When asked if it will audit entities who report breaches of unsecured protected health information (PHI) affecting 500 or more individuals, OCR tells HealthLeaders Media it has not "determined how the HITECH audit requirement will be implemented."
HITECH requires OCR to post on its website those entities who report the 500-or-more patient information breaches.
As for breaches below the 500 mark, OCR says it does not intend to publish breach information on those reports.
"However," OCR says, "summary data will be included in OCR's annual report to Congress about breaches."
Though no enforcement plans have been announced regarding HITECH provisions, OCR says it is serious about it. OCR gained 36 FTEs dedicated to HIPAA privacy and security rule compliance and enforcement this fiscal year and is now up to 132.
OCR has obtained corrective action—meaning entities taking significant and important actions to change practices to come into compliance with the privacy rule—in more than 14,900 cases since 2003.
"They're focused clearly on compliance," McMillan says.
The CEO praised OCR for reaching out to the industry, and the general public, regarding its "Request for Information for Accounting of Disclosures Rulemaking."
In that May 3 Federal Register posting, OCR asks providers and the public several questions to help it produce a proposed rule on accounting of disclosures on EHRs; that HITECH provision is due out in June and gives patients greater rights to disclosures on their EHRs.
"They're engaged," McMillan says. "They're not afraid to talk about this. I think they're doing a lot more that most folks aren't seeing yet."