
18 posts categorized "Compliance"

September 09, 2014

OCR Audits: The Skinny

Linda Sanches, Senior Advisor, Health Information Privacy, at OCR, DHHS, spoke with Tom Sullivan (@GovHITeditor) at the HIMSS Media #HITprivacy and security conference in Boston today (September 9, 2014) about OCR HIPAA compliance audits. See the Storify after the jump.

Continue reading "OCR Audits: The Skinny" »

April 23, 2014

HIPAA Marketing Rule Guidance: Better Than Nothing

The HITECH Act made some significant changes to the HIPAA Privacy Rule, updating some provisions and increasing protections for individuals. Improvement of regulatory schemes that are a little long in the tooth is laudable, since technical and societal changes, of necessity, make for a perpetual game of catch-up. However, it is a challenge for regulators to pick the right battles to fight, and the challenge is made that much more difficult to navigate when, as in the case of the HITECH Act, Congress gets into the weeds with extremely detailed statutory language, thus limiting the regulators' range of discretion. Since it is often difficult for Congress to act, and even more difficult for it to act rationally, the detailed language of the HITECH Act hamstrings the regulators and the regulated community.

Continue reading "HIPAA Marketing Rule Guidance: Better Than Nothing" »

April 15, 2014

HIPAA Privacy and Security Compliance: Should You Care?

The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general. The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (health care providers or payors) (CEs) or business associates (everyone else in the health care ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) (BAs) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.

Continue reading "HIPAA Privacy and Security Compliance: Should You Care?" »

February 26, 2014

HIPAA compliance audits coming; bits of detail emerge. Get ready now!

OCR planning for the next round of HIPAA compliance audits continues.

A new information collection request will be filed soon (two months from now or so), according to the HIPAA audit questionnaire burden estimate published Monday, February 24. (H/T Art Gross, HIPAA Secure Now.) The filing shows that OCR intends to administer 1200 questionnaires to a mix of covered entities and business associates. The questionnaires are estimated to take 30 minutes to complete.

Once those questionnaires hit the street, the full force of OCR will not be far behind. In light of the latest multimillion dollar HIPAA penalty -- this one levied by the Puerto Rican government against an organization that might actually be around long enough to cough up the big bucks, as opposed to Cignet (and there's no telling what OCR might do in addition to that) -- let's just say it behooves all covered entities and business associates out there that have not yet put their house in order from a HIPAA/HITECH compliance perspective to do so now.

Do not pass Go. Do not collect $200. Go directly to: HIPAA Compliance.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

January 03, 2014

Health IT Wisdom at the End of 2013 and Start of 2014

I am quoted in a couple of year-end / new year pieces on health IT, appearing this week in iHealthBeat and FierceHealthIT.

With new developments over the past year in the realms of telehealth, mobile health and health data privacy and security, and opportunities for accountable care organizations, integration of connected health and implementation of HIPAA compliance plans, there is plenty of material for prognosticators.

Kate Ackerman, Editor-in-Chief at iHealthBeat asked 13 experts three questions.

Here are the questions and my answers; follow the link above to read 12 other perspectives.

Continue reading "Health IT Wisdom at the End of 2013 and Start of 2014" »

September 27, 2013

#StrataRx -- David Harlow's HIPAA and HITECH presentation

Patient Consent to Use of Data: Are We Asking the Wrong Question?

I spoke yesterday at the StrataRx conference in Boston, as part of the data liquidity track. This was sort of a blue sky presentation (as you can tell from the first slide); the thought was to explore the notion of building big data analytics on top of a data store populated by health record information obtained as a result of patient requests. Why? Because doing it that way would bring the data out from under HIPAA and HITECH regulations. Patients could contribute as much or as little of the data as they wish, patients could be compensated for their contributions, and other pesky HIPAA restrictions would fall by the wayside. I used one company's newly-announced service as an example, but there are others in this space as well.

Continue reading "#StrataRx -- David Harlow's HIPAA and HITECH presentation" »

September 17, 2013

OCR and ONC release model NPPs

With H-Hour (the HIPAA Omnibus Rule compliance date) just a week away, the federales have come through, delivering a useful compliance tool with the HIPAA Notice of Privacy Practices requirements -- a set of model forms released during the Consumer Health IT Summit. At first blush, the forms seem extremely user-friendly, and they are certainly briefer, and are written in a tongue that bears a closer resemblance to English, than the NPPs with which most of us have had to labor. Kudos to the agencies for undertaking the effort to draft and field-test these forms.

While the field-testers' favored format, we are told, is the booklet, I much prefer the layered online form. The first page has a high-level summary of the HIPAA privacy and security rules as they pertain to patients, and details are set forth on the pages that follow.

I was disappointed, however, with one of the examples given in the model NPP:

Continue reading "OCR and ONC release model NPPs" »

September 12, 2013

HIPAA Clarity: Do You Have to Sue HHS to Get It?

