Group Health Plan Sponsors have HIPAA Compliance Issues: Buck Survey


Most group health plan sponsors are not fully adhering to the Health Insurance Portability and Accountability Act (HIPAA) Rules, according to a survey recently published by Buck, an integrated HR and benefits consulting, technology, and administration services firm.

The survey uncovered many areas where group health plan sponsors are not complying and showed many group health plan sponsors are not prepared for a compliance investigation or HIPAA audit.

The 2019 HIPAA Readiness Survey was carried out between April 29, 2019 and May 17, 2019 on 31 group health plan sponsors.

The survey showed several areas where important provisions of the HIPAA Rules are not fully understood or are not being adhered to, such as risk analyses, business associate agreements, HIPAA training for staff, and breach notifications.

Risk analyses are not being carried out as often as they should be, so risks to the confidentiality, integrity, and availability of ePHI may not be identified and managed. 42% of respondents were unsure when a HIPAA-compliant risk assessment was last carried out or said it was last conducted more than five years ago. 10% said the last risk/threat analysis was conducted more than five years ago.

Business associate agreements were another area where survey respondents highlighted possible HIPAA failures. 33% of respondents had not created an inventory of their business associates or were unaware whether one had been created. 16% of respondents said they did not have business associate agreements in place for certain vendors or were unaware whether current BAAs had been completed. 3% said they had no business associate agreements in place at all.

45% of respondents said privacy and security policies had been updated in the past year, but 45% said they had been updated between 1 and 5 years ago, and 3% said they had not been updated for at least 5 years.

Almost three quarters of respondents had prepared for breaches and had developed breach notification policies. 10% of respondents said they did not have policies covering breach notifications, and 16% were unsure whether they had such policies.

Refresher HIPAA training sessions are necessary to ensure employees are aware of the importance of HIPAA compliance and understand their responsibilities under HIPAA. More than a third of respondents (35%) had last been given HIPAA training between one and five years ago, with 13% admitting that HIPAA training was not provided on an ongoing basis and was only given when onboarding staff. One in ten respondents said they did not know when HIPAA training was last provided to employees.

Privacy and security policies and procedures must be put in place, but it is equally vital that staff members actually follow them. Operational reviews are necessary to determine whether that is the case, since they show whether day-to-day working practices are HIPAA compliant. 23% of respondents said they had not carried out an operational review, and 43% of respondents did not know whether a review had been completed.

Should a data breach, complaint, or audit occur, HIPAA failures are likely to be uncovered, which could easily result in a financial penalty for noncompliance. To avoid financial penalties, it is vital for group health plan sponsors to be fully aware of their obligations under HIPAA, to have compliant policies and procedures in place, and to regularly assess their compliance efforts so that, in the event of an audit, compliance can be demonstrated.