Updated: Dec 15, 2020
HHS has released two reports to Congress regarding HIPAA compliance and breaches of unsecured protected health information (PHI). The compliance report notes that hundreds of cases resulted in corrective actions, and 11 investigations resulted in either corrective action plans or civil monetary penalties totaling more than $28 million.
These reports serve as a reminder and a warning for covered entities and business associates to comply with HIPAA Privacy and Security.
As a covered entity (health plans are considered covered entities), an employer is significantly exposed to fines and penalties for HIPAA violations and breaches through HHS enforcement. At a high level, the requirements for covered entities are:
Business associate agreements (BAAs) with all outside entities handling protected health information (PHI) must be in place and up to date
A notice of privacy practices must be distributed to plan participants
The plan must comply with the EDI and security requirements governing electronic information
The plan must also comply with other applicable laws regarding release of personal financial or medical records or PHI (e.g., the Gramm-Leach-Bliley Act)
A risk assessment must be conducted
Employees must be trained at least once per year
HIPAA Privacy and Security Officers must be appointed
Policies and procedures must be in place
In our experience, most health plans are not complying with the HIPAA Privacy or Security rules, and as a result are putting the organization at risk of intrusive investigations and possible monetary penalties. Thus, let these reports serve as an encouragement to comply with HIPAA and ensure PHI is handled properly.