Insurers and insurance brokers could face fines in health privacy and data security cases that seem strange, or even unfair, and that is how the system works.
Stephen Serfass, a partner in the Philadelphia office of Drinker Biddle & Reath, said the covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) health information rules need to learn how the U.S. Department of Health and Human Services Office for Civil Rights sees the rules.
When it comes to deciding how reasonable OCR HIPAA enforcement is, “beauty is in the eye of the beholder,” Serfass said in an interview.
Some decisions to find an entity responsible for a violation “could lead you to scratch your head,” Serfass said.
But Serfass, a member of Drinker Biddle’s privacy and data security group, said some of the head scratchers could be a sign that OCR believes the breach described is a symptom of an entity’s deeper health information protection problems.
“These privacy and data security requirements are meant to be taken very seriously,” Serfass said.
The U.S. Department of Health and Human Services (HHS), the parent of OCR, classifies issuers of major medical insurance and long-term care insurance (LTCI) as covered entities for HIPAA purposes. Any vendors or other entities that share protected health information with covered entities are the entities’ business associates.
For health and LTCI insurers, the list of business associates includes agents and brokers.
A few years ago, OCR organized a wave of audits that focused more on gathering information and educating covered entities than on imposing penalties. OCR is now organizing a second round of audits, the HIPAA Phase 2 audits. The HHS Office of Inspector General has been pushing OCR to be tougher on entities with violations.
OCR seems to be in the early stages of developing the audit target lists, Serfass said.
“A business associate could certainly be the target of an audit,” Serfass said.