Federal regulators have completed work on a document that could terrify as many as a few dozen health insurance agents, brokers and consultants in the coming year: a “pre-audit screening questionnaire.”
The Office for Civil Rights (OCR), an arm of the U.S. Department of Health and Human Services (HHS), is creating the questionnaire in connection with an effort to audit keepers and users of protected health information for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) health data privacy and data security requirements.
OCR officials developed the pre-audit screening questionnaire to help OCR decide whether entities are “eligible candidates for HIPAA compliance audits.”
The entities that get the questionnaires “will provide basic descriptive information about their organization,” OCR officials say in a statement describing the questionnaire. “They will provide information including, but not limited to, a verification of being a covered entity, the type of health care organization, the number of patients, members or transactions, their use of technology, their total revenue per fiscal year and other questions.”
The HIPAA health information rules apply to “covered entities,” such as hospitals and health insurance companies.
The rules also apply to the “business associates” of the covered entities. The “business associate” category can include almost any type of entity that handles protected health information, ranging from accounting firms to medical transcription firms to benefit plan administrators. Most health insurers that sell products such as major medical coverage, Medicare supplement insurance, dental insurance or long-term care insurance require agents to accept responsibility for meeting the business associate requirements.
HHS OCR officials have already been auditing the covered entities. OCR officials have been talking about starting to audit the business associates. They have given a little new information about the business associate auditing program in a federal paperwork review packet.
For a look at what officials are saying in the packet, read on.
1. The likelihood of being chosen even to fill out the pre-screening questionnaire is low.
OCR officials expect to send the pre-screening questionnaire to only about 200 business associates per year, and the vast majority of the business associates will probably be entities outside the insurance and benefits communities.
Officials did not say how big they think the universe of business associates is, but they estimated that there are about 3 million entities in the covered entity universe. OCR officials expect to send only 500 pre-screening questionnaires to covered entities.
2. Filling out the pre-screening questionnaire may not take that long.
OCR officials do not estimate how much time business owners who get a pre-screening questionnaire will spend tossing and turning in bed at night, and having nightmares about what exactly happens during a HIPAA Phase 2 compliance audit.
But officials estimate that filling out the form itself should take a typical business associate entity only about half an hour.
3. OCR officials will be using the questionnaire to get potentially sensitive information from you.
The first page of the questionnaire asks an entity to provide its name, the name of the primary contact person at the entity, and the contact person’s e-mail address, telephone number and mailing address.
It’s conceivable that one risk of filling out the questionnaire is that the OCR investigators could get hacked: The U.S. Department of Health and Human Services Office of Inspector General (HHS OIG) reported in December 2013 that OCR investigators were doing a poor job of protecting the data they were using in their own investigations.