Key health care compliance regulators, resource providers
Office for Civil Rights
The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA Privacy and Security Rules. To this end, the OCR investigates privacy violations and enforces penalties for noncompliance.
Prior to the HITECH Act, the OCR only audited a HIPAA covered entity when a patient filed a complaint with the agency. However, the HITECH Act now requires the OCR to conduct periodic audits of providers and HIPAA business associates to ensure they are HIPAA compliant.
In addition to holding covered entities accountable, the OCR publishes HIPAA Privacy Rule guidance materials, which are intended to help organizations meet compliance requirements. The OCR also provides other health care compliance resources, including training and guidance materials for covered entities.
Centers for Medicare & Medicaid Services
The Centers for Medicare & Medicaid Services (CMS), also a division of HHS, is responsible for the administration of Medicare, Medicaid and the Children's Health Insurance Program.
The HITECH Act also adds several key tasks to CMS's list of responsibilities that are intended to advance health IT. Under the HITECH Act, hospitals and eligible professionals who fail to demonstrate the meaningful use of electronic health record (EHR) technology by 2015 will be penalized in the form of reduced Medicare and Medicaid reimbursements. However, those who demonstrate meaningful use before the deadline are eligible for financial incentives.
To this end, CMS is charged with the following:
Office of the National Coordinator
The Office of the National Coordinator for Health Information Technology (ONC) is the principal entity responsible for coordinating nationwide efforts to implement and use advanced health information technology and health information exchange. To this end, the ONC is spearheading the effort to move America's health care system from paper to electronic health records. This includes programs to encourage EHR adoption, as well as the use of other technologies, by holding competitions and offering prizes.
ONC's mission also includes coordinating health IT policy, establishing governance for the Nationwide Health Information Network and providing leadership in the development, recognition and implementation of standards, and the certification of health IT products. In addressing these myriad tasks, the ONC uses the HealthIT.gov site to share health care compliance resources and other helpful information.
Food and Drug Administration
In addition to regulating drugs, the Food and Drug Administration (FDA) regulates the safety and effectiveness of X-ray equipment and medical devices. This includes approving new devices before they go to market, defining manufacturing and performance standards, and tracking reports of device malfunction and serious adverse reactions.
The FDA assigns medical devices, software and other equipment to categories of regulatory control. The categories, or classes, define the regulatory requirements for those items. The FDA recently issued a final rule reclassifying medical device data systems (MDDS) from Class III to Class I devices.
Class I devices are subject to general regulatory control and are exempt from premarket notification requirements, which eases their regulatory burden. Even so, the MDDS final rule says any entity making changes to the way a device collects data -- including an end user such as a hospital -- must submit the changed device for FDA approval. In addition, the new designation can have broader implications for health care organizations as well as the manufacturers of consumer device products that are used by physicians, such as Apple Inc.'s iPad.
While the MDDS rule does not apply to EHR systems, the FDA is separately considering how it will regulate EHR safety.
Hospital accreditation agencies
CMS has approved three hospital accreditation agencies -- The Joint Commission, the Healthcare Facilities Accreditation Program and DNV Healthcare Inc.
The Joint Commission, founded in 1951, is an independent organization that accredits and certifies health care organizations and programs in the U.S. Its health care accreditation program involves an on-site survey conducted by a commission team at least once every three years. Most states require accreditation by The Joint Commission as a prerequisite for licensing and Medicaid reimbursement.
The Joint Commission also issues advice regarding the protection of personal health information. For example, it warned health care organizations that "it is not acceptable" for physicians and other practitioners to send patient orders via text messages due to security and privacy issues.
DNV Healthcare Inc. integrates ISO 9001:2008 with Medicare Conditions of Participation. DNV's hospital accreditation is the National Integrated Accreditation for Healthcare Organizations (NIAHO). Hospitals do not have to comply with ISO 9001 to be accredited by DNV -- they have up to three years from their effective Medicare participation date (determined by CMS) to become ISO 9001 compliant.
DNV also offers primary stroke center certification and critical access hospital accreditation.
Finally, the Chicago-based Healthcare Facilities Accreditation Program incorporates National Quality Forum (NQF) standards for patient safety and care quality into its accreditation programs for acute care and critical access hospitals, ambulatory surgical centers, clinical laboratories, behavioral and mental health facilities, ambulatory care and office-based surgery centers and primary stroke centers. Health care compliance resources available from this organization include a description of NQF's 34 safe practices and a series of webinars that explain the certification process.