A collection of agencies regulate and govern the technological side of healthcare in the U.S. The Department of Health and Human Services Office for Civil Rights (OCR) is in charge of HIPAA enforcement, by auditing healthcare providers and their business associates and handing out fines for noncompliance. The Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) both play roles as healthcare compliance resources and regulators of the meaningful use program.
CMS is in a position to reduce the Medicare reimbursement payments of meaningful use participants that fail to meet the criteria and OCR has started to audit covered entities and business associates for HIPAA compliance.
The Food and Drug Administration (FDA) also has a place in managing health IT. The FDA evaluates medical devices and classifies them by the level of risk they could present to users.
1Office for Civil Rights
The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA Privacy and Security Rules. To this end, the OCR investigates privacy violations and enforces penalties for noncompliance.
Prior to the HITECH Act, the OCR only audited a HIPAA covered entity when a patient filed a complaint with the agency. However, the HITECH Act now requires the OCR to conduct periodic audits of providers and HIPAA business associates to ensure they are HIPAA compliant.
In addition to holding covered entities accountable, the OCR publishes HIPAA Privacy Rule guidance materials, which are intended to help organizations meet requirements for compliance. The OCR also provides a variety of healthcare compliance resources in the form of training materials and guidance materials for covered entities.
Health data privacy expert knows what to expect from HIPAA audits
A former OCR employee shares his insight into how the agency is approaching HIPAA audits. Listen Now
Audits coming for business associates
Covered entities aren't the only ones that should be preparing for HIPAA audits. Business associates should be ready, too. Listen Now
Security a top investment area for providers in 2015
Notable HIPAA violations and accompanying fines serve as motivation for some healthcare organizations to tighten their security. Read Now
OCR Director Jocelyn Samuels gives an overview of audit process
Without committing to a specific timeline, the OCR did offer a glimpse into its execution of HIPAA audits. Read Now
Providers scurry to ready for audits
Though the OCR won't directly comment on its HIPAA audit plans, history can give us some ideas. Read Now
2Centers for Medicare & Medicaid Services
The Centers for Medicare and Medicaid Services (CMS), also a division of HHS, is responsible for the administration of Medicare, Medicaid and the Children's Health Insurance Program.
The HITECH Act also adds several key tasks to CMS' list of responsibilities that are intended to advance health IT. Under the HITECH Act, hospitals and eligible professionals who failed to demonstrate the meaningful use of electronic health record (EHR) technology by 2015 will be penalized in the form of reduced Medicare and Medicaid reimbursements. However, those who demonstrate meaningful use before the deadline are eligible for financial incentives.
To this end, CMS is charged with the following:
-- Implementing the federal government's EHR Incentive Programs
-- Defining criteria for meaningful use of certified EHR technology
-- Drafting standards for the certification of EHR technology
-- Updating HIPAA health information privacy and security regulations
CMS also oversees the administration of ICD-9 codes and is scheduled to roll out the ICD-10 program starting on Oct. 1, 2015.
Stage 3 proposal receives tepid reaction
Government officials are hopeful that the final stage of meaningful use will create progress, but program participants aren't convinced. Read Now
Proposal for meaningful use stage 3 shifts program's focus
Patient engagement and the exchange of health information are only two of the eight primary objectives included in a stage 3 proposal. Read Now
Are the struggles of stage 2 attestation a preview of stage 3?
Meaningful use participants that are still working on stage 2 aren't eager to look ahead. Read Now
CMS data breaks down stage 2 attestation
The success eligible professionals and hospitals had in achieving meaningful use can be measured by figures presented by CMS. Read Now
CMS keeps pushing for more accountable care
Accountable care organizations should take note of clarifications made to CMS' Shared Savings Program. Read Now
3Office of the National Coordinator for Health IT
The Office of the National Coordinator for Health Information Technology (ONC) is the principal entity responsible for coordinating nationwide efforts to implement and use advanced health information technology and health information exchange. To this end, the ONC is spearheading the effort to move America's healthcare system from paper to electronic health records. This includes programs to encourage EHR adoption, as well as the use of other technologies, by holding competitions and offering prizes.
ONC's mission also includes coordinating health IT policy, providing leadership in the development, recognition and implementation of standards, and the certification of health IT products. In addressing these myriad tasks, the ONC uses the HealthIT.gov site to share healthcare compliance resources and other helpful information.
