Guide to healthcare compliance resources and agencies

Last updated:May 2015

Editor's note

A collection of agencies regulate and govern the technological side of healthcare in the U.S. The Department of Health and Human Services Office for Civil Rights (OCR) is in charge of HIPAA enforcement, by auditing healthcare providers and their business associates and handing out fines for noncompliance. The Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) both play roles as healthcare compliance resources and regulators of the meaningful use program.

CMS is in a position to reduce the Medicare reimbursement payments of meaningful use participants that fail to meet the criteria and OCR has started to audit covered entities and business associates for HIPAA compliance.

The Food and Drug Administration (FDA) also has a place in managing health IT. The FDA evaluates medical devices and classifies them by the level of risk they could present to users.

1Office for Civil Rights

The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA Privacy and Security Rules. To this end, the OCR investigates privacy violations and enforces penalties for noncompliance.

Prior to the HITECH Act, the OCR only audited a HIPAA covered entity when a patient filed a complaint with the agency. However, the HITECH Act now requires the OCR to conduct periodic audits of providers and HIPAA business associates to ensure they are HIPAA compliant.

In addition to holding covered entities accountable, the OCR publishes HIPAA Privacy Rule guidance materials, which are intended to help organizations meet requirements for compliance. The OCR also provides a variety of healthcare compliance resources in the form of training materials and guidance materials for covered entities.

2Centers for Medicare & Medicaid Services

The Centers for Medicare and Medicaid Services (CMS), also a division of HHS, is responsible for the administration of Medicare, Medicaid and the Children's Health Insurance Program.

The HITECH Act also adds several key tasks to CMS' list of responsibilities that are intended to advance health IT. Under the HITECH Act, hospitals and eligible professionals who failed to demonstrate the meaningful use of electronic health record (EHR) technology by 2015 will be penalized in the form of reduced Medicare and Medicaid reimbursements. However, those who demonstrate meaningful use before the deadline are eligible for financial incentives.

To this end, CMS is charged with the following:

-- Implementing the federal government's EHR Incentive Programs

-- Defining criteria for meaningful use of certified EHR technology

-- Drafting standards for the certification of EHR technology

-- Updating HIPAA health information privacy and security regulations

CMS also oversees the administration of ICD-9 codes and is scheduled to roll out the ICD-10 program starting on Oct. 1, 2015.

3Office of the National Coordinator for Health IT

The Office of the National Coordinator for Health Information Technology (ONC) is the principal entity responsible for coordinating nationwide efforts to implement and use advanced health information technology and health information exchange. To this end, the ONC is spearheading the effort to move America's healthcare system from paper to electronic health records. This includes programs to encourage EHR adoption, as well as the use of other technologies, by holding competitions and offering prizes.

ONC's mission also includes coordinating health IT policy, providing leadership in the development, recognition and implementation of standards, and the certification of health IT products. In addressing these myriad tasks, the ONC uses the site to share healthcare compliance resources and other helpful information.

4Hospital accreditation agencies

CMS has approved a limited number of hospital accreditation agencies, including: The Joint Commission, the Healthcare Facilities Accreditation Program and DNV Healthcare Inc., the Accreditation Association for Ambulatory Health Care, the Accreditation Commission for Health Care, Inc., the American Association for Accreditation of Ambulatory Surgery Facilities, the Center for Improvement in Healthcare Quality, the Community Health Accreditation Program and The Compliance Team.

The Joint Commission, founded in 1951, is an independent organization that accredits and certifies healthcare organizations and programs in the U.S. Its healthcare accreditation program involves an on-site survey conducted by a commission team at least once every three years. Most states require accreditation by The Joint Commission as a prerequisite for licensing and Medicaid reimbursement.

The Joint Commission also issues advice regarding the protection of personal health information. For example, TJC warned healthcare organizations that "it is not acceptable" for physicians and other practitioners to send patient orders via text messages due to security and privacy issues.

DNV Healthcare Inc. integrates ISO 9001:2008 with Medicare Conditions of Participation. DNV's hospital accreditation is the National Integrated Accreditation for Healthcare Organizations (NIAHC). Hospitals do not have to comply with ISO 9001 to be accredited by DNV -- they have up to three years from their effective Medicare participation date (determined by CMS) to become ISO 9001 compliant.

DNV also offers primary stroke center certification and critical access hospital accreditation.

The Chicago-based Healthcare Facilities Accreditation Program incorporates National Quality Forum (NQF) standards for patient safety and care quality into its accreditation programs for acute care and critical access hospitals, ambulatory surgical centers, clinical laboratories, behavioral and mental health facilities, ambulatory care and office-based surgery centers and primary stroke centers. Healthcare compliance resources available from this organization include a description of NQF's 34 safe practices and a series of webinars that explain the certification process. The program is run by the American Osteopathic Association.

The Accreditation Association for Ambulatory Health Care, founded in 1979, accredits more than 5,000 healthcare organizations including community health centers and other medical and dental facilities. It is based in Skokie, Ill.

The Accreditation Commission for Health Care, Inc. was established by The Association for Home & Hospice Care of North Carolina in 1986 and focuses on accreditation of in-home and alternate-site care providers. It is based in Cary, N.C.

The American Association for Accreditation of Ambulatory Surgery Facilities, headquartered in Gurnee, Ill., originated in 1980 and maintains a mission of standardizing quality care in ambulatory surgery facilities. More than 2,000 healthcare facilities are accredited by the association.

The Center for Improvement in Healthcare Quality was established in 1999 and is based in Round Rock, Texas. Acute care and critical access hospitals make up most of the group's membership, which cooperates with CMS on the development of healthcare standards and regulations.

The Community Health Accreditation Program was jointly created by the National League for Nursing and the American Public Health Association in 1965. It is headquartered in Washington D.C. and accredits community and home-based healthcare organizations.

The Compliance Team was founded in 1994 and provides accreditation to healthcare providers in Puerto Rico, the U.S. Virgin Islands and all fifty states.