping to get contact information for two points of contact at the "business associate" companies.

Officials are starting to give health insurers, hospitals and other “covered entities” more information about how the new round of health information privacy and data security audits is working.

The agency conducting the audits, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), has published a template the covered entities that get audited can use to list their business associates.

For a health insurer, the list of business associates could include insurance agents and brokers as well as benefit plan administrators.

HHS OCR auditors recently started a round of Health Insurance Portability and Accountability Act (HIPAA) Phase 2 audits, to see how well covered entities and business associates are following the rules that are supposed to keep people’s protected health information (PHI) safe.

HHS OCR officials say in a discussion of the business associate list template that only “selected auditees” will be asked to “identify and provide detailed information regarding their business associates.”

“The information collected by OCR will be used to help identify business associates for the Phase 2 audits,” officials say.

If an insurer has to list its business associates, it will be asked to provide the telephone number, postal address, email address and fax number for at least two contact people at each business associate entity.

The HIPAA “health plan” definition includes long-term care insurance arrangements and Medicare Advantage plans as well as major medical plans. The definition appears to exclude health plans that focus on selling dental insurance, disability insurance and other “excepted benefits” typically excluded from HIPAA mandates.

HHS OCR conducted an earlier round of HIPAA privacy and data security audits a few years ago. During the first round of audits, the agency focused on auditing covered entities, and it said it was more inclined to help the covered entities do a better job of protecting health information than to punish entities with compliance problems.

This time around, the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG) is asking HHS OCR to impose more penalties.
