Following issuance of the landmark HIPAA Omnibus Rule in 2013, the Office for Civil Rights (OCR) is now gearing up for another round of HIPAA privacy and security rule audits, targeting 1,200 firms — both covered entities and business associates.

Specifically, the audits will focus on 800 covered entities and 400 business associates, but the number represents "an oversupply," according to Susan McAndrew, OCR deputy director for health information privacy.

Yesterday, OCR published a notice in the Federal Register, explaining that it will survey "up to 1,200 covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program."

In other words, the list of 1,200 could easily shrink in practice as company information is collected, including "recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations."

HIPAA stands for the Health Insurance Portability and Accountability Act. The privacy and security rules associated with HIPAA involve the collection, protection, storage, transmission and security of patients' protected health information, or PHI.

To better understand your company's responsibilities under HIPAA and its rules and regulations, please get a copy of our comprehensive HIPAA Compliance Program.