This week at the Healthcare Information and Management Systems Society (“HIMSS”) Conference, Susan McAndrew, the Deputy Director for Information Privacy at the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”), announced that OCR is planning to resume its HIPAA compliance audit program in 2014. As a first step, OCR will soon launch a survey of 1,200 organizations – 800 Covered Entities and 400 Business Associates – in order to select audit targets. Organizations were selected to receive the OCR survey from a large database, and the survey itself will seek to determine whether each entity is an appropriate audit candidate by, for instance, verifying whether the organization is still in business. Not all surveyed entities will wind up being audited.
Ms. McAndrew’s announcement coincided with a notice in the February 24 Federal Register, which explains that OCR is planning an Information Collection Request (“ICR”) to “gather information about respondents to enable OCR to assess the size, complexity, and fitness of a respondent for an audit” including “recent data about the number of patient visits or insured lives, use of electronic information, revenue, and business locations.” Interested parties who wish to submit comments regarding this ICR must do so by April 25, 2014.
This HIPAA compliance audit program is a continuation of a pilot program launched in 2012, through which OCR audited 115 Covered Entities for HIPAA compliance. KPMG served as the contractor for the pilot program, but at this time, OCR does not plan to utilize a contractor for the upcoming round of audits.
Both Covered Entities and Business Associates are advised to use the next several months in advance of the audit program’s resumption to submit comments regarding the ICR if interested, to review their HIPAA compliance programs, and to address any potential HIPAA compliance gaps.