Share this article on:
The Office for Civil Rights has set the wheels in motion for its upcoming HIPAA compliance auditing program by filing an information collection request in the Federal Register, which post-Omnibus Rule now includes Business Associates as well as entities previously covered by HIPAA.
No schedule for the audits has been announced, nor was an announcement expected. The collection request is just the first step in the process and the audits are not expected to take place until the fall this year. The request is to allow it to conduct a pre-screening survey which will permit it to contact up to 1,200 covered entities and Business Associates, in part to gain an understanding of each organizations readiness for audit and also to “assess the size, complexity, and fitness of a respondent for an audit.”
The information the OCR plans to collect relates to recent activities in relation to HIPAA regulations laid down by the Omnibus Rule and Privacy Rule in particular. It will require information to be provided on the use of electronic patient health records which are to be the major focus of the upcoming audits. It will also be screening based on geographical location and business entity.
The information has been requested to ensure “proper performance of the agency’s functions”, to determine the “accuracy of the estimated burden”, “ways to enhance the quality, utility, and clarity of the information to be collected” and to permit the use of automated collection technologies.
The OCR’s Susan McAndrew revealed at December’s HIT Policy Committee meeting that risk assessments and analyses will be a major focus in the second round of compliance audits, in light of the issues it discovered during the pilot program. The majority of HIPAA violations it discovered during the first round were due to a failure to conduct a thorough risk assessment, with many organizations not having conducted one at all.
The OCR is accepting comments on its proposed prescreening survey until April 25.