ONC sets interoperability as its new target
Population health and sharing health information trumped meaningful use as ONC's main talking point. Read Now
ONC releases interoperability roadmap to stir up HIE activity
The ONC has a plan for encouraging more cooperation between healthcare providers and now providers can read it for themselves. Read Now
ONC report to Congress reflects poorly on some EHR vendors
Not every EHR vendor in enthusiastic about HIE. In fact, the ONC found that some are deliberately interfering with the exchange of health data. Read Now
ONC and HHS plan to keep investing in interoperability
As many as 12 state HIEs can look forward to a piece of $28 million in ONC and HHS funding. Read Now
ONC issues draft of its interoperability plan
Improved privacy and security are two criteria that the ONC believes will support its vision for a nationwide interoperable health IT infrastructure. Read Now
4Food and Drug Administration
In addition to regulating drugs, the Food and Drug Administration (FDA) also regulates the safety and effectiveness of X-ray equipment and medical devices. This includes approving new devices before they go to market, defining manufacturing and performance standards and tracking reports of device malfunction and serious adverse reactions.
The FDA assigns medical devices, software and other equipment to categories of regulatory control. The categories, or classes, define the regulatory requirements for those items. On a scale of Class III (high risk) to Class I (low risk) the FDA classifies medical device data systems (MDDS) as Class I devices. Class I devices are subject to general regulatory control and exempt from premarket notification requirements, which eases certain requirements. The FDA determined that MDDS that receive or store data from medical devices do not need to be subject to stringent regulations.
The FDA has taken a similar approach with mobile health applications. The administration has looked into regulating mHealth and wellness apps and devices, and determined that most don't pose a significant threat to patient safety.
5Hospital accreditation agencies
CMS has approved a limited number of hospital accreditation agencies, including: The Joint Commission, the Healthcare Facilities Accreditation Program and DNV Healthcare Inc., the Accreditation Association for Ambulatory Health Care, the Accreditation Commission for Health Care, Inc., the American Association for Accreditation of Ambulatory Surgery Facilities, the Center for Improvement in Healthcare Quality, the Community Health Accreditation Program and The Compliance Team.
The Joint Commission, founded in 1951, is an independent organization that accredits and certifies healthcare organizations and programs in the U.S. Its healthcare accreditation program involves an on-site survey conducted by a commission team at least once every three years. Most states require accreditation by The Joint Commission as a prerequisite for licensing and Medicaid reimbursement.
The Joint Commission also issues advice regarding the protection of personal health information. For example, TJC warned healthcare organizations that "it is not acceptable" for physicians and other practitioners to send patient orders via text messages due to security and privacy issues.
DNV Healthcare Inc. integrates ISO 9001:2008 with Medicare Conditions of Participation. DNV's hospital accreditation is the National Integrated Accreditation for Healthcare Organizations (NIAHC). Hospitals do not have to comply with ISO 9001 to be accredited by DNV -- they have up to three years from their effective Medicare participation date (determined by CMS) to become ISO 9001 compliant.
DNV also offers primary stroke center certification and critical access hospital accreditation.
The Chicago-based Healthcare Facilities Accreditation Program incorporates National Quality Forum (NQF) standards for patient safety and care quality into its accreditation programs for acute care and critical access hospitals, ambulatory surgical centers, clinical laboratories, behavioral and mental health facilities, ambulatory care and office-based surgery centers and primary stroke centers. Healthcare compliance resources available from this organization include a description of NQF's 34 safe practices and a series of webinars that explain the certification process. The program is run by the American Osteopathic Association.
The Accreditation Association for Ambulatory Health Care, founded in 1979, accredits more than 5,000 healthcare organizations including community health centers and other medical and dental facilities. It is based in Skokie, Ill.
The Accreditation Commission for Health Care, Inc. was established by The Association for Home & Hospice Care of North Carolina in 1986 and focuses on accreditation of in-home and alternate-site care providers. It is based in Cary, N.C.
The American Association for Accreditation of Ambulatory Surgery Facilities, headquartered in Gurnee, Ill., originated in 1980 and maintains a mission of standardizing quality care in ambulatory surgery facilities. More than 2,000 healthcare facilities are accredited by the association.
The Center for Improvement in Healthcare Quality was established in 1999 and is based in Round Rock, Texas. Acute care and critical access hospitals make up most of the group's membership, which cooperates with CMS on the development of healthcare standards and regulations.
The Community Health Accreditation Program was jointly created by the National League for Nursing and the American Public Health Association in 1965. It is headquartered in Washington D.C. and accredits community and home-based healthcare organizations.
The Compliance Team was founded in 1994 and provides accreditation to healthcare providers in Puerto Rico, the U.S. Virgin Islands and all fifty states.