OMB cleared the HIPAA pre-audit survey late last week. (H/T LifeHealthPro.) That is one crucial prerequisite to OCR's initiation of the new round of HIPAA audits that have been the subject of all the Delphic prophecies we keep hearing (the survey is required to collect information about covered entities and their business associates, since this round of audits is supposed to include a look at business associates . . . and OCR won't know who's a business associate unless they ask covered entities).
OCR has apparently already identified "several hundred" covered entities (see "OCR supporting statement A") to which it would like to administer the questionnaire this time around (out of an estimated 3 million covered entities).
OCR wants to select "an appropriate mix of size and complexity of entities to be audited" from a pool of no more than 500 potential covered entity auditees. It also projects administering the questionnaire to no more than 200 potential business associate auditees in 2015. (In 2012, 115 covered entities were audited. Seems like more audits will be conducted this time around.) Screening questionnaires will be administered at the outset of each future round of audits, which OCR helpfully notes will be conducted, per the HITECH Act, on a "periodic" basis.
Some day, the federales may even update the posted OCR audit protocol to reflect the Omnibus Final Rule and really, really enter into this next phase of auditing. Before that happens, all covered entities and business associates should make sure that HIPAA compliance policies, procedures and workforce training processes are fully implemented and documented. Can't say I didn't warn you.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting
