Insurance agents who handle consumers' health information could face a wave of federal privacy audits in the next year or two.
Angela Hoteling-Rodriguez of MedAmerica Insurance Company and Stephen Serfass of Drinker Biddle & Reath LLP discuss the possibility in a slide deck they prepared for the Intercompany Long Term Care Insurance Conference, which is taking place this week in San Antonio, Texas.
Lawyers have been warning clients for years about efforts by the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) to organize a tough new round of health privacy compliance audits.
What's different this year is that HHS OCR's own auditor, the U.S. Department of Health and Human Services Office of Inspector General (HHS OIG), recently blasted the HHS OCR health privacy compliance enforcement program.
The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) expanded the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy requirements, and it called for the U.S. Department of Health and Human Services (HHS) to look hard for non-compliance.
In September, HHS OIG accused HHS OCR of waiting passively for complaints to come in; of failing to record small breaches; and of failing to document corrective actions in 74 percent of the health privacy violation cases analyzed, according to Hoteling-Rodriguez and Serfass.
HHS classifies insurers that handle protected health information as "covered entities." It classifies agents and brokers who touch the data as "business associates."
HHS OCR has imposed about $30 million in privacy violation penalties on hospitals, medical practices, health insurers and other "covered entities" and "business associates" since 2008, but when it conducted its first phase of audits, it focused mainly on seeking ways to help covered entities do a better job of protecting health information.