OCR has apparently already identified “several hundred” covered entities (see “OCR supporting statement A“) to which it would like to administer the questionnaire this time around (out of an estimated 3 million covered entities).
OCR wants to select “an appropriate mix of size and complexity of entities to be audited” from a pool of no more than 500 potential covered entity auditees. It also projects administering the questionnaire to no more than 200 potential business associate auditees in 2015. (In 2012, 115 covered entities were audited. Seems like more audits will be conducted this time around.) Screening questionnaires will be administered at the outset of each future round of audits, which OCR helpfully notes will be conducted, per the HITECH Act, on a “periodic” basis.
Some day, the federales may even update the posted OCR audit protocol to reflect the Omnibus Final Rule and really, really enter into this next phase of auditing. Before that happens, all covered entities and business associates should make sure that HIPAA compliance policies, procedures and workforce training processes are fully implemented and documented. Can’t say I didn’t warn you.
Photo: Kufoleto via Wikimedia Commons CC