The office of US Department of Health and Human Services Secretary Kathleen Sebelius recently announced plans to perform "pre-audit" HIPAA compliance surveys of 800 Covered Entities and 400 Business Associates. Under the Health Information Technology for Economic and Clincial Health Act’s (HITECH Act) Final Rule, made effective in September 2013, business associates now are subject to the same kind of HIPAA compliance audits that covered entities have dealt with since 2011.
Although the Office for Civil Rights (OCR) is still retooling its 2011 HIPAA Audit Protocol to reflect the latest HIPAA rule changes and the expanded scope of its auditing powers, OCR already is preparing to identify business associates who may be audited. OCR's pre-audit surveys will gauge the size, complexity, and audit fitness of survey participants, focusing on the extent to which the surveyed entities utilize electronic records, along with the size of their business service areas and annual revenues.
OCR estimates that a business associate or covered entity selected to participate in a pre-audit survey will spend 30 to 60 hours responding to the survey. While OCR has not estimated a start date for actual audits, pre-audit surveys likely will begin by this summer or early fall. HHS is accepting comments on its proposed pre-audit survey process through April 25, 2014.
