Supporting Statement for OCR HIPAA Audit Covered Entity Survey
A. Justification
Circumstances Making the Collection of Information Necessary
The Office for Civil Rights (OCR), Department of Health and Human Services, is currently conducting a review of the HIPAA Audit program to determine its efficacy in assessing the HIPAA compliance of covered entities. This information collection from covered entities via an on-line survey is part of that review. It will be used to:
measure the effect of the HIPAA Audit program on covered entities;
gauge their attitudes towards the audit overall and in regard to major audit program features, such as the document request, communications received, the on-site visit, the audit-report findings and recommendations;
obtain estimates of costs incurred by covered entities, in time and money, spent responding to audit-related requests;
seek feedback on the effect of the HIPAA Audit program on the day-to-day business operations; and
assess whether improvements in HIPAA compliance were achieved as a result of the audit program.
The information, opinions, and comments collected using the information collection will be used to produce recommendations for improving the HIPAA Audit program. The HIPAA Audit program is mandated under Section 13411 of the HITECH Act (42 U.S.C. 17940): “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.” A copy of this regulation is attached in Appendix A.
While the regulation does not specifically mandate the evaluation of the audit program, the receipt of feedback from the audited covered entities as proposed in this collection of information is critical for the improvement and evaluation of efficacy of the audits.
Purpose and Use of Information Collection
The information obtained from this information collection will be summarized in a report to be used internally by OCR. More specifically, the collected information will be used to evaluate the effectiveness and industry reception of the HIPAA audit program and provide insights into post-audit actions of covered entities. Based on the collected information, the HIPAA audit protocol may be revised to improve the administration of the audits and reduce audit burden on covered entities, while ensuring that the integrity of the audits is maintained. This one-time information collection will inform OCR’s decisions on how to conduct future audits and improve industry HIPAA compliance.
Use of Improved Information Technology and Burden Reduction
The information collection will be performed via an online survey of all (100%) 115 entities. Covered entities will be contacted via email and it is anticipated that all of them will have access to computer and internet. The online information collection mode was chosen to minimize the burden to respondents.
Efforts to Identify Duplication and Use of Similar Information
OCR is the sole entity with responsibility for administration and enforcement of the HIPAA Privacy and Security Rules and execution of associated audits. There is no duplicative information available elsewhere on the effects on/reception of the health care industry of the HIPAA audits. In addition, no other activities are planned or ongoing that could assess the effect of the OCR HIPAA audits on covered entities.
Impact on Small Businesses or Other Small Entities
Small organizations (such as individual physicians) are among the potential respondents. However, OCR has carefully designed its collection instrument to ensure that the information requested is necessary and places minimal burden on the respondents. OCR does not anticipate a significant burden to any individual small business or organization.
Consequences of Collecting the Information Less Frequent Collection
The information collection is a one-time event and therefore cannot be conducted less frequently.
There are no legal obstacles to reduce the burden.
Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
None of the listed special circumstances apply to the proposed collection of information. The information collection fully complies with the regulation.
Comments in Response to the Federal Register Notice/Outside Consultation
As required by 5 C.F.R. § 1320.8(d), OCR published a notice seeking public comment on the proposed collection of information. See 78 Fed. Reg. 16,857 (March 19, 2013). A copy of the publication is attached as Appendix B.
OCR received two comments in response to the Federal Register notice. The full text of these comments is attached in Appendix C; the following summarizes the content of comments received:
Respondent 1 filed a complaint stating that the responsibility of protecting patient safety and patient civil rights should lie with the federal government and not just state and local boards.
Respondent 2 stated that individuals should have access to all information kept within their medical record, including the names of the healthcare professionals that have accessed those records.
As both comments were unrelated to the proposed information collection, OCR has not made any changes to the information collection instrument or burden estimates based on these public comments. However, changes to the information collection instrument and response burden were made based on the feedback that OCR solicited from three covered entities that were audited in 2012.
OCR piloted the information collection instrument by asking three audited, covered entities to complete the online survey and provide their feedback about the survey instrument. The table lists the time it took the entities to complete the survey, including time for reviewing instructions. It took each respondent approximately 15 minutes to complete the survey. As a result of subsequent discussions with these respondents, OCR has revised the per-covered-entity time burden to reflect a range of 15 to 40 minutes. This is because some large organizations may have two people who oversee HIPAA compliance (e.g., a privacy officer and a security officer) who may need to collaborate when submitting their organization’s response. That is, a single response/form will be requested from each covered entity, but both individuals may spend time when preparing the response. In cases where two individuals collaborate to submit requested information, OCR calculated the time required as 15 minutes/individual x 2 individuals + 10 minutes for collaboration = 40 minutes.
