HHS Releases a New Security Risk Assessment Tool

Posted by Health Law Informer Author on April 29, 2014
HHS, HIPAA

The Department of Health and Human Services (HHS) recently released a new security risk assessment (SRA) tool for small- to medium-sized health care providers. HIPAA requires covered entities to conduct periodic assessments of the administrative, physical, and technical safeguards in their handling of protected health information. This new tool will help health care providers conduct and document risk assessments and produce a report that can be provided to potential auditors.

The tool was created jointly by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office of Civil Rights (OCR), and its release precedes OCR’s expected launch of a permanent HIPAA audit program. The OCR has previously identified security risk assessments as an area of consistent weakness among covered entities and has said it will be a particular focus for auditors.

Entities using the new tool will be asked 156 “yes” or “no” questions. Each question addresses a specific HIPAA requirement, and additional resources are provided with each question to help providers better understand the language and requirements of the associated HIPAA security rule. In the event that a provider answers “no” or cannot answer an applicable question, the provider must note the need for corrective action and implement a plan immediately.

Providers can download the SRA Tool and additional guidance here. The ONC plans to make updates and improvements to the tool after an initial period of use. Comments regarding the SRA Tool may be submitted here until June 2, 2014.

HIPAA Audits Set to Begin in 2014: Another Enforcement Mechanism for HIPAA Compliance

Posted by Health Law Informer Author on March 07, 2014
HIPAA

The Department of Health and Human Services (HHS) is expected to launch its long-awaited HIPAA audit program sometime in 2014. The audit program will be run by HHS’ Office of Civil Rights (OCR), which is likely eager to get the program going after being criticized in a report from HHS’ Office of Inspector General (OIG) last year for not conducting sufficient audits as mandated by the HITECH Act. This public reprimand gives OCR an added incentive to make sure its HIPAA audit program is active and effective.

In terms of how the permanent audit program will operate, OCR has indicated that it will differ from the pilot program that ran from 2011 to 2012. During the pilot, 115 covered entities were audited, and each of them endured lengthy and detailed investigations into the entity’s compliance with nearly all aspects of the HIPAA rules. The director of OCR, Leon Rodriguez, has said that the plan moving forward is to audit many more entities, including business associates, but to make each audit narrower and more targeted. A note of caution, however, is that OCR has previously stated that audits that uncover significant noncompliance with HIPAA could prompt an investigation by OCR.

So what are the big areas of interest for OCR? This will become clearer as the audits get underway, but we do know at least two of the topics that have OCR’s attention: security risk analysis and business associate compliance. Director Rodriguez has said that risk analysis was an area of consistent weakness among entities audited during the pilot program and that “one focus in the audits will be on risk analysis.” Every covered entity and business associate must conduct a thorough review of the security of PHI in its organization and examine all facilities and operations to see where PHI flows in and where it flows out. Everything from computer encryption to office traffic patterns to off-hours use of mobile devices has to be analyzed and plans must be put in place to address any holes in security.

For more information about the audit program: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html

CMS Solicits Comments on How to Impose Penalties for Failure to Comply with the MSP Act’s Reporting Requirements

Posted by Health Law Informer Author on December 19, 2013
Medicaid, Medicare

On December 11, 2013, the Centers for Medicare & Medicaid Services (CMS) published an advance notice of proposed rulemaking concerning the circumstances under which civil money penalties may be imposed for failure to comply with the Medicare Secondary Payer Act (the “MSP Act”) Section 111 reporting requirements. Section 111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007 amended the MSP Act by establishing mandatory reporting requirements for certain group health plans (GHPs) and for liability insurance (including self-insurance), no-fault insurance, and workers’ compensation arrangements (collectively, NGHPs). The Section 111 amendments require GHPs and NGHPs to notify CMS when they pay a claim on behalf of a Medicare beneficiary. Failure to comply with the reporting requirements resulted in a civil monetary penalty of $1,000 for each day of noncompliance.

The Strengthening Medicare and Repaying Taxpayers Act of 2012 (the “SMART Act”) amended the penalty provision of the Section 111 reporting requirements by stating that applicable plans that fail to comply with the reporting requirements may be subject to a civil monetary penalty of up to $1,000 per day of noncompliance. Thus, the SMART Act made the penalty discretionary instead of mandatory and allowed for penalties below $1,000. As a result, CMS is soliciting public comments and proposals on the practices for which civil monetary penalties may or may not be imposed. Specifically, CMS is seeking comments on how to define “noncompliance” with the reporting requirements; what mechanisms and criteria should be used to evaluate whether a civil money penalty can be imposed; what methods should be used to determine the dollar amount of such a penalty; and what actions on the part of a primary payer would constitute a “good faith effort” to identify a Medicare beneficiary for purposes of reporting under the MSP Act. Comments can be submitted to CMS until February 10, 2014.

