Law firms that work with Health Insurance issues and clients should be very concerned about protecting the confidential information as prescribed by HIPAA and their legal clients. If a Data Breach should happen with confidential Health Insurance Information compromised, in addition to 3rd party damages, you may well have 1st party responsibilities under HIPAA. Your Lawyers' Malpractice Insurance policy may cover the 3rd party damages, but likely will not cover any 1st party obligations.
Adding to this concern, the HIPAA 2016 Phase 2 Audits have started.
In April the U.S. Department of Health and Human Services Office for Civil Rights (OCR) launched Phase 2 of its HIPAA compliance audits. Phase 1 was a pilot program to assess how covered entities implemented controls and processes to protect health information. Covered entities include health care providers, health plans including insurers and company health plans, and health care clearinghouses. A Law Firm that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity is a business associate. Health insurance agents/agencies are likewise considered business associates under HIPAA.
Phase 2 of the HIPAA audit program begins with an email that is sent to covered entities and business associates to verify contact information for potential auditees. Organizations only have fourteen business days to respond to OCR's request for information. Failure to respond may result in OCR using publicly available information about an organization to create its audit pool.
If an organization is selected for a desk audit, OCR will email a pre-audit questionnaire. The questionnaire asks about the size, type, and operations of potential audit targets. Pre-audit surveys should be responded to within ten business days.
It is anticipated that the results of a desk audit may trigger a third (onsite) round of audits and potential investigations if deficiencies are uncovered. The third set of audits will cover a broad scope of requirements from the HIPAA rules.