Federal officials plan to start calling insurers’ ‘business associates’ in September

BY ALLISON BELL

Federal health data cops are setting up a compliance lottery you might prefer to skip.

Earlier this month, the health data cops — officials at the Office for Civil Rights, an arm of the U.S. Department of Health and Human Services — started a major wave of audits of hospitals, group health plans, insurers and other entities directly covered by the Health Insurance Portability and Accountability Act privacy and data security rules.

Officials from the Office for Civil Rights are asking for big batches of information from the HIPAA-covered entities. One item on the auditors’ document-demand list is contact information for the covered entities’ business associates.

For an insurer, the list of business associates could include insurance agents and brokers.

For a group health plan, the list could include agents, brokers and benefit plan administrators and consultants.

Federal officials want to use the business associate lists to choose targets for a wave of business-associate HIPAA audits.

Federal officials conducted a smaller, relatively casual round of audits of covered entities in 2012, to look for ways to help covered entities and business associates understand and comply with HIPAA rules.

An official who’s supposed to keep tabs on HHS, the HHS inspector general, blasted officials the Office for Civil Rights for going too easy on the covered entities. Observers are expecting the current “Phase 2” round of audits to be tougher.

During a recent Phase 2 audit webinar, officials from the Office for Civil Rights said audits could lead to legal action.

“OCR could decide to open a separate compliance review in a circumstance where significant threats to the privacy and security of [protected health information] are revealed through the audit,” officials say in a webinar slidedeck.

Here’s a look at some of the new details officials from the Office for Civil Rights revealed at the webinar, based on the slidedeck and a collection of written answers to webinar participants’ questions:

1. A desk audit has nothing to do with the condition of your desk.

When Office for Civil Rights officials conduct a desk audit, they ask the targeted entity to answer questions and send it many documents.

The officials conducting the Phase 2 audits sent requests for documents to 167 covered entities July 11.

The auditors will look to see how each audited entity is complying with either the HIPAA security standards, or the HIPAA privacy and data breach requirements, but not both, according to the slidedeck.

If officials conduct a desk audit of a group health plan’s compliance with the privacy rules, for example, the auditors will look to see whether the entity has a privacy practices notice that includes all of the required elements. Auditors will also to see whether the entity posts the notice on its website in the right way.

In many cases, auditors will ask entities for screen shots of their computer screens. Officials took up several webinar slides showing the webinar attendees what the screen shots should look like.

2.  Investigators could talk to a few dozen business associates.

At the webinar, Office for Civil Rights officials said they will conduct a total of 200 to 250 desk audits.

Subtracting 167 from those figures suggests that the federal officials could end up conducting desk audits of 33 to 83 business associates.

Officials plan to begin the business associate desk audits in late September.

During the webinar, a representative from an insurer noted that the insurer has business associate agreements with tens of thousands of insurance agents. Federal officials said the insurer should send it all available contact information for as many of the agents as possible.

Federal officials hinted that they could audit some business associates even if those associates have no connection with a covered entity being audited. Officials said the business associate selection pool will be “largely drawn” from the lists provided by the covered entities being audited. The wording implies that some associate names in the selection pool could come in from other sources.

Some of the covered entities and business associates could get extra attention from the Office for Civil Rights.

“Comprehensive onsite audits of both [covered entities] and [business associates] will begin in early 2017,” according to the webinar slidedeck.

3. The covered entities getting audited do not have to say anything about that to their business associates.

The covered entities audited were supposed to send the requested documents, including business associate lists, to the auditors by July 22.

One webinar attendee asked if a covered entity being audited should notify its business associates.

Officials told the attendee: “This is not a required element of the audit program.”