Supporting Statement for OCR HIPAA Covered Entity and Business Associate Pre-Audit Screening Questionnaire for OMB Review and Approval under the Paperwork Reduction Act and 5 CFR 1320
Date: March 12, 2015
Department of Health and Human Services
Office for Civil Rights
Point of Contact:
Linda Sanches
Supporting Statement for OCR HIPAA Covered Entity and Business Associate Pre-Audit Screening Questionnaire
A. Justification
Circumstances Making the Collection of Information Necessary
The Office for Civil Rights (OCR) is required to conduct periodic audits of HIPAA covered entities and business associates to assess their compliance with the HIPAA Privacy, Security and Breach Notification Rules. OCR is only capable of auditing a limited subset of the overall population of covered entities and business associates and needs information about each entity to assess whether an entity is appropriate to be audited. An initial pool of several hundred covered entities has been selected from entity-specific databases (e.g., the National Provider Identifier). The Pre-Audit Screening Questionnaire will enable OCR to determine characteristics about a given entity in relation to the overall sample pool of potential auditees and select the entities that best fit OCR criteria for OCR’s desired auditee population. Generally, OCR is looking to obtain an appropriate mix of size and complexity of entities to be audited.
Although some information about entities maybe available online or through public or private (for-pay) resources, this information may be dated and/or involve significant cost to the government for more information than would be useful. Other information useful for entity selection purposes relates to characteristics and activities of a given organization which generally is not available through external sources. Also note that the covered entity population exceeds 3 million entities for which OCR is likely to continue to focus on a small subpopulation. Audits conducted in 2012 were only for 115 covered entities.
The HIPAA Audit program is mandated under Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act (42 U.S.C. 17940) of the American Recovery and Reinvestment Act (ARRA): “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.”
Purpose and Use of Information Collection
Responses to the Pre-Audit Screening Questionnaire will be used in combination with other information to identify covered entities and business associates that meet criteria for OCR audits.
The questionnaire respondent will provide basic descriptive information about their organization. They will provide information including, but not limited to a verification of being a covered entity, the type of health care organization, the number of patients, members or transactions, their use of technology, their total revenue per fiscal year and other questions to assist OCR in determining if they are eligible candidates for HIPAA compliance audits.
This information collection has not been requested before by OCR. If this data is not collected, OCR will be unable to appropriately select entities that are subject to the mandate to periodic HIPAA compliance audits.
The requirement to conduct audits is on a periodic basis. OCR intends to use the information collection at the outset of any specified period of audits.
Use of Improved Information Technology and Burden Reduction
The information collection will be performed via an online screening questionnaire. Covered entities will be contacted via email and it is anticipated that all of them will have online access for responding. The online information collection mode was chosen to minimize the burden to respondents. The questionnaire incorporates skip patterns so that the respondent will only see questions relevant to its particular entity type.
Efforts to Identify Duplication and Use of Similar Information
OCR is the sole entity with responsibility for administration and enforcement of the HIPAA Privacy, Security, and Breach Notification Rules and execution of associated audits. There is no duplicative information available elsewhere regarding the effects on or the reception of the health care industry of the HIPAA audits. In addition, no other activities are planned or ongoing that could assess the effect of the OCR HIPAA audits on covered entities.
Impact on Small Businesses or Other Small Entities
Small businesses and small entities (such as physicians and dentists) are among the expected respondents. OCR has carefully designed its collection instrument to ensure that the information requested is necessary and the absolute minimum data to be collected for the purpose of assessing the size and complexity of respondents. For example, some questions are not applicable to physicians or dentists that do not have in-patient beds or do not perform other functions that the collection instrument requests responses for; these questions do not require responses by the small business or small entity.
Consequences of Collecting the Information Less Frequent Collection
The information collection is a one-time, baseline query for the potential auditees to assess fitness for being audited and therefore cannot be conducted less frequently than one time per round of audits. It is the initial step in the auditee selection process. If this collection is not conducted or is conducted less frequently, OCR will be unable to select an appropriate range of entities, wasting time and money beginning formal engagements and ending engagements when entities are determined to not meet the desired auditee criteria. There are no legal obstacles to reduce the burden.
