HIPAA and Compliance News

Health Plans Struggle with HIPAA Compliance, Unprepared for Audit

Many health plan sponsors aren't fully compliant with HIPAA or struggle to remain compliant with the rule, which means they are not prepared for an OCR HIPAA audit, Buck researchers find.


By Jessica Davis

Many group health plan sponsors are not fully compliant with the HIPAA rules or are struggling to remain compliant, and those same organizations are not prepared for a HIPAA audit, according to new research from Buck.

Buck researchers conducted a HIPAA readiness survey of primarily group health plan sponsors to get a sense of the industry’s adherence to and awareness of the HIPAA rule, in response to the increase in HIPAA enforcement actions taken by the Department of Health and Human Services.

“Strong governance is essential to protecting information,” Laurie DuChateau, Buck’s US Compliance Consulting Practice Leader, said in a statement. “It’s risky for group health plan sponsors to be unprepared for a HIPAA audit or investigation as penalties for non-compliance can amount to millions of dollars.”

Under HIPAA, covered entities are required to implement processes to safeguard protected health information, including privacy and security policies that are periodically reviewed and updated.

Typically, updates should follow changes to the HIPAA security regulations or new state laws, as well as changes in technology, the operating environment, or business processes. Organizations should also review those policies after a serious security violation or breach.

However, just 39 percent of respondents had reviewed or updated their HIPAA privacy and security policies within the last year, and 13 percent did not know when the policies were last updated. The remaining 48 percent had last reviewed them between one and five years ago, or longer.

What’s more, 42 percent of respondents either did not know when their organization last conducted a risk or threat analysis, or had last conducted one between one and five years ago, or longer.

“Not only does HIPAA require a risk/threat analysis to be performed, best practice dictates that one be conducted annually – especially with cyberattacks on the rise. Infrequent risk/threat analyses are one of the most common violations cited by OCR in their analysis of HIPAA audits,” researchers wrote.

A risk analysis is a core HIPAA requirement, and the researchers noted it is also a cost-effective compliance mechanism. Failure to perform one can lead OCR to classify a subsequent breach as “willful neglect,” the violation tier that carries the highest monetary penalties.

The report also found that health plan sponsors are predominantly neglecting workforce HIPAA training, with only 42 percent having conducted training in the last year. Thirty-five percent had last trained staff between one and five years ago, or longer, while 10 percent did not know.

Notably, 13 percent of respondents said they only provide HIPAA training when onboarding new employees. This is concerning, as reports show that education and training can reduce healthcare cyber risk.

Further, the vast majority of respondents said they had not conducted an operational review to determine whether employees actually follow the practices covered in HIPAA training and in their policies and procedures.

On the positive side, the majority of health plan sponsors (67 percent) maintain an inventory of all their business associates (BAs) and keep current business associate agreements (BAAs) with them. Just 13 percent do not have an inventory, and only 3 percent do not have a BAA in place.

“It is important to retain a list of all current BAs and to read and understand the language in your BAAs,” researchers wrote. “The reality is when a breach or any other kind of security incident happens, you are at risk for what was declared in your BAA. In many ways, a BAA is a mechanism for transferring risk (and thus liability) from one entity to another.”

“Over the last few years, the HHS’ Office of Civil Rights has ramped up its investigations, resulting in some of the largest monetary settlements in HIPAA’s history,” DuChateau concluded. “Understanding and complying with the rules is the best way to prevent a breach and the only way to emerge successfully from a HIPAA audit.”