HIPAA Policies and Procedures… Are You Really Prepared?

Since March 23, 2010, most employee benefit plan sponsors have focused their regulatory attention on the Affordable Care Act (ACA), and for good reason! The Affordable Care Act has required extensive changes to the way employers and insurance companies offer benefits.

With so much attention focused on the ACA and the employee benefit purchasing process, many plan sponsors have relegated other important Department of Labor (DOL) and Internal Revenue Service (IRS) compliance matters to the back seat. One key area that may have been forgotten is the Privacy Rules of the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rules should especially be a concern for plan sponsors that offer a self-funded benefit plan as these plans fall within the HIPAA definition of a “covered entity”. The HIPAA requirements for full insured plans typically falls to the insurance companies since they are the party that creates and receives Protected Health Information (PHI).

Under HIPAA, a covered entity is subject to many administrative requirements including, but not limited to:

• Appointing a Privacy Officer
• Implementing policies and procedures designed to ensure compliance within the HIPAA rules
• Preparing and distributing a Notice of Privacy Practices
• Entering into Business Associate Agreements with third parties that perform duties on behalf of the plan
• Training workforce members that come in contact with PHI

In 2009, The HITECH Act added some teeth to HIPAA enforcement. HITECH implemented tougher notification requirements to affected individuals and to the Health and Human Services (HHS) Health Secretary upon discovery of a breach in private health information. HITECH created the toughest privacy enforcement vehicle when it outlined potential penalties that could be assessed.

HITECH requires HHS and the Office for Civil Rights (OCR) to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy Rules. In 2011 and 2012, the Office of Civil Rights implemented a pilot audit program to assess the controls and processes implemented by covered entities to comply with HIPAA’s requirements.

The Office of Civil Rights recently launched phase two of the audit process. The OCR has begun to obtain and verify contact information to identify covered entities and business associates of various types, and determine which entities are appropriate to be included in potential audit pools. These audits will primarily be desk audits, although some on-site audits will be conducted. The OCR views these audits as an opportunity to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through previous complaint investigations. The OCR will then provide guidance targeted to compliance challenges that were identified.

But what happens when even the best policies and procedures fail? Every year, millions of records are pushed out into the cyber world. Some of them never reach their intended recipient. Plan sponsors have an incredible responsibility to protect the data of their employees and families. Employers with even the best HIPAA policies should add cyber liability coverage as part of their risk management strategy.

Cyber liability coverage is now considered essential by most employers. A well-crafted cyber liability policy will provide coverage for crisis management services from professionals with expertise if an information breach occurs.

Almost every state has some type of requirement that employers are legally obligated to comply with in the event of a data breach. Typically, employers will be required to notify all of the potentially affected individuals, and must offer free credit monitoring services for a specified number of years. A cyber liability policy can provide protection to the employer for these first-party costs. Additionally, a cyber liability policy can offer protection for third-party claims alleging the employer was negligent in their duty to properly protect personal information. Employers need to continue to focus on the present compliance regulations including business associate agreements, HIPAA provisions, and security policies. Cyber insurance policies are not standard policies and can vary greatly by insurance company, so it is important to contact your Risk Management professionals at The Fedeli Group for further information on cyber liability policies and compliance checklists.