Today marks another article, this time by Michael A. Igel, an attorney with Trenam Kemker, that again reminds businesses of the need to prepare for enforcement of laws and regulations governing employee benefits.
Igel discusses the award by the US Department of Health & Human Services Office for Civil Rights (OCR), which oversees HIPAA enforcement, of a $9.2 million contract to KPMG to develop the “HIPAA Audit Program” and to conduct the related audits.
For 2012, the goal is to audit 115 covered entities (employer health plans, providers, business associates, etc.) for compliance with HIPAA’s privacy, security and breach notification rules.
Based on similar programs that the federal government has started before (e.g., the Medicare overpayment recovery audit program), the HIPAA Audit Program is expected to expand sometime after December 2012 (the end of the pilot time frame).
Igel goes on to say, “Health care reform strengthened the enforcement of HIPAA, expanded penalties and consequences of violations, and, most notably, imposed new requirements on covered entities and business associates.”
While most employers have historically believed that the government doesn’t really enforce many of the laws affecting covered entities, Igel listed the following examples of HIPAA enforcement actions as evidence that employers should begin preparing for audits now:
- Massachusetts General Hospital – $1 million settlement and three-year Corrective Action Plan for loss of PHI;
- Cignet Health – $4.3 million settlement for refusing patient access to medical records;
- UCLA Health System – $865,000 settlement and Corrective Action Plan for allowing unauthorized access to PHI;
- Phoenix Cardiac Surgery, P.C. – $100,000 settlement and one-year Corrective Action Plan for unlawfully disclosing PHI and for failing to have adequate HIPAA safeguards;
- Accretive Health, Inc. – In the first enforcement action against a business associate, the Minnesota state attorney general filed a civil lawsuit against Accretive Health, Inc. for several business associate-related HIPAA violations;
- Blue Cross Blue Shield of Tennessee – $1.5 million settlement and a Corrective Action Plan in the first enforcement action stemming from a covered entity’s self-disclosure of a HIPAA violation.
Igel closes by urging the reader: “It is essential that all covered entities and business associates ensure compliance with HIPAA’s privacy and security regulations.”
Source: JD Supra