Upcoming audits will determine whether you and your business associates are in compliance with the privacy, security, and breach notification standards.


Audits Renew Focus on HIPAA Provisions

  • Sarah Conroy
  • 5/27/2016

Update: 7/15/2016

Final participants for HIPAA Phase II audits were selected and notified by email on July 11, 2016. Selected organizations should have received an email from Since this address may not be a “trusted source,” this notification may be filed as junk or spam mail, so it is imperative to check all email folders. Upon verification of contact information, a notification letter will be sent that provides instructions, a timeline, and a unique link for the secure upload of all requested documents. An additional email will be sent requesting a list of business associates. The first round of audits will focus either on the HIPAA privacy/breach notification requirements or on the security rule; participants will supply policies related to these HIPAA components as requested. The deadline for returning this information is July 22, 2016. For further information, please visit

With the implementation of the ACA and other important employee benefits, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has fallen out of the spotlight. It’s time we take this guidance down from the shelf and revisit its provisions for those looking to understand how HIPAA relates to these new benefits. 

Phase II HITECH audits focus on secure patient information 

Under one of HIPAA’s amendments, the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Department of Health and Human Services (HHS) has moved into Phase II of its audits of covered entities. The audits are being conducted by the Office for Civil Rights (OCR), a division of HHS, and are directed at any covered entities with contact information on file at HHS or OCR. However, any covered entity is subject to this audit and should be prepared to undergo it. Business associates are also subject to audit; a business associate is any person or entity that, on behalf of a covered entity, uses or discloses individually identifiable health information for functions such as data analysis, claims processing or administration, utilization review, or quality assurance reviews.

These audits will be looking at whether you and your business associates are in compliance with the privacy, security, and breach notification standards. This will be important to plan sponsors who are also covered entities, as well as anyone with a wellness plan. Because business associates are now being treated like covered entities in relation to security and breach notification standards, revisiting HIPAA is particularly important. 

COBRA and secure medical records 

HIPAA is much more than the patient confidentiality form you sign at your doctor’s office; it has several provisions that have changed benefits coverage as well as medical record privacy, transmission, and storage. 

The first provision of HIPAA was designed to help bridge the gap when an employee moves from one job to another and requires that health plans produce certificates of creditable coverage for covered plan members who lost coverage. This provision acts as a companion to COBRA and a precursor to the ACA, and helps to eliminate the long waiting periods that were sometimes imposed on employer health plan coverages post-enrollment to manage risk and contain costs. 

Under a separate provision, HIPAA called on the HHS to standardize electronic data interchange to improve efficiency in health care delivery. This made HHS responsible for setting the electronic standards for transmission, and maintaining the confidentiality and security of patient, health, administrative, and financial data. HHS also created unique health identifiers for individuals, employers, health plans, and health care providers. 

The Department of Labor oversees health insurance portability and plan sponsorship. These privacy, security, and administrative standards apply to all health care organizations including all health care providers, health plans, public health authorities, health care clearinghouses, and self-insured employers. They also apply to life insurers, information systems vendors, various service organizations, and universities. 

GINA and ERISA compliance 

HIPAA covers more than just hospital systems. If you have a self-insured health plan, you’re part of HIPAA. Keep in mind that even if your plan does not rise to the level of a covered entity, there are other laws to consider that protect medical and other confidential information. Disability, workers’ compensation, and other data kept by your HR office have their own compliance requirements. Any health plan must track and offer certificates of creditable coverage, as well as COBRA.

If your health plan is fully insured, most of the responsibility and burden will be borne by your health insurer. If you have separate wellness programs or additional plans such as an HSA or a vision plan, you may need to look more closely into whether you are in compliance with the Genetic Information Nondiscrimination Act (GINA) and Employee Retirement Income Security Act (ERISA). 

GINA prevents employers from using genetic information in employment decisions of any type. If your organization is not subject to the full privacy standards of HIPAA, GINA governs wellness plans with regard to how information is segregated and protected. Your plan is also subject to ERISA, which enforces nondiscrimination and recordkeeping standards. It is important to keep these laws in mind whenever reviewing or considering adding benefits.

HIPAA requires health information to be protected 

No one wants to lose a laptop that contains electronic protected health information (ePHI); if that data has not been rendered “unusable, unreadable, or undecipherable,” the loss creates the possibility of a violation of HIPAA law. There are also state remedies and, depending on the circumstances of the violation, there can be criminal charges. An encrypted laptop, however, can reduce the risk of a reportable breach, and ongoing enforcement, such as the randomly conducted HITECH audits, helps to verify that covered entities remain in continual compliance.

If you are subject to HIPAA, your organization has had to develop new policies, processes, and procedures to ensure privacy, security, and patients' rights. Keep in mind that your employees and their families are the plan’s members and patients. Your processes and procedures should cover: 

  • Performing a comprehensive risk assessment.
  • Building business associate agreements with business partners to support HIPAA objectives.
  • Developing a secure technical and physical information infrastructure.
  • Updating information systems to safeguard ePHI and enable use of standard claims and related transactions.
  • Training all workforce members on HIPAA privacy compliance. Each new employee who works with ePHI should be trained, and employee workspaces should be continually checked and updated for ongoing protection.
  • Developing and maintaining an internal privacy and security management and enforcement infrastructure, including designating a privacy officer and a security officer. You must have a chief privacy officer if you are a covered entity, even if that person wears more than one hat.

How we can help 

HIPAA has been around for a while, but information security and the structure of the health care industry have changed drastically over the years. If your organization faces the significant tasks of revising processes, procedures, and workspaces to comply with HIPAA standards, CLA can help you every step of the way.