HIPAA Audits of Covered Entities: Including Medical/Dental/Vision/Health FSA/HRA/Wellness/EAP Plans

The Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR) has begun a pilot audit program aimed at covered entities (and soon, business associates) regarding compliance with the HIPAA privacy / security / breach notification requirements.

More information about the audit program can be found at this HHS website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

Included in the audit will be health plans of all sizes.  Audits are starting this month, November 2011, and OCR expects to complete approximately 150 audits by December 2012.  At that point, OCR will revise its protocols and engage in a full range of audits.

These audits can lead to compliance reviews, and if HHS finds compliance failures, monetary penalties can be imposed.  Significantly, earlier this year HHS began imposing hefty penalties; the most severe civil fine imposed on a health care provider amounted to over $4.3 million.

Please make sure you review your current HIPAA practices and documentation to ensure they are all up to date.  HIPAA does not apply only to your group health plan, but also to other benefits such as dental, vision, wellness, health flexible spending accounts (FSAs), health reimbursement accounts (HRAs), and employee assistance programs (unless referral only).  This list is not exhaustive.

To begin, make sure the below documentation and procedures are up-to-date.  Many of these documents were required to be updated for security and then again under HITECH.  Please review your documents and practices to ensure you are in compliance with the most recent regulations.  [If you only have a fully insured plan, with no self-funded components or health FSAs, you will have to comply with some, but not all, of the below.]

-Written Policies and Procedures for Privacy and Security
These documents typically set forth the actions and additional policies/procedures you must put into place.  Numerous compliance mechanisms are set forth within.  Please ensure you have these documents, are following them and that they have been properly updated.

Please also ensure you have written designation of a Privacy / Security Official, written individual authorizations, and breach notifications.

-Notices of Privacy Practices (NPP)
Please ensure the NPP is distributed in a timely manner to participants and to new enrollees, and again within 60 days of any change to the notice.  Thereafter, you can distribute a Notice of Availability (i.e., a statement advising participants that the NPP is available and how they can obtain a copy) every three years.

-Business Associate Agreements (BAA)
Please ensure you have updated BAAs with all of your business associates.

-Workforce Training
Please ensure you engage in workforce training with regard to the above HIPAA privacy and security measures.  Make sure you keep documentation that such training has occurred.

-Security Risk Assessments
Please review your security policies and procedures for required action items.

This list is not exhaustive but it is a good starting point.  OCR will likely look at Plan documentation and Plan Sponsor certification documents as well.

ERISA Audits
Additionally, the Department of Labor has been auditing various group health plans for compliance.  As with HIPAA, please review your documents, notices, and practices to ensure compliance with ERISA.  It is incredibly important to ensure you have ERISA-compliant plan documents and SPDs, and that you are supplying accurate and timely notices to individuals.

Please note that ERISA does not only apply to your group medical plan, but also applies to dental, vision, health flexible spending accounts (FSAs), wellness, health reimbursement accounts (HRAs), and employee assistance programs (unless referral only), as well as various non-health benefits, such as disability, life, and accident plans.  This list is by no means exhaustive.  If you have a question as to whether a particular benefit is subject to ERISA, please feel free to contact us.  [Please also keep in mind that numerous other federal laws, such as COBRA, GINA, FMLA, and USERRA, apply to many of these benefits as well.]

With regard to group health plan audits, some of the items that have appeared on the Department of Labor’s checklist include the following:

-Signed plan documents and amendments
-Health plan booklets distributed to participants
-Signed trust agreements
-Signed annual Form 5500s and summary annual reports
-Summary plan descriptions (SPDs) distributed to participants
-Board resolutions or other corporate authority adopting plan documents
-Claims registers
-Information about preexisting condition exclusions (PCEs, if any) provided to plan participants (including general notice to enrollees, individual notices of exclusions, records of claims denied due to PCE, etc.)
-Certificates of creditable coverage under HIPAA for those losing coverage
-Written procedures for participants to obtain certificates of creditable coverage
-Copies of special enrollment notices and logs of distribution to eligible individuals (such as HIPAA special enrollment, CHIPRA, enrollments entitled under health care reform)
-Descriptions of wellness or disease management programs
-Copies of various notices, including proof of distribution to participants (including Women’s Health and Cancer Rights Act, and Newborns’ and Mothers’ Health Protection Act)
-Copy of fidelity bond policy
-Copy of fiduciary liability policy

Because the DOL has been ramping up its audit efforts, now is an excellent time to ensure your documents are in order.  If you do not have one already, you should consider implementing an ERISA “wrap” document around your underlying plans.  A wrap document “wraps” around the underlying ERISA benefits to ensure required ERISA provisions are included (such as name of plan; plan sponsor and plan administrator’s name, address and EIN; eligibility and participation requirements; type of plan; plan administration; funding; benefit descriptions and events resulting in loss or reduction of benefits; claims procedures; amendment and termination procedures; plan year; COBRA information; ERISA rights, just to name a few).  Insurance documents alone do not usually include all ERISA-required elements.

[NOTE:  While you may have a Section 125 cafeteria plan in place in order to allow your employees to pay for benefits on a pre-tax basis (or to take cash in lieu of such benefits), a cafeteria plan does not rise to the level of an ERISA “wrap” document.]

If you should have any questions with regard to these matters, or any other health or welfare benefit plan matters, please feel free to contact our offices. You can reach attorney Elizabeth Latchana directly at elatc@fraserlawfirm.com or 517-377-0826.