We have been writing about the permanent HIPAA audit program that will be put in place in 2014. Details of the program are starting to be released. The full text can be accessed by going to:
Here are some of the highlights:
Number of Organizations
A survey will be sent to 1,200 organizations to assess the size, complexity, use of electronic health records, number of locations, number of patient visits and, most importantly, the fitness of the organization to be audited.
This information collection consists of a survey of up to 1200 Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities (health plans, health care clearinghouses, and certain health care providers) and business associates (entities that provide certain services to a HIPAA covered entity) to determine suitability for the Office for Civil Rights (OCR) HIPAA Audit Program. The survey will gather information about respondents to enable OCR to assess the size, complexity, and fitness of a respondent for an audit. Information collected includes, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue, and business locations.
Determine Suitability for an Audit
The notice states that the survey is needed so that OCR can collect information to determine the respondent’s suitability for a HIPAA audit. Details have not been released on what criteria will be used to select an organization for an audit.
Need and Proposed Use of the Information: The Office for Civil Rights (OCR) is mandated to conduct periodic audits to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. This information collection will enable OCR to assess the suitability of respondent covered entities and business associates for audits.
Covered Entities and Business Associates
The survey will include both HIPAA Covered Entities (hospitals, physician, dental and chiropractic offices) and Business Associates (IT companies, medical billing, law firms, etc.).
Likely Respondents: Respondents will include both HIPAA covered entities and business associates.
Requires Software to be installed for Data Collection
OCR estimates that the survey will take 30-60 minutes to complete. But even more interesting, it seems that there will be some sort of software that will need to be installed to collect, validate and verify information.
Burden Statement: Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information.
Organizations Need to be Prepared
The writing on the wall has never been clearer. OCR is about to start the permanent HIPAA audit program that they have discussed in the past. Organizations need to take this seriously.
Are you ready?
- Are you a Business Associate?
- Have you performed a Risk Assessment?
- Have you provided HIPAA security training for all employees?
- Do you have written policies and procedures on how to protect patient information?
- Do you have an incident response plan?
- Do you have Business Associate Agreements with your subcontractors?
Now is the time to get ready for the HIPAA permanent audit program!