Healthcare Administrators contacted in 2013 |
Completion Time (hours) |
Doreen Espinoza Chief Business Development and Privacy Officer Utah Health Information Network 801-466-7705 x 210 |
15/60 |
Leyla Erkan Corporate Compliance & Privacy Officer Rehabilitation Institute of Chicago lerkan@ric.org 312-238-7032 |
15/60 |
Jessica Arvantis Director of Corporate Compliance Catholic Medical Center 603-663-6651 |
20/60 |
Original Estimate (hours) |
2 |
Revised Estimate (hours) |
15/60 to 40/60 |
The respondents from the entities participating in the pilot also provided feedback on the clarity, structure, and effectiveness of survey instrument. Several changes were made to the information collection instrument as a result of their feedback. The revised instrument is attached in Appendix D.
Explanation of any Payment/Gift to Respondents
No payments or gifts will be provided to respondents.
Assurance of Confidentiality Provided to Respondents
No assurance has been provided to respondents regarding the confidentiality of the responses. However, in order to promote participation in the survey the following assurance will be given: “Information obtained from you will be used only to assess the HIPAA Audit program and will not be used to assess your entity’s HIPAA compliance or affect your entity’s chances of selection for future audits.”
Justification for Sensitive Questions
No information of sensitive nature will be collected.
Estimates of Annualized Hour and Cost Burden
In calculating this estimate, OCR made the following assumptions:
First, 115 covered entities (consisting of healthcare providers, health plans, and clearinghouses) comprise the universe of audited entities in 2012. All 115 will be surveyed and the burden is calculated assuming 100% participation rate.
Second, the median wage of an administrator in the health care industry is $40.52 per hour based on Department of Labor data. OCR used this median wage per hour to calculate the costs of the information request, assuming that a healthcare administrator will be responsible for collecting and providing the information requested.
Finally, the initial estimated number of hours for respondents (i.e., a single, audited, covered entity) to complete the survey was revised based on the actual completion times recorded when three health care administrators at audited, covered entities completed the survey during the pilot, as described in item 8. The estimate below is based on 57 entities having an average response time of 15/60 hours and 58 entities having an average response time of 40/60 hours. The split is based upon our knowledge of the respondents.
The total estimated time burden is shown in the table below.
Estimated Annualized Burden Hours
Type of Respondent
|
Form Name
|
No. of Respondents |
No. Responses per Respondent |
Average Burden per Response (in hours) |
Total Burden Hours |
Covered Entity Privacy and Security Officer(s) |
OCR HIPAA Audit Evaluation Survey |
115 |
1 |
0.45 (or 27 mins) |
52.5 |
Total |
|
|
|
|
52.5 |
The total annualized costs listed below were determined from the estimated burden hours in the above table multiplied by the average wage rate of $40.52 per hour.
Estimated Annualized Burden Costs
Type of Respondent
|
Total Burden Hours
|
Hourly Wage Rate
|
Total Respondent Costs
|
Covered Entity Privacy and Security Officer(s) |
52.5 |
$40.52 |
$2,127.30 |
Total |
|
|
$2,127.30 |
Estimates of other Total Annual Cost Burden to Respondents or Recordkeepers/Capital Costs
There are no capital, start-up, operation, maintenance, or other similar costs to respondents.
Annualized Cost to Federal Government
The cost to the Federal Government will be approximately $85,000. A contractor will design and implement the information request, conduct the surveys, and analyze the data. The cost of contractor services will be $79,000. In addition, the OCR staff time necessary to identify a contractor and to assist the contractor in completing its duties will require approximately 20% of a GS-14 for 3 months (5% effective FTE effort) or approximately $6,000, based on salary alone. The cost of OCR staff time is an estimate because factors, such as number of staff involved and actual time required, will vary. Other occupational expenses, such as equipment, overhead, and support staff expenses, would have occurred without these collection of information requirements and are considered normal OCR operating expenses.
Explanation for Program Changes or Adjustments
This is a new information request.
Plans for Tabulation and Publication and Project Time Schedule
The results of the survey will be used to prepare a report for internal use by OCR. The collection of information will begin after completion of the OMB review process and incorporation of any OMB-requested changes. A timeline for the proposed information collection and subsequent analysis is included below. Note that in order to meet vendor-contractual obligations; it is vital that the collection of information begin no later than on July 1, 2013.
Task |
Timeline |
OCR/Contractor Committed Timeline |
Perform information collection (i.e., field online survey) |
6 weeks following OMB approval |
July 1, 2013 – August 9, 2013 |
Analyze and summarize survey results |
4 weeks following close of survey |
August 12, 2013 – September 6, 2013 |
Summary report due |
|
September 6, 2013 |
Reason(s) Display of OMB Expiration Date is Inappropriate
OCR is not seeking such approval.
Exceptions to Certification for Paperwork Reduction Act Submissions
There are no exceptions to the certification.
B. COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS
The agency should be prepared to justify its decision not to use statistical methods in any case where such methods might reduce burden or improve accuracy of results.
Neither statistical sampling nor statistical techniques will be employed when administering this information collection. Due to the small population size (115 covered entities), substantial heterogeneity in the types of covered entities (e.g., clearinghouses, health plans, group practices, and individual physicians), and variability in the types/number of audit findings (e.g., privacy, security, and breach notification), all of the covered entities will be surveyed to ensure proper representation.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Modified | 0000-00-00 |
File Created | 0000-00-00 |