Reinstatement with Change
Supporting Statement for HIPAA Audit Review Survey
OMB # 0945-0005
Justification
Circumstances Making the Collection of Information Necessary
The HHS Office for Civil Rights (OCR) is requesting OMB approval for reinstatement with change of previously approved collection OMB No. 0945-0005 for its voluntary Health Insurance Portability and Accountability Act (HIPAA) Audit Review Survey to HIPAA regulated entities that participated in the 2016-2017 OCR HIPAA Audits.
Section 13411 of the HITECH Act (42 U.S.C. 17940) provides that “The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.” A copy of this authority is attached in Appendix A. In 2016-2017, OCR conducted an audit of 166 HIPAA covered entities’ and 41 business associates’ compliance with selected provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The individual audit results were given to each auditee, and an industry report of the general results was published in 2020.
The information collection consists of 39 voluntary on-line survey questions that will be used to:
measure the effect of the 2016-2017 HIPAA Audits on covered entities’ and business associates’ subsequent actions to comply with the HIPAA Rules;
provide entities with an opportunity to give feedback on the Audit and its features, such as the helpfulness of HHS’ guidance materials and communications, the utility of the online submission portal, whether the Audit helped improve entity compliance, and the entities’ responses to the Audit-report findings and recommendations;
provide OCR with information on the burden imposed on entities to collect audit-related documents and to respond to audit-related requests; and
seek feedback on the effect of the HIPAA Audit program on the entities’ day-to-day business operations.
The information, opinions, and comments collected using the information collection will be used to improve future OCR HIPAA Audits. While the HITECH Act does not specifically mandate the evaluation of HIPAA Audits, the U.S. Government Accountability Office (GAO) recommended that OCR develop performance measures and the receipt of feedback from the audited entities as proposed in this collection of information is critical for the improvement and evaluation of the Audits.
Purpose and Use of Information Collection
The information obtained from this information collection will be used to evaluate the effectiveness and industry reception of the 2016-2017 HIPAA Audits and provide insights into post-Audit actions of covered entities and business associates. The collected information may be used to revise the HIPAA Audit protocol and make improvements in future OCR HIPAA Audits, including, OCR’s communication materials and guidance documents, the administration of the Audits, and reduction of the Audit burden on covered entities and business associates. This information collection will also inform OCR’s decisions on how to conduct future Audits and improve industry HIPAA compliance.
Use of Improved Information Technology and Burden Reduction
The information collection will be performed via an online survey sent to all (100%) 207 entities. Covered entities and business associates will be contacted via email. The online information collection mode was chosen to minimize the burden to respondents.
Efforts to Identify Duplication and Use of Similar Information
OCR is responsible for administration and enforcement of the HIPAA Privacy, Security, and Breach Notification Rules and execution of associated Audits. No information has been previously collected from Audited entities on the effects of the 2016-2017 Audit to the healthcare industry and the industry’s reception of the HIPAA Audits. In addition, no other activities are planned or ongoing that could assess the effect of the 2016-2017 HIPAA Audits on covered entities and business associates.
Impact on Small Businesses or Other Small Entities
Small organizations (such as individual physicians) are among the potential respondents. However, OCR has carefully designed its collection instrument to ensure that the information requested is necessary and places minimal burden on the respondents. Furthermore, the HIPAA Audit Review Survey consists of only 39 questions, of which the majority are multiple choice. OCR does not anticipate a significant burden to any individual small business or organization.
Consequences of Collecting the Information Less Frequent Collection
The information collection is a one-time event and therefore cannot be conducted less frequently.
There are no legal obstacles to reduce the burden.
Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
There are no additional special circumstances for collecting this information.
Comments in Response to the Federal Register Notice/Outside Consultation
As required by 5 C.F.R. § 1320.8(d), OCR published a notice seeking public comment on the proposed collection of information. See 89 Fed. Reg. 9857 (February 12, 2024). A copy of the publication is attached as Appendix B.
Explanation of any Payment/Gift to Respondents
OCR does not provide any payments or gifts to respondents.
Assurance of Confidentiality Provided to Respondents
No assurance has been provided to respondents regarding the confidentiality of the responses. However, in order to promote participation in the survey the following statement will be provided: “The survey is anonymous, and we encourage your open and honest feedback. Your participation in this survey will help OCR evaluate the effectiveness of the last audit and identify areas of improvement for future audits.”
Justification for Sensitive Questions
OCR will not ask questions of sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.
Estimates of Annualized Hour and Cost Burden
In calculating this estimate, OCR made the following assumptions:
First, 166 covered entities (consisting of healthcare providers, health plans, and clearinghouses) and 41 business associates comprise the universe of audited entities in 2016-2017. All 207 entities will be asked to complete the voluntary survey, and the burden is calculated assuming 100% participation rate.
Second, the median wage of a medical and health services manager in the health care industry is $53.21 per hour based on U.S. Bureau of Labor Statistics data for 2023 (the most recent data available at the time of drafting).1 OCR used this median wage per hour, which we doubled to account for benefits, to calculate the costs of the information request, assuming that a healthcare manager will be responsible for collecting and providing the information requested.
The estimate below is based on 207 entities having an average response time of 45 minutes.
The total estimated time burden is shown in the table below.
Estimated Annualized Burden Hours
Type of Respondent (If necessary) |
Form name
|
Number of Respondents |
Number of Responses per Respondent |
Average Burden per Response (in hours) |
Total Burden Hours |
Covered Entity Privacy and Security Officer(s) or Administrators |
OCR HIPAA Audit Participant Survey |
166 |
1 |
45/60 |
124.5 |
Business Associate Privacy and Security Officer(s) or Administrators |
OCR HIPAA Audit Participant Survey |
41 |
1 |
45/60 |
30.75 |
Total |
|
|
|
|
155.25 |
The total annualized costs listed below were determined from the estimated burden hours in the above table multiplied by the fully loaded average wage rate of $106.42 per hour.
Estimated Annualized Burden Costs
Type of Respondent
|
Total Burden Hours
|
Hourly Wage Rate
|
Total Respondent Costs
|
Covered Entity Privacy and Security Officer(s) or Administrators |
124.5 |
$106.42 |
$13,249.29 |
Business Associate Privacy and Security Officer(s) or Administrators |
30.75 |
$106.42 |
$3,272.42 |
Total |
155.25 |
$106.42 |
$16,521.71 |
Estimates of other Total Annual Cost Burden to Respondents or Recordkeepers/Capital Costs
There are no capital, start-up, operation, maintenance, or other similar costs to respondents.
Annualized Cost to Federal Government
OCR estimates that approximately 80 hours of federal workforce time will be utilized for the creation and processing of this survey, including the review of received survey responses. The cost of OCR staff time is an estimate because factors, such as number of staff involved and actual time required, will vary. Other occupational expenses, such as equipment, overhead, and support staff expenses, would have occurred without these collection of information requirements and are considered normal OCR operating expenses. OCR is using estimated hourly rates for federal employees at multiple levels from the 2024 General Schedule and Executive and Senior Executive Schedule to account for the work performed by multiple federal staff. Total costs to the government are estimated at $8,847.
Explanation for Program Changes or Adjustments
OCR’s revisions to the HIPAA Audit Review Survey reflect an effort to streamline, simplify, and clarify the questions and responses in this information collection. To this end, OCR has modified most responses to a binary “yes” or “no”. OCR has also included additional free form text boxes to ensure that covered entities and business associates are able to share additional feedback on the Audit program.
Plans for Tabulation and Publication and Project Time Schedule
The results of the survey will be for internal use by OCR and will not be published.
Reason(s) Display of OMB Expiration Date is Inappropriate
OCR is not seeking such approval.
Exceptions to Certification for Paperwork Reduction Act Submissions
There are no exceptions to the certification.
COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS
The agency should be prepared to justify its decision not to use statistical methods in any case where such methods might reduce burden or improve accuracy of results.
Neither statistical sampling nor statistical techniques will be employed when administering this information collection. Due to the small population size (207 covered entities and business associates), substantial heterogeneity in the types of covered entities and business associates (e.g., clearinghouses, health plans, group practices, and individual physicians), and variability in the types/number of audit findings (e.g., privacy, security, and breach notification), all covered entities and business associates that participated in an OCR Audit in 2016-2017 will be surveyed to ensure proper representation.
Appendix A – Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
Appendix B – Agency Information Request; 60 Day Public Comment Request, 89 Fed. Reg. 9857 (February 12, 2024)
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Modified | 0000-00-00 |
| File Created | 2024-07-20 |