
Plan Sponsors Beware: Health and Human Services Announces Phase II HIPAA Audits

On March 21, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the commencement of its Phase II Health Insurance Portability and Accountability Act (HIPAA) audit program. Phase II is the second part of OCR’s effort to satisfy the audit obligation Congress imposed on it under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The program is significant for covered entities such as group health plans and for business associates, because either may be selected for audit.

How will Phase II proceed?

OCR will address Phase II in three stages.

  1. Stage 1 involves a desk audit of covered entities. OCR anticipates that Stage 1 will be completed by the end of 2016.

  2. Stage 2 will be a desk audit of business associates.

  3. Stage 3 will include on-site audits of both covered entities and business associates. Inclusion in Stages 1 or 2 will not preclude a covered entity or business associate from being subject to Stage 3.

On March 21, OCR sent e-mail correspondence to covered entities to confirm contact information. A model copy of the letter is available at Covered entities should understand that failing to respond to the letter will not avoid the audit. Rather, because response times are short once the audit begins, failure to respond may actually hurt the covered entity’s ability to answer the audit questions on time: audit responses will be due 10 business days after the request. OCR encourages covered entities to check their spam filters to determine whether the e-mail was caught. Covered entities should also be warned, however, that the compliance industry expects the OCR mailing to be imitated by phishing scams. Recipients should verify that an unexpected message of this kind actually came from an HHS address before acting on it, and should confirm through a known OCR contact channel rather than reply to or click links in a message they cannot verify.

The actual audit protocol is expected to be published shortly. That said, OCR is expected to focus on covered entity compliance with the privacy rule (specifically, the notice of privacy practices and individual access requirements), the security rule (specifically, the risk analysis requirement) and the breach notification rule. OCR is also expected to collect the identities of the business associates retained by each audited covered entity.

What should plan sponsors do?

Plan sponsors should confirm whether they have received an audit request, including by checking spam filters. Those that have received one should prepare to respond, involving legal counsel, applicable consultants and business associates as needed. OCR’s expectation is that plan sponsors are already compliant and able to respond to the audit within 10 business days. Certain proactive steps can be taken to ensure that OCR’s expectations can be met; however, time is of the essence.

What should business associates do?

Phase II makes it clear that business associates are also in the crosshairs. Moreover, the risk of selection appears greater for business associates that serve plan sponsors who have themselves been selected for audit. It is unclear at this time whether business associates will be selected before the end of Stage 1; however, business associates are well advised to ensure their records are in order.

What if my organization is not selected for a Phase II audit?

Entities not selected for audit should still take the opportunity to review their policies and procedures. The Phase II audit program does not preclude OCR from investigating complaints or conducting other audits of covered entities or business associates.

©2021 Michael Best & Friedrich LLP. National Law Review, Volume VI, Number 83

About this Author

Kirk Pelikan, Michael Best Law Firm, Labor and Employment Attorney

Kirk’s practice focuses on legal issues related to all aspects of the employment cycle, from hiring through termination and severance. Substantially experienced in both benefits and employment law, Kirk is well positioned to help clients respond to the opportunities, vulnerabilities and benefit ramifications of particular employment decisions.

Kirk’s focus includes:

  • Developing and maintaining effective compliance strategies related to defined benefit plans, defined contribution plans, executive...

Charles Stevens, Michael Best Law Firm, Labor and Employment Attorney

A persuasive advocate, Charlie vigorously defends employers and benefit plans in courts and other forums. He excels at assessing and fixing problems that arise with employee benefit programs and providing a strategically driven approach to benefits compliance and risk management planning.

As exclusive employee benefits counsel to many nationwide employers, Charlie’s practice focus extends to:

  • Counseling on Affordable Care Act (ACA) compliance and strategic planning, particularly with respect to contingent...