The coming wave of Health Insurance Portability and Accountability Act (HIPAA) audits may not be all that big of a deal for most of the audit targets.

See also: Feds start picking HIPAA audit targets

In a recent interview, Colin Zick, a partner at Foley Hoag and chair of the firm’s privacy and data security practice, talked about reasons to view the HIPAA Phase 2 audits more as an ordinary compliance event than a reason for terror.

Zick typically works with health insurers and the other kinds of large organizations that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) classifies as “covered entities” for purposes of enforcing HIPAA, not the mom-and-pop insurance agencies and insurance brokerage firms that might have HIPAA “business associate” agreements with the covered entities.

HHS OCR recently explained how it will identify the targets for a new round of HIPAA audits. The main targets will apparently be covered entities, including health insurers. The HIPAA auditors will ask the audited covered entities to list their business associates, then audit some of those business associates.

For a health insurer, the list of business associates usually includes insurance agents, brokerage firms, plan administrators and, in some cases, professional services firms. Zick noted that Foley Hoag sometimes acts as a business associate because it receives sensitive health information from clients in connection with legal work.

For most health insurers, at least, getting through a HIPAA audit “should be like falling off a log,” Zick said. “We’re in the confidential information business.”

Read on for three ideas about why the HIPAA Phase 2 audits may be a neutral event, or even a positive event, for many of the affected insurance advisors.


1. Health insurers already understand the HIPAA rules very well.

Bill Clinton signed the bill that created HIPAA on Aug. 21, 1996. HHS has been working on HIPAA implementation regulations and guidance for decades.

For the health insurers, at least, HIPAA health information protection rules that might look complicated and harsh to outsiders are a known thing, Zick said.

“Everybody knows what you’re supposed to do,” Zick said. “It’s been 20 years … This is not brain surgery.”

Auditors are likely to ask the covered entities about the sorts of things they do all the time, every day, Zick said.

Health insurers’ long, broad experience with HIPAA compliance means that insurers, and former insurance company data security advisors, may be in a good position to help agents and brokers understand and meet the OCR requirements.

See also: HIPAA Phase 2 audits: How will insurers name agents’ names?


2. Officials at OCR do recognize that data security is hard, and that mistakes happen.

OCR officials know first-hand that compliance with data security requirements can be challenging, even for data security specialists.

In 2013, an OCR sister agency, the HHS Office of Inspector General, found that OCR had bad data security.

See also: Data security office has bad data security

OCR recognizes in its standards that mistakes happen, and that, for example, employees sometimes lose laptops, Zick said.

What OCR officials will want to see is evidence that covered entities and business associates have policies and programs in place to minimize the risk of health information incidents, and to minimize the impact when human errors or difficult-to-foresee circumstances lead to incidents, Zick said.


3. Being a good HIPAA citizen is good for you, too.

Interpreting the government’s rules when an insurer is a covered entity or when an insurance producer is a business associate can be tricky.

Producers who sell health-related products for certain types of insurers may not technically fall under the reach of the HIPAA requirements, Zick said.

Zick argued that, whenever any entity is doing anything that looks as if it could possibly involve HIPAA standards, the entity ought to comply with the HIPAA standards.

“It’s hard to go wrong if you’re treating information up to that high standard,” Zick said. “You went over and above [the requirements]. Isn’t that a good thing?”

Most insurance advisors want to keep their own confidential information secure, and their own systems safe. Working hard on HIPAA compliance might be one way to achieve those goals. 

See also:

Lawyer on HIPAA Phase 2 audits: Take the rules seriously

Are You Sure Your Clients Are Really Protected?


Image: Colin Zick (Foley Hoag photo)