Survey Reveals HIPAA Compliance Issues with Group Health Plan Sponsors

Many group health plan sponsors are not fully compliant with the Health Insurance Portability and Accountability Act (HIPAA) Rules, according to a recent survey by Buck, an integrated HR and benefits consulting, technology, and administration services firm.

The survey uncovered several areas where group health plan sponsors are noncompliant and revealed many group health plan sponsors are not prepared for a HIPAA compliance investigation or HIPAA audit.

The 2019 HIPAA Readiness Survey was conducted between April 29, 2019 and May 17, 2019 on 31 group health plan sponsors.

The survey uncovered several areas where important provisions of the HIPAA Rules are not fully understood or are not being followed, such as risk analyses, business associate agreements, HIPAA training for staff, and breach notifications.

Risk analyses are not being conducted as frequently as they should be, so threats to the confidentiality, integrity, and availability of ePHI may not be identified and managed. 42% of respondents either were unsure when a HIPAA-compliant risk assessment was last conducted or said it was last conducted more than 5 years ago. 10% said the last time a risk/threat analysis was conducted was more than 5 years ago.

Business associate agreements were another area where survey respondents highlighted potential HIPAA failures. 33% of respondents had not created an inventory of their business associates or were unaware whether an inventory had been created. 16% of respondents said they did not have current business associate agreements for certain vendors or were unaware whether current BAAs had been obtained. 3% said they do not have current business associate agreements in place.

45% of respondents said privacy and security policies were updated in the past year, but 45% said they were updated between 1 and 5 years ago, and 3% said they had not been updated for at least 5 years.

Almost three quarters of respondents had prepared for breaches and had developed breach notification policies. 10% of respondents said they did not have policies in place covering breach notifications, and 16% were unsure whether they had policies covering breach notifications.

Refresher HIPAA training sessions are required to ensure employees are reminded of the importance of HIPAA compliance and understand their responsibilities under HIPAA. More than a third of respondents (35%) had last been offered HIPAA training between one and five years ago, with 13% admitting that HIPAA training was not ongoing and was only provided when onboarding staff. One in ten respondents said they did not know when training on HIPAA was last provided to employees.

Privacy and security policies and procedures must be implemented, but it is also essential that employees actually follow those policies. To determine whether that is the case, operational reviews are required. These reviews show whether day-to-day working practices are HIPAA compliant. 23% of respondents said they had not conducted an operational review, and 43% of respondents did not know whether a review had been conducted.

In the event of a data breach, complaint, or audit, HIPAA failures are likely to be uncovered, which could easily result in a financial penalty for noncompliance. To avoid financial penalties, it is essential for group health plan sponsors to be fully aware of the requirements of HIPAA, to have compliant policies and procedures in place, to regularly assess their compliance efforts, and to ensure that, in the event of an audit, compliance can be demonstrated.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.