3 reasons HIPAA audits might not be that bad

The coming wave of Health Insurance Portability and Accountability Act (HIPAA) may not really be all that big of a deal for most of the audit targets.

In a recent interview, Colin Zick, a partner at Foley Hoag and chair of the firm’s privacy and data security practice, talked about reasons to view the HIPAA Phase 2 audits more as an ordinary compliance event than a reason for terror.

Zick typically works with health insurers and the other kinds of large organizations that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) classifies as “covered entities” for purposes of enforcing HIPAA, not the mom-and-pop insurance agencies and insurance brokerage firms that might have HIPAA “business associate” agreements with the covered entities.

HHS OCR recently explained how it will identify the targets for a new round of HIPAA audits. The main targets will apparently encompass covered entities including health insurers. The HIPAA auditors will ask the covered entities audited to list about their business associates, then audit some of the business associates.

For a health insurer, the list of business associates usually includes insurance agents, brokerage firms, plan administrators and, in some cases, professional services firms. Zick noted that Foley Hoag sometimes acts as a business associate because it receives sensitive health information from clients in connection with legal work.

For most health insurers, at least, getting through a HIPAA audit “should be like falling off a log,” Zick said. “We’re in the confidential information business.”

Read on for three ideas about why the HIPAA Phase 2 audits may be neutral event, or even a positive event, for many of the impacted insurance advisors.

1. Health insurers already understand the HIPAA rules very well.

Bill Clinton signed the bill that created HIPAA Aug. 21, 1996. HHS has been working on HIPAA implementation regulations and guidance for decades.

For the health insurers, at least, HIPAA health information protection rules that might look complicated and harsh to outsiders are a known thing, Zick said.

“Everybody knows what you’re supposed to do,” Zick said. “It’s been 20 years … This is not brain surgery.”

Auditors are likely to ask the cover entities about the sorts of things they do all the time, every day, Zick said.

Health insurers’ long, broad experience with HIPAA compliance means that insurers, and former insurance company data security advisors, may be in a good position to help agents and brokers understand and meet the OCR requirements.

Blurriness, to represent how confusing cyber security can be

2. Officials at OCR do recognize that data security is hard, and that mistakes happen.

OCR officials know first-hand that compliance with data security requirements can be challenging, even for data security specialists.

3. Being a good HIPAA citizen is good for you, too.

Interpreting the government’s rules when an insurer is a covered entity or when an insurance producer is a business associate can be tricky.

Producers who sell health-related products for certain types of insurers may not technically fall under the reach of the HIPAA requirements, Zick said.

Zick argued that, whenever any entity is doing anything that looks as if it could possibly involve HIPAA standards, the entity ought to comply with the HIPAA standards.

“It’s hard to go wrong if you’re treating information up to that high standard,” Zick said. “You went over and above [the requirements]. Isn’t that a good thing?”

Most insurance advisors want to keep their own confidential information secure, and their own systems safe. Working hard on HIPAA compliance might be one way to achieve those goals.