Buck Bond Group

Buck survey finds group health plan sponsors struggle to comply with HIPAA regulations, unprepared for an audit or investigation

NEW YORK, January 14, 2020 – Buck, an integrated HR and benefits consulting, technology, and administration services firm, today released the findings of its HIPAA Readiness Survey, which found that many group health plan sponsors are not in full compliance with HIPAA rules nor are they prepared for a HIPAA audit or investigation.

Under the HIPAA rules, covered entities and business associates must not only have processes in place to safeguard protected health information, they must also periodically review the procedures and update or modify them as necessary.

Buck’s survey uncovered that one third of plan sponsors didn’t know when a HIPAA risk or threat assessment was last performed, and an additional 10% stated their analysis was more than five years old. An essential component of HIPAA compliance is an up-to-date risk/threat assessment to identify key IT security weaknesses.

“Strong governance is essential to protecting information,” says Laurie DuChateau, U.S. Compliance Consulting Practice Leader. “It’s risky for group health plan sponsors to be unprepared for a HIPAA audit or investigation as penalties for non-compliance can amount to millions of dollars.”

The survey also found other gaps that need to be addressed: Only 39% of respondents had updated their privacy and security policies and procedures in the last year. In addition, documented policies and procedures were not adequately communicated and therefore often not followed, and records of individual training completion had not been maintained.

Key findings:

  • 42% of survey participants either did not know when a risk/threat analysis was last conducted or had last conducted one more than five years ago.
  • 33% of respondents to the survey either have not inventoried their business associates or did not know if they have done so.
  • 35% indicated they last offered HIPAA training between one and five years ago, 13% provide training only during onboarding, and 10% did not know when HIPAA training was last provided.

“HIPAA has always been a complex law,” says DuChateau. “Over the last few years, the U.S. Health & Human Services’ Office of Civil Rights has ramped up its investigations, resulting in some of the largest monetary settlements in HIPAA’s history. Understanding and complying with the rules is the best way to prevent a breach and the only way to emerge successfully from a HIPAA audit.”


Responses were received from organizations representing a broad range of industries – primarily manufacturing, materials and mining, and life sciences – with 500 or more full-time employees. All questionnaire responses were carefully reviewed, statistical software was used to identify outliers and other unusual data points, and a final quality control review was conducted.

About Buck
Together with our clients, we’re defining the new social contract between employers and their employees to not only accommodate shifting expectations, but to stay ahead of them. Driven by best-in-class technology and leading analytics capabilities, our consulting solutions and easy-to-use administration platforms are helping the world’s most forward-thinking organizations re-envision and re-design the way people work and live. For more information, visit www.buck.com.

Media contact:
Lumina Communications for Buck
Hollie Smith / Michael Gallo
646-741-8359 / 212-239-8594

Note: The majority (77.4%) of survey respondents identified as sponsors of group health plans. The balance of survey participants did not provide a response to this question.