Sue Me

"Serve a paper and sue me ...." Is this really the only way to get HHS to agree to promulgate long-promised guidance for medication adherence contractors and others that face "restrictions on remunerated refill reminders and other communications" under the HIPAA Omnibus Rule?

Apparently it is.

The final rule was promulgated eight months in advance of the compliance date coming up on September 23, yet Adheris (great name, eh?) found it necessary to seek an injunction earlier this month barring HHS/OCR from enforcing the Omnibus Rule insofar as it would infringe on the company's constitutionally-protected right of free (commercial) speech.

Continue reading "HIPAA Clarity: Do You Have to Sue HHS to Get It?" »

March 01, 2013

OIG review finds about 1/3 of all Medicare nursing home stays had inadequate care, care planning or discharge planning

As part of the US Department of Health and Human Services Office of Inspector General's current focus on nursing facilities, the OIG recently released a report entitled: Skilled Nursing Facilities Often Fail To Meet Care Planning and Discharge Planning Requirements.

From the OIG summary:

Skilled nursing facilities (SNF) are required to develop a care plan for each beneficiary and provide services in accordance with the care plan, as well as to plan for each beneficiary's discharge. These requirements are essential to ensuring that beneficiaries receive appropriate care and safely transition from one care setting to another. Several OIG studies and investigations found that SNFs had deficiencies in quality of care, did not develop appropriate care plans, and failed to provide adequate care to beneficiaries. In fiscal year 2012, Medicare paid $32.2 billion for SNF services. This study is part of a larger body of work about SNF payments and quality of care.


For 37 percent of stays, SNFs did not develop care plans that met requirements or did not provide services in accordance with care plans. For 31 percent of stays, SNFs did not meet discharge planning requirements. Medicare paid approximately $5.1 billion for stays in which SNFs did not meet these quality-of-care requirements. Additionally, reviewers found examples of poor quality care related to wound care, medication management, and therapy. These findings raise concerns about what Medicare is paying for. They also demonstrate that SNF oversight needs to be strengthened to ensure that SNFs perform appropriate care planning and discharge planning.

(Emphasis added.)

The OIG found, and CMS agreed, that CMS administrative enforcement efforts need to be beefed up on care planning and discharge planning, and that payment for services needed to be more closely tied to quality of services.

The negative findings implicate about 1/3 of skilled nursing facility stays, and over 15% of Medicare payment for skilled nursing facility stays.

In other arenas where health care providers are found to be out of compliance with Medicare conditions of participation, the Department of Justice tends to initiate actions under the False Claims Act to recover Medicare payments. (One example that leaps to mind involves the physician supervision requirements for diagnostic imaging under the OPPS rule.) Clearly, recoupment of $5.1 billion per year would be disastrous for the nursing facility sector, and since the OIG's recommendations included a mandate to clarify the regulations it is an unlikely result of this report. However, nursing facility operators should take note of this report and begin to address these areas of concern sooner rather than later.

The current report comes on the heels of a report issued late last year highlighting Medicare billing errors by nursing facilities that resulted in overpayments of $1.5 billion in 2009.  CMS committed to take appropriate action following receipt of that report, which could include recoupment of overpayments.

The OIG is currently looking at adverse events in skilled nursing facilities, which will be the subject of an upcoming report.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting 

December 07, 2012

Data Breach Analysis 2009-2012 - HITECH Experience Reviewed by HITRUST

In the first three years that the HITECH data breach notification rules have been in effect (September 2009 - September 2012), almost 500 breaches affecting more than 500 individuals have been reported.  As of this spring, over 57,000 data breaches affecting fewer than 500 individuals have been reported.

Courtesy of HITRUST (Health IT Trust Alliance)

The key takeaways:

  • Most data breaches are accounted for by theft or loss (2/3 of breaches, over 4/5 of breached records); the balance are accounted for by unauthorized access or disclosure, incorrect mailing, hacking and improper disposal 
  • Hacks are on the rise, and given the likely underreporting of all breaches and the ease with which theft and loss of devices and records are detected, chances are that security improvement efforts are not being targeted appropriately
  • The weak links for most data breaches are laptops, paper records and mobile media (3/4 of breaches, 2/3 of records); the balance are from desktop computers, network servers and system applications
  • The trend in number of data breaches over time is encouraging, but there have been upticks in late 2011 and early 2012
  • Hospitals, health plans and business associates are getting better at securing their data over time; physician practices are getting a little worse, particularly smaller practices, which, since they are often linked to community hospital EHRs, expose the hospitals as well
  • Government sector breaches account for a large percentage of the whole (check out the OIG report on CMS data breaches under HITECH for a glimpse of one sliver of this problem)

The full report is worth reading.  Also: see more from HealthBlawg on HIPAA, HITECH and data breaches.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting