The Office for Civil Rights Wants You – Should You Be Afraid?

The Office for Civil Rights Wants You – Should You Be Afraid?

On February 24, 2014, the Office for Civil Rights announced a notice of intent to survey 1,200 HIPAA Covered Entities and Business Associates. This notice represents forward movement towards the re-engagement of auditing and enforcement of new HIPAA rules and requirements.

The information to be collected will include (but is not limited to) recent data about the number of patient visits, number of insured lives for carriers, use of electronic information, revenue, and business locations. The stated purpose of gathering the information is to assist the Office for Civil Rights (OCR) in creating a suitable HIPAA Audit Program. In essence, they’re looking to assess the size of the entity, how complex the organization is technologically and otherwise, and the financial fitness of the entity.

Why is OCR wanting to reach out and touch you? It’s quite possible OCR is responding to an unflattering Office of Inspector General report from December 2013 that found OCR to be deficient in a number of HIPAA and HITECH enforcement areas. To be fair, the time of the audit was for the period 2009 to 2011, and OCR had only received Security Rule oversight from HHS in 2009. That said, perception is reality, and OCR is upping it’s game. Collecting foundational data before defining it’s path is hardly unreasonable and will hopefully result in a more efficient and less detrimental audit process.

Despite the optimism, to many this will seem like more government intrusion into their business affairs. After all, this is yet another federal agency asking for revenue information and more on your organization. Although the notice itself, linked here, does not state that participation in the estimated 30 minute survey is compulsory, as covered entities and business associates, we don’t get the luxury of declaring ourselves exempt from HIPAA enforcement. While none of us like divulging information we consider confidential, this may not be the best place to draw your line in the sand, particularly because the effort could and should be ultimately beneficial to all of us.

Another perspective would be this is your chance to participate in crafting the process that you will potentially be subjected to – that is if you encounter a breach or your number comes up for the random audits they’ll be conducting.

Regardless of your perspective, HHS wants to hear from you. The comment window is open until April 25, 2014 and HHS is specifically requesting comments on

  • The necessity and utility of the proposed information collection for the proper performance of the agency’s functions,
  • The accuracy of the estimated burden,
  • Ways to enhance the quality, utility, and clarity of the information to be collected, and
  • The use of automated collection techniques or other forms of information technology to minimize the information collection burden.

We recommend taking advantage of the opportunity to share your input with this process. The more engaged we are now, the greater the likelihood the resulting audit process will be satisfactory to most of us. Submit your comments to or call 202-690-6162.