0945_ToSFC_050914SectionBStatMeth_OCRPreAuditSurv05072014

HIPAA Covered Entity and Business Associate Pre-Audit Survey

OMB: 0945-0007

B. Collection of Information Employing Statistical Methods.

1. Respondent Universe and Sampling Methods

OCR’s authority and mandate for conducting audits extends to all entities required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. This includes both covered entities (health plans, health care clearinghouses and most health care providers) and business associates of covered entities. Based on contract work performed for OCR in 2011, there may be as many as 3 million covered entities, comprising fewer than 100 clearinghouses, approximately 38 thousand health plans and health insurance issuers, and the balance health care providers. Among this universe, we intend to survey a sample large enough to enable selection from a diverse pool of covered entities for an audit. Because OCR has limited information about the universe of covered entities, the survey will be used to collect relevant information for further stratification (e.g., size, complexity) of entities prior to selection for an audit. Sample sizes will also derive directly from the number of audits OCR intends to conduct. For example, if we intend to audit 100 entities, we would select a sample size of 200 to 300 entities to respond to the survey.


There is currently no good approximation of the number of business associates. A covered entity is not required to have business associates, but to the extent a covered entity engages another entity to perform certain functions, the HIPAA Rules define the latter entity as a business associate. Because the number of business associates is a function of business decisions made by individual covered entities, we estimate that anywhere from zero to hundreds of business associates may be associated with any single covered entity. In 2013 rulemaking, we estimated that 1 – 2 million business associates existed.


We have not previously conducted this collection. During a separate activity asking covered entities that had been audited for feedback to evaluate the HIPAA audit program, a 100% response rate was achieved. We expect similar results.


2. Procedures for the Collection of Information

The Pre-Audit Survey will be used to collect information about selected respondents for purposes of assessing the fitness of the respondent to be audited by OCR. Information collected will not be used for extrapolation purposes; instead, it will be used to describe the universe, population, or strata to which the respondent belongs.


OCR anticipates use of the survey no more frequently than annually or as determined by program requirements. Generally, no entity will be expected or requested to respond to the survey more frequently than one time per audit program cycle.


Collection will be done through an online tool with instructions for answering the survey questions. No interviewers will be used.


Data validation would be performed only where a response appears improbable or nonsensical. No routine data validation is planned.


3. Methods to Maximize Response Rates and Deal with Nonresponse

Because OCR is the administrative and enforcement authority for the HIPAA Rules, we expect a high response rate from entities required to comply with the HIPAA Rules. For entities that do not respond, a follow-up email or phone call may be made depending upon the level of nonresponsiveness.


During a separate activity asking covered entities that had been audited for feedback to evaluate the HIPAA audit program, a 100% response rate was achieved. We expect similar results.


4. Tests of Procedures or Methods to be Undertaken

Only pilot tests involving fewer than 10 respondents will be performed.


5. Individuals Consulted on Statistical Aspects and Individuals Collecting and/or Analyzing Data

Development and analysis were done with existing OCR staff. Appropriate contacts are:


Linda Sanches

[email protected]

202-380-6587

Verne Rinker

[email protected]

202-205-0744



File Type: application/msword
Author: DHHS
Last Modified By: Linda.Sanches
File Modified: 2014-05-07
File Created: 2014-05-07