The Office of Civil Rights is taking steps to enforce HIPAA compliance. The first OCR audits began in November 2011, and uncovered compliance issues, at a cost to covered entities. Most audits to date have been aimed at health care providers; however, health plans, particularly large health plans, are also at risk. The following three factors may play a role in if a group health plan will be selected for audit.
1. Reported Breaches. The HITECH Act imposed upon covered entities the requirement to report certain breaches of unsecured protected health information. In addition to notifying the affected party, the covered entity is required, in some circumstances, to notify the media and the Department of Health and Human Services of the breach. It is widely believed that covered entities with reported breaches are at greater risk for OCR audits.
2. Participant Complaints. Individuals who feel that their health plan is not following the requirements of HIPAA can report an incident to the OCR. This triggers an investigation by OCR into the plan's practices.
3. Random Selection. OCR will be randomly selecting covered entities for HIPAA audits.
Plans should take measures to make sure their HIPAA policies and procedures are up to date and their workforce is appropriately trained on HIPAA compliance. BAS' HIPAA Training Service can help employers meet their training responsibilities, through either in-house or on-line webinar training presentations. For more information, please contact Sales@BASusa.com.
