
Are You Prepared for the 2012 HIPAA Audits?

January 2012

By: Peter E. Hansen, Esq.

In 2012, the Department of Health and Human Services (HHS) will begin auditing employers for compliance with HIPAA's privacy and security regulations. HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers employers who maintain either physical or electronic documents containing "protected health information," or information created by a health care provider that concerns an individual's physical or mental health. HIPAA's coverage is broad, extending to many employers who are unfamiliar with the privacy and security regulations and, as a result, may be subject to fines ranging from $100 to $50,000 per violation.

HIPAA's privacy and security regulations have undergone significant changes over the last several years, due in large part to information technology. In fact, the HHS amended HIPAA's privacy and security regulations in 2009, 2010 and 2011. This trend is likely to continue as the HHS will soon issue final regulations concerning "metadata," or data about data that is hidden within electronic documents.

The HHS, which awarded two private contracts to assist with the audits, will select the entities to be audited at random. If selected, an employer must allow the auditor to examine whatever privacy and security procedures HIPAA requires. The specific privacy and security regulations with which employers must comply vary depending on the extent of an employer's use and/or disclosure of protected health information; however, if HIPAA requires it, the auditor may inspect it. For many employers, the audit will include at least a privacy policy, employee notices and recordkeeping procedures.

Given the ever-changing nature of HIPAA and the potentially high penalty for non-compliance, employers should review their existing HIPAA privacy and security procedures to ensure compliance with current federal regulations - and, if none exist, determine whether such procedures must be implemented.

Questions? Please contact WS Attorney Peter E. Hansen at (262) 560-9696, or email pehansen@wesselsherman.com