The Department of Health and Human Services (“HHS”) announced in late February that it intends to conduct a “pre-audit survey” of up to 1200 entities subject to the Health Insurance Portability and Accountability Act or “HIPAA.”  Comments on the proposed collection request must be submitted by April 25, 2014.

The announcement provides that HHS intends to issue the surveys to both HIPAA “covered entities” (i.e., health care providers, health plans, and health care clearinghouses) and “business associates.”  Thus, all of the following entities could potentially be selected for the pre-audit survey:

  • Health care providers.  Health care providers include all health care service providers that transmit any health information electronically in connection with certain transactions.  This includes nearly all physicians, dentists, chiropractors, nursing homes, and other health care providers that transmit health information electronically in connection with billing and payment for services or insurance coverage.
  • Health plans.  Health plans include employer sponsored group health insurance. Although fully insured health plans are exempt from HIPAA, employers that provide medical benefits to their employees using self-funded health plans are likely subject to HIPAA.  Notably, this typically includes major medical plans where the employer self-insures even a portion of the plan and many medical flexible spending plans.
  • Health care clearinghouses.  Health care clearinghouses are entities which process nonstandard health information they receive from another entity into a standard format.  This category can include an assortment of organizations that work as a go-between for health care providers and health plans such as entities providing billing services.
  • Business associates.  Business associates are persons or entities that perform activities that involve the use of protected health information on behalf of a health care provider, health plan, and/or health care clearinghouse.

The pre-audit survey likely indicates that HHS intends to increase HIPAA enforcement actions. Thus, to prepare for possible audit selection and future stepped-up HIPAA enforcement, all covered entities and business associates should ensure that they are compliant with the requirements of HIPAA including the changes recently implemented by the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  For example, at a minimum, all covered entities and business associates should ensure that they have:

  • Written HIPAA policies and procedures in place;
  • Updated their “Notice of Privacy Practices” and “Business Associate Agreements” as required by HITECH;
  • Assigned a privacy officer.

For assistance in determining whether your business is subject to HIPAA and/or whether it needs to take additional actions to become HIPAA compliant, please contact Jean H. Bender.

Davenport, Evans, Hurwitz & Smith, LLP, located in Sioux Falls, South Dakota, is one of the State’s largest law firms. The firm’s attorneys provide business and litigation counsel to individuals and corporate clients in a variety of practice areas. For more information about Davenport Evans, visit