The coming wave of Health Insurance Portability and Accountability Act (HIPAA) audits may not be all that big a deal for most of the audit targets.
In a recent interview, Colin Zick, a partner at Foley Hoag and chair of the firm’s privacy and data security practice, talked about reasons to view the HIPAA Phase 2 audits more as an ordinary compliance event than a reason for terror.
Zick typically works with health insurers and the other kinds of large organizations that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) classifies as “covered entities” for purposes of enforcing HIPAA, not the mom-and-pop insurance agencies and insurance brokerage firms that might have HIPAA “business associate” agreements with the covered entities.
HHS OCR recently explained how it will identify the targets for a new round of HIPAA audits. The main targets will apparently be covered entities, including health insurers. The HIPAA auditors will ask the audited covered entities to list their business associates, then audit some of those business associates.
For a health insurer, the list of business associates usually includes insurance agents, brokerage firms, plan administrators and, in some cases, professional services firms. Zick noted that Foley Hoag sometimes acts as a business associate because it receives sensitive health information from clients in connection with legal work.
For most health insurers, at least, getting through a HIPAA audit “should be like falling off a log,” Zick said. “We’re in the confidential information business.”
Read on for three reasons why the HIPAA Phase 2 audits may be a neutral event, or even a positive one, for many of the affected insurance advisors.
1. Health insurers already understand the HIPAA rules very well.
Bill Clinton signed the bill that created HIPAA Aug. 21, 1996. HHS has been working on HIPAA implementation regulations and guidance for decades.
For the health insurers, at least, HIPAA health information protection rules that might look complicated and harsh to outsiders are a known thing, Zick said.
“Everybody knows what you’re supposed to do,” Zick said. “It’s been 20 years … This is not brain surgery.”
Auditors are likely to ask the covered entities about the sorts of things they do all the time, every day, Zick said.
Health insurers’ long, broad experience with HIPAA compliance means that insurers, and former insurance company data security advisors, may be in a good position to help agents and brokers understand and meet the OCR requirements.
2. Officials at OCR do recognize that data security is hard, and that mistakes happen.
OCR officials know first-hand that compliance with data security requirements can be challenging, even for data security specialists.