The Department of Health and Human Services (HHS) and its internal agency, the Office for Civil Rights (OCR), oversee HIPAA privacy and security regulations. The agency has announced a new HIPAA audit initiative that particularly affects sponsors of self-funded group health plans in their capacity as “covered entities” under the privacy law. HHS will broadly review covered entity compliance with HIPAA’s privacy, security, and breach notification rules. HHS plans about 200 random HIPAA audits for 2016 under what it calls “phase two” of its legislatively mandated audit obligation. Although audits are said to be random, factors including industry, private or public status, and geography typically impact audit targeting.

Why are self-funded plans targeted? 

Under HIPAA, self-funded group health plans are considered “covered entities” in much the same way as a medical practice or hospital. Employers, in their role as group health plan sponsors, must adopt policies and procedures for HIPAA compliance and take an array of other key steps. With the renewed HIPAA audit focus, self-funded plans are encouraged to review compliance duties this year ahead of any potential audit exposure.

The good news is that if selected for an audit prior to implementing all of the HIPAA rules, HHS often directs compliance corrections without assessing dollar penalties if an organization can demonstrate good faith efforts.

For concerned plan sponsors, HUB International suggests you meet with a HIPAA advisor or your legal counsel regarding what you need to do to become HIPAA-compliant. Highlights of HHS’ newly announced audit protocols can be found below.

Process / Timeframes

  • Focus on “desk audit” preparation (i.e., a review of records an auditor is likely to request).
  • Be aware of HHS audit notification via email. 
  • HHS typically requires a ten-day response time.
  • Plan sponsors may track submitted audit-related documentation via a new online portal.
  • Auditors will issue a preliminary finding and allow ten business days to respond. HHS usually finalizes audit reports within 30 days.
  • On-site audits include an initial appraisal conference, followed by 3-5 days of on-site review. 
  • Audit red flags may result in further HHS investigation with possible applicable penalties.
  • HHS appears to center audit focus on HIPAA Security. Anticipate careful review of organizational information systems that house health plan-related information (i.e., hardware, software, information, data, applications, communications, and people).

Next Steps

  • Employers with self-funded plans must be HIPAA-compliant, even if they do not engage regularly with Protected Health Information (PHI). Self-funded plans include components offered alongside insured plans, such as Flexible Spending Accounts (FSA), Health Savings Accounts (HSA), Health Reimbursement Arrangements (HRA) and Employee Assistance Programs (EAP) not tied to a Long-Term Disability plan.
  • Any employer with a self-funded component should read this information and the information on the HHS OCR website to ensure compliance. Be sure to always document compliance. Compliance will include: conducting a risk assessment, having HIPAA Policies & Procedures, HIPAA training, distribution and posting of the HIPAA Notice of Privacy Practices and utilizing HIPAA Authorization forms, when necessary, and reporting when there are breaches of unsecured PHI.
  • An updated audit protocol reflecting the HIPAA omnibus rule was recently posted on the OCR website.
  • Covered entities and business associates should check their HIPAA compliance rules, implement the necessary policies and procedures, and conduct training and risk assessments now! Once contacted by the OCR, there will be little time to create them before the request for information must be answered.
  • Communications from OCR will come via email and may be incorrectly classified as spam. Be sure to check your junk or spam email folders for any emails from OCR.
  • OCR cautions that entities failing to respond to OCR’s information requests may still be selected for an audit or subject to a compliance review.
  • See the updated HHS OCR audit program webpage with a link to its audit pre-screening questionnaire. The audit program page also includes a sample template for disclosing information about business associates during an audit.
  • For complete details, see: