The Office for Civil Rights (OCR) is
mandated to conduct periodic audits to assess the compliance of covered
entities and business associates with the HIPAA Privacy, Security, and Breach
Notification Rules. On February 20, 2014, the Department of Health and Human
Services announced plans to utilize a Pre-Audit Survey form to gather
information in an effort to assess the size, complexity and fitness of an
entity for an audit. Below is a summary of the announcement.
- The Office for Civil Rights (OCR) will be sending the
survey to as many as 1,200 HIPAA covered entities and business associates
to determine suitability for an audit, as part of the much-anticipated
permanent HIPAA audit program. Approximately two-thirds of the surveys
will be completed by HIPAA Covered Entities and the remainder by Business
Associates. Information will be gathered to evaluate the “fitness of a
respondent for an audit.”
- The OCR is required to conduct audits to ensure the
compliance of covered entities and business associates with the HIPAA
Privacy, Security, and Breach Notification Rules. By acquiring information
through the Pre-Audit Survey, the OCR will attempt to determine which
organizations may benefit from an OCR audit.
- The survey will take approximately 30-60 minutes.
Organizations will need to install software prior to the survey. In
response to this requirement, and other time constraints placed on
organizations by issuance of the permanent HIPAA audit, the OCR has
released the following Burden Statement:
“Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information.”
Organizations must be prepared for
the Pre-Audit Survey. Preparations will entail certain actions (for instance,
installing the necessary software), but another significant aspect of
preparedness is becoming knowledgeable about OCR mandates and keeping up to date
with information concerning the permanent HIPAA audit program that will begin
soon.
Other possible preparations include,
but are not limited to, performing an independent Risk Assessment (a less
understood mandate of the OCR), forming policies and procedures to protect ePHI
and/or respond to a data breach, and drafting Business Associate Agreements
with clients and Business Associates (in the case of HIPAA Covered Entities).
For the full announcement, please visit the Federal
Register. Please contact LaSalle Consulting Partners for more
information on the upcoming Pre-Audit Survey.