As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.
In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.
The 2016 audit process begins with verification of an entity’s address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.
The OCR’s detailed audit protcol is available here.
If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publically available information about the entity to create its audit subject pool. Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.
To learn more about OCR’s Phase 2 Audit program, click on one of the links below:
When Will the Next Round of Audits Commence?
Who Will Be Audited?
On What Basis Will Auditees Be Selected?
How Will the Selection Process Work?
How Will the Audit Program Work?
What if an Entity Doesn’t Respond to OCR’s Requests for Information?
What is the General Timeline for an Audit?
What Happens After an Audit?
How Will Consumers Be Affected?
Will Audits Differ Depending on the Size and Type of Participants?
Will Auditors Look at State-Specific Privacy and Security Rules in Addition to HIPAA’s Privacy, Security, and Breach Notification Rules?
Who is Responsible for Paying the On-Site Auditors?
On July 14, 2015 the IRS, DOL and HHS will jointly issue final rules regarding no additional cost preventive services, including contraceptive services, under the Affordable Care Act.
The final rules maintain the existing accommodation for eligible religious nonprofits, but also finalizes an alternative pathway for eligible organizations that have a religious objection to covering contraceptive services to seek an accommodation from contracting, providing, paying, or referring for such services. The rules allow these eligible organizations to notify HHS in writing of their religious objection to providing contraception coverage, as an alternative to filling out the form provided by the Department of Labor (EBSA Form 700) to provide to their issuer or third-party administrator. HHS and the DOL will then notify insurers and third party administrators of the organization’s objection so that enrollees in plans of such organizations receive separate payments for contraceptive services, with no additional cost to the enrollee or organization, and no involvement by the organization.
The alternative notice must include:
- the name of the eligible organization and the basis on which it qualifies for an accommodation;
- its objection based on sincerely held religious beliefs to covering some or all contraceptive services, as applicable (including an identification of the subset of contraceptive services to which coverage the eligible organization objects, if applicable);
- the plan name and type; and
- the name and contact information for any of the plan’s third party administrators and health insurance issuers.
The departments issued a model notice to HHS that eligible organizations may, but are not required to, use.
Nothing in this alternative notice process (or in the EBSA Form 700 notice process) provides for a government assessment of the sincerity of the religious belief underlying the eligible organization’s objection.
In addition, the final rules provide certain closely held for-profit entities the same accommodations. Relying on a definition used in federal tax law, the final rules define a “closely held for-profit entity” as an entity that is not publicly traded and that has an ownership structure under which more than 50 percent of the organization’s ownership interest is owned by five or fewer individuals, or an entity with a substantially similar ownership structure. For purposes of this definition, all of the ownership interests held by members of a family are treated as being owned by a single individual. The rules finalize standards concerning documentation and disclosure of a closely held for-profit entity’s decision not to provide coverage for contraceptive services.
The final rules also finalize interim final rules on the coverage of preventive services generally, with limited changes.
The Health and Human Services (HHS) Centers for Medicare & Medicaid Services (CMS), recently issued its final 2016 Notice of Benefit and Payment Parameters (2016 Payment Notice), in which it stated that, starting in the 2016 plan year, the self-only annual limitation on cost sharing applies to each individual, regardless of whether the individual is enrolled in other than self-only coverage, including in a family high deductible Health Plan (HDHP). The significance of this is that it effectively embeds an individual out-of-pocket limit in all family group health plans with a higher family deductible.
For example, an HDHP plan that has a $10,000 family deductible may provide payment for covered medical expenses for a member of the family if that member has incurred covered medical expenses during the year of at least $2,600 (the minimum deductible for a 2015 family HDHP). Under the policy finalized in the 2016 Payment Notice, this plan must also apply the annual limitation on cost sharing for self only coverage ($6,600 in 2015) to each individual in the plan, even if this amount is below the $10,000 family deductible limit.