On February 24, 2014, the Department of Health and Human Services (“HHS”) published a notice of its proposed collection of information in connection with its HIPAA audit efforts. Comments on the proposed collection request must be submitted by April 25, 2014.
The notice indicates HHS’s intent to survey up to 1,200 organizations, including both covered entities and business associates, to determine the organizations’ suitability for HIPAA audits by HHS. The survey will seek information about an organization’s patient visits, use of electronic information, revenue, and business locations, among other things. The notice hints that some sort of technology will be used to complete the survey, as HHS’s time estimate of 30-60 minutes to complete the survey includes the time needed to “develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information…”. The notice does not include details on the criteria HHS will use to select an organization for an audit.
One of the notable items of this notice is HHS’s announcement that this round of HIPAA surveys will include business associates as well as covered entites. This is a clear signal that HHS is getting serious about HIPAA compliance by all organizations who handle protected health information.
For more information about HIPAA audits and HIPAA enforcement, please contact Lee Kuo.
[…] In addition to releasing the Security Risk Assessment tool, HHS has created a helpful true/false statement with the Top 10 Myths of Security Risk Analysis. This document highlights the misconceptions regarding the risk assessment requirements, including that all covered entities and business associates (regardless of the size) must conduct a risk assessment pursuant to HIPAA. Importantly, though only eligible professionals are eligible for meaningful use incentives and Medicare payment adjustments, business associates must also comply with the HIPAA Security Rule pursuant to the HITECH Act. Therefore, business associates must also conduct security risk assessments, and per recent guidance from HHS, business associates are likely part of the next round of HIPAA audits. […]