Ruminations on Observation: OIG Report Highlights Inpatient vs. Observation Status

Posted by Health Law Informer Author on August 22, 2013
Medicaid

On July 29, 2013, the OIG released a memorandum report finding that Medicare paid more on average for short inpatient stays than for observation stays in 2012. The report, Hospitals’ Use of Observation Stays and Short Inpatient Stays for Medicare Beneficiaries, OEI-02-12-00040, touches on observation versus inpatient status, which has been and continues to be a hot button issue.

Background

Medicare beneficiaries receiving care at a hospital are classified as either inpatients or observation patients. Observation patients are outpatients who receive treatments and assessments to determine whether they require further treatment as inpatients or can be discharged. CMS policy provides that observation services are usually needed for 24 hours or less.

THE CLOCK IS TICKING: Covered Entities, Business Associates and Subcontractors Have Until September 23, 2013 to comply with Updated HIPAA Regulations

Posted by Health Law Informer Author on June 27, 2013
HIPAA, HITECH

As we’ve discussed in previous articles,[1] and as you are no doubt aware by now, the Health Insurance Portability and Accountability Act (HIPAA) recently received a significant facelift. In addition to extending direct liability to business associates and subcontractors, the updated HIPAA regulations (Updated Regulations), which were authorized by the Health Information Technology for Economic and Clinical Health Act (HITECH), contain many new provisions to address growing privacy concerns for the increasing amount of protected health information (PHI) stored on electronic media. Covered entities and their business associates and subcontractors must comply with the Updated Regulations by September 23, 2013. In order to help you prepare for the September 23, 2013 compliance deadline, this article (1) explains the difference between two important compliance deadlines contained in the Updated Regulations, (2) suggests a 5-step process to efficiently update and/or create compliant HIPAA policies and procedures, and (3) discusses a few observations we’ve made as we’ve helped our clients prepare for the September 23, 2013 compliance deadline.

Screen Early, Screen Often: OIG Updates its Advice on How to Avoid Liability for Employing or Contracting with Individuals Excluded from Participation in Federal Health Care Programs

Posted by Health Law Informer Author on June 03, 2013
Fraud and Abuse, Medicaid, Medicare

On May 8, 2013, the Office of Inspector General (“OIG”) of the Department of Health & Human Services issued an updated Special Advisory Bulletin (the “Updated Bulletin”)[1] on the effect of exclusion from participation in Medicare, Medicaid and other Federal health care programs (collectively, “FHPs”). The Updated Bulletin, which replaces and supersedes guidance originally provided by OIG in a 1999 Special Advisory Bulletin (the “1999 Bulletin”), details OIG’s broad interpretation of the scope and effect of its exclusion authority under the Civil Monetary Penalties Law (“CMPL”).[2] The Updated Bulletin addresses many of the questions OIG has received about exclusions and purports to convey insight gained from resolving self-disclosure cases since publishing the 1999 Bulletin.

UPDATE: Congress Drafts Legislation that would Expand the FDA’s Role in Regulating Compounding Pharmacies

Posted by Health Law Informer Author on May 02, 2013
Food and Drug Law, Pharmacy

UPDATE

The Senate Health, Education, Labor, and Pensions (HELP) committee approved a bill on May 22 that largely tracks the Draft Legislation. As outlined below, the bill would create a new category for large-scale compounders – known as “compounding manufacturers” – and give the FDA greater authority over compounding pharmacies.

Are You Prepared? The ACA’s Compliance Program Mandate for All Health Care Providers

Posted by Health Law Informer Author on April 15, 2013
Affordable Care Act, Medicare

While the implementation of compliance programs to encourage the development and use of internal controls to monitor adherence of the health care industry to applicable statutes, regulations, and program requirements has long been considered a best practice, the Patient Protection and Affordable Care Act (“ACA”) has made them mandatory.

Highlights of the Omnibus HIPAA/HITECH Final Rule

Posted by Health Law Informer Author on March 12, 2013
Affordable Care Act, HIPAA, HITECH

On January 25, 2013, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) published the long-awaited omnibus final regulation governing health data privacy, security and enforcement (Omnibus Rule).[i] The Omnibus Rule is a group of regulations that finalizes four sets of proposed or interim final rules, including changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act[ii] and proposed in 2010;[iii] changes to the interim final breach notification rule;[iv] modifications to the interim final enforcement rule; and implementation of changes to the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule goes into effect on March 26, 2013, and compliance is required by September 23, 2013. As expected, the Omnibus Rule did not finalize the May 31, 2011 proposed regulation regarding accounting for disclosures.

The SMART Act: A Bipartisan Attempt to Make the MSP Act Workable

Posted by Health Law Informer Author on January 23, 2013
Uncategorized

On January 10, 2013, President Obama signed into law H.R. 1845, which includes the Strengthening Medicare and Repaying Taxpayers Act of 2011 (SMART Act).[1] The SMART Act amends several portions of the Medicare Secondary Payer (MSP) Act that apply to non-group health plans, including liability (including self-insurance) and no-fault insurance and workers’ compensation plans (together, NGHPs). Although the SMART Act makes significant substantive and procedural amendments to the MSP Act, many practical issues will continue to bedevil parties who are trying to settle a personal injury claim.