Survey Exposes Group Health Plan Sponsors’ HIPAA Noncompliance

A recent survey by Buck revealed that a lot of group health plan sponsors do not fully comply with the Health Insurance Portability and Accountability Act Rules. Buck is a company providing integrated HR and benefits consulting, technology, and administration services.

The survey revealed that many group health plan sponsors are noncompliant in a number of areas and are, therefore, not ready for a HIPAA audit or compliance investigation.

Thirty-one group health plan sponsors participated in the 2019 HIPAA Readiness Survey, which was conducted from April 29, 2019 to May 17, 2019.

The survey mentioned the following areas where the HIPAA Rules are not completely understood or are not being observed:

Business Associate Agreements (BAA)

Survey respondents claimed potential HIPAA failures in this area. 33% of respondents stated their health plan has no listing of their business associates or they do not know if there was one. 16% of respondents stated that certain vendors have no current BAAs or they do not know if there were current BAAs obtained. 3% stated there are no current BAAs in place.

Risk analyses

Because risk analyses aren’t being done often, threats to the integrity, confidentiality and availability of ePHI might not be discovered and controlled. 42% of respondents were not certain when was the last time a HIPAA-compliant risk assessment was conducted or they said that it was conducted over 5 years ago. 10% stated that the last risk/threat analysis was over 5 years ago.

Breach Notifications

45% of respondents stated that they have updated their privacy and security policies last year. Another 45% of the respondents said the policies were updated within 1 to 5 years, and 3% stated they had not updated the policies for at least 5 years.

Nearly 75% of respondents were ready for breaches and had created breach notification policies. 10% of respondents stated they have no breach notification policies in place and 16% were not sure if their groups have breach notification policies.

HIPAA Training of Employees

Extra HIPAA training is necessary to make sure employees remember the value of HIPAA compliance and know their obligations under HIPAA. 35% of respondents had their last HIPAA training within one to five years ago. 13% admitted that the HIPAA training was not continuous and was used for onboarding staff only. 10% of respondents said they were unaware of when was the last HIPAA training given to employees.

Implementation of privacy and security policies and procedures is important, but it is important that employees follow those policies. To find out if that is so, operational reviews are necessary. These reviews indicate the HIPAA compliance of the group health plan sponsor’s day-to-day working practices. 23% of respondents stated no operational review was conducted and 43% of respondents don’t whether a review was conducted.

In case of a data breach, audit or complaint, it is likely to find HIPAA violations, which could readily lead to a financial penalty. To avert such penalties, it is important for group health plan sponsors to know fully the HIPAA requirements, create and implement compliant policies and procedures, and to consistently evaluate compliance efforts and ensure compliance in case of an audit.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at