Ask anyone to choose a root canal or an IRS audit and the choice will be no surprise – root canal. Many employers would choose a root canal over a Department of Labor (DOL) health plan audit, too.
A DOL health plan audit can be triggered by a complaint or simply by the luck of the draw! In any event, notice of a DOL health plan audit calls for immediate attention from the employer.
The scope of documents that the DOL can review is broad, in large part due to the DOL’s responsibility to enforce a number of complex laws including:
In fact, the appendix to one DOL audit request listed 26 items for the employer to provide. Employers generally have 30 days to assemble the documentation requested for the audit.
If this information sounds like a really bad dream, the DOL has provided a lifeline. This lifeline is the self-compliance tool that is intended to help employers assess whether their plans are in compliance with the various laws. As importantly, assembling the documentation called for by the compliance tool would go a long way to making a health plan audit request more manageable.
Warning: this tool is comprehensive, with 68 pages covering 93 questions!
Which brings us back to the idea of choices. Which is preferable: assembling the documents called for in the self-audit over a period of weeks or months, or scrambling when a DOL auditor is knocking on the door?
HIPAA’s privacy and security requirements have been a part of the health insurance and insurance broker lexicon for many years. Most health insurance brokers have signed at least one – and often multiple – BAAs (Business Associate Agreements) over the course of the years. HIPAA HITECH, enacted into law in 2009, increased the responsibilities of business associates and made them directly subject, by statute, to HIPAA’s privacy and security provisions. Business associates have been required to comply with these provisions since September 2013, when the rules implementing the law became final.
For the first time a business associate has settled a HIPAA case with the HHS Office of Civil Rights (OCR). Catholic Health Care Services of the Archdiocese of Philadelphia has this dubious distinction and has agreed to pay $650,000 to settle a case with OCR that resulted from the theft of a cellphone.
A cellphone that was neither password-protected nor encrypted was stolen. The phone contained PHI including social security numbers, names of family members, and information regarding diagnosis, treatment, medical procedures and medication.
As a part of the settlement of the case, the business associate had to agree to a corrective action plan. This plan can serve as a good checklist for all business associates to measure their HIPAA compliance efforts.
The corrective action plan includes:
- Risk analysis and risk management to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI
- Documentation of security measures that are implemented to reduce the identified risks
- Revision and maintenance of written policies and procedures necessary to keep PHI secure
- Communication of the updated policies and procedures to all employees on a timely basis
- Written or electronic compliance certification from all employees stating that they have read, understand and will abide by the policies and procedures
- Barring employees who have not signed or certified that they will comply with the procedures from having access to ePHI.
Among the more prescriptive aspects of the corrective action plan is a lengthy list of the “minimum content” of the policies and procedures. These include:
- Policies regarding encryption of ePHI.
- Policies regarding password management.
- Policies regarding security incident response.
- Policies regarding mobile device controls.
- Policies regarding information system review.
- Policies regarding security reminders.
- Policies regarding log-in monitoring.
- Policies regarding a data backup plan.
- Policies regarding a disaster recovery plan.
- Policies regarding an emergency mode operation plan.
- Policies regarding testing and revising of contingency plans.
- Policies regarding applications and data criticality analysis.
- Policies regarding automatic log off.
- Policies regarding audit controls.
- Policies regarding integrity controls.
Brokers have taken important steps that recognize their responsibilities when handling protected health information (PHI) as HIPAA requires. These include physical changes to offices to secure information, adoption of encrypted email, and other measures.
However, now may be a good time to review the steps taken with an eye to what may have been overlooked or where more robust action is necessary. The steps of this corrective action plan are a good start to a thorough review. After all, the last few years have seen significant changes in the use of electronic mobile devices, including an explosion of employees using their own devices for work-related purposes.
It seems a day doesn’t pass without a news item regarding a data breach of some kind. To that end, HHS’ Office of Civil Rights (OCR) recently announced a new phase in its efforts to audit and assess compliance with the HIPAA Privacy, Security and Breach Notification Rules.
Phase 1 of the audit program was a pilot program to assess how covered entities implemented controls and processes to protect health information. OCR measured 115 covered entities against a set of protocols. Business associates were not audited in the Phase 1 program.
Covered entities include health care providers, health plans including insurers and company health plans and health care clearinghouses. A “business associate” is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Health insurance brokers are typically business associates under HIPAA.
Phase 2 of the HIPAA audit program is launching this year. OCR will focus on desk audits of covered entities and their business associates. In some cases, on-site audits will also be conducted. In auditing business associates, OCR will consider risk analysis, risk management, and the timeliness and content of breach notifications to covered entities.
The audit process begins with an email that is sent to covered entities and business associates to gather contact information. This email is followed by a pre-audit questionnaire. The questionnaire asks about the size, type and operations of potential audit targets. Pre-audit surveys should be responded to within 10 days.
If an entity doesn’t respond, OCR will use publicly available information to gather what it needs about the audit target. So, merely not replying to an OCR email is insufficient to avoid a compliance review. OCR’s Phase 2 audit announcement instructs covered entities and business associates to check their spam folders for OCR communications.