Respondents will respond to the data collection one-time only for a given round of OCR audits. OCR makes efforts to not duplicate audits for prior audited covered entities, meaning that OCR would not send a pre-audit screening questionnaire to an entity that was audited in recent years. However, an entity may be asked to respond to a pre-audit screening questionnaire during a subsequent round of OCR audits.
Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
None of the listed special circumstances apply to the proposed collection of information. The information collection fully complies with the regulation.
Comments in Response to the Federal Register Notice/Outside Consultation
The Federal Register Notice was published on February 24, 2014 (79 FR 10158 – 10159). No comments have been received to date.
Explanation of any Payment/Gift to Respondents
No payments or gifts will be provided to respondents.
Assurance of Confidentiality Provided to Respondents
No assurance has been provided to respondents regarding the confidentiality of the responses. The screening questionnaire states, “Data will be kept private to the extent allowed by law.”
Justification for Sensitive Questions
No information of sensitive nature will be collected.
Estimates of Annualized Hour and Cost Burden
In calculating this estimate, OCR made the following assumptions:
Up to 500 covered entities (consisting of healthcare providers, health plans, and clearinghouses) comprise the universe of potential covered entity auditees in 2015. The burden is calculated assuming 500 respondents and 100% participation rate.
Up to 200 business associates comprise the universe of potential business associate auditees in 2015. The burden is calculated assuming 200 respondents and 100% participation rate
The median wage of a medical and health services manager in the health care industry is $47.34 per hour based on Department of Labor data. OCR used this mean wage per hour to calculate the costs of the information request, assuming that a healthcare administrator will be responsible for collecting and providing the information requested.
The total estimated time burden is shown in the table below.
Estimated Annualized Burden Hours
Type of Respondent
|
Form Name
|
No. of Respondents |
No. Responses per Respondent |
Average Burden per Response (in hours) |
Total Burden Hours |
Covered Entity Administrator or Privacy Officer(s) |
OCR Pre-Audit Screening questionnaire |
500 |
1 |
0.5 (or 30 mins) |
250 |
Business Associate Administrator |
OCR Pre-Audit Screening questionnaire |
200 |
1 |
0.5 (or 30 mins) |
100 |
Total |
|
|
|
|
350 |
The total annualized costs listed below were determined from the estimated burden hours in the above table multiplied by the average wage rate of $47.34 per hour.
Estimated Annualized Burden Costs
Type of Respondent
|
Total Burden Hours
|
Hourly Wage Rate
|
Total Respondent Costs
|
Covered Entity Administrator or Privacy Officer(s) |
250
|
$47.34 |
$11,835 00 |
Business Associate Administrator |
100 |
$47.34 |
$4,734.00 |
Total |
|
|
$16,569.00 |
Estimates of other Total Annual Cost Burden to Respondents or Recordkeepers/Capital Costs
There are no capital, start-up, operation, maintenance, or other similar costs to respondents.
Annualized Cost to Federal Government
The cost to the Federal Government will be approximately $85,000. OCR will design and implement the information request, conduct the screening questionnaires, and analyze the data. The OCR staff time necessary to complete these activities will require approximately 20% of a GS-14 for 3 months (5% effective FTE effort) or approximately $6,000, based on salary alone. The cost of OCR staff time is an estimate because factors, such as number of staff involved and actual time required, will vary.
Other occupational expenses, such as equipment, overhead, and support staff expenses, would have occurred without these collections of information requirements and are considered normal OCR operating expenses.
OCR intends to use an online screening questionnaire tool and solicit responses by email, thus eliminating postage and other fees associated with mailing the screening questionnaire.
Explanation for Program Changes or Adjustments
This is a new data collection.
Plans for Tabulation and Publication and Project Time Schedule
The results of the screening questionnaire will be used for selection of auditees in 2015 and future audits. The collection of information will begin after completion of the OMB review process and incorporation of any OMB-requested changes.
There are no plans to publish, tabulate or manipulate the information collection requirements. This includes no plans to publish hard copies or on the Internet. Results will be used for internal OCR operations only.
Reason(s) Display of OMB Expiration Date is Inappropriate
OCR is not seeking such approval.
Exceptions to Certification for Paperwork Reduction Act Submissions
There are no exceptions to the certification.
| File Type | application/msword |
| File Title | How to Write and Submit |
| Author | CMS |
| Last Modified By | Linda.Sanches |
| File Modified | 2015-03-12 |
| File Created | 2015-03-12 |