Essential Guide


Guide to healthcare compliance resources and agencies

This guide provides an overview of the agencies and regulatory bodies that govern the use of health IT through the law and by functioning as healthcare compliance resources.


A collection of agencies regulate and govern the technological side of healthcare in the U.S. The Department of Health and Human Services Office for Civil Rights (OCR) is in charge of HIPAA enforcement, by auditing healthcare providers and their business associates and handing out fines for noncompliance. The Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) both play roles as healthcare compliance resources and regulators of the meaningful use program.

CMS is in a position to reduce the Medicare reimbursement payments of meaningful use participants that fail to meet the criteria, and OCR has started to audit covered entities and business associates for HIPAA compliance.

The Food and Drug Administration (FDA) also has a place in managing health IT. The FDA evaluates medical devices and classifies them by the level of risk they could present to users.

1. Terms to know

Healthcare compliance resources and agencies

2. OCR and HIPAA compliance

Office for Civil Rights

The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA Privacy and Security Rules. To this end, the OCR investigates privacy violations and enforces penalties for noncompliance.

Prior to the HITECH Act, the OCR only audited a HIPAA covered entity when a patient filed a complaint with the agency. However, the HITECH Act now requires the OCR to conduct periodic audits of providers and HIPAA business associates to ensure they are HIPAA compliant.

In addition to holding covered entities accountable, the OCR publishes HIPAA Privacy Rule guidance materials, which are intended to help organizations meet requirements for compliance. The OCR also provides a variety of healthcare compliance resources in the form of training materials and guidance materials for covered entities.


Health data privacy expert knows what to expect from HIPAA audits

A former OCR employee shares his insight into how the agency is approaching HIPAA audits.


Audits coming for business associates

Covered entities aren't the only ones that should be preparing for HIPAA audits. Business associates should be ready, too.


Security a top investment area for providers in 2015

Notable HIPAA violations and accompanying fines serve as motivation for some healthcare organizations to tighten their security.


OCR Director Jocelyn Samuels gives an overview of audit process

Without committing to a specific timeline, the OCR did offer a glimpse into its execution of HIPAA audits.


Providers scurry to ready for audits

Though the OCR won't directly comment on its HIPAA audit plans, history can give us some ideas.


Privacy, patients' rights to their records part of Samuels' plan

In her first speech as OCR Director, Jocelyn Samuels dove right into her plans for enforcing HIPAA.

3. Meaningful use attestation

Centers for Medicare & Medicaid Services

The Centers for Medicare and Medicaid Services (CMS), also a division of HHS, is responsible for the administration of Medicare, Medicaid and the Children's Health Insurance Program.

The HITECH Act also adds several key tasks to CMS' list of responsibilities that are intended to advance health IT. Under the HITECH Act, hospitals and eligible professionals who failed to demonstrate the meaningful use of electronic health record (EHR) technology by 2015 will be penalized in the form of reduced Medicare and Medicaid reimbursements. However, those who demonstrate meaningful use before the deadline are eligible for financial incentives.

To this end, CMS is charged with the following:

-- Implementing the federal government's EHR Incentive Programs

-- Defining criteria for meaningful use of certified EHR technology

-- Drafting standards for the certification of EHR technology

-- Updating HIPAA health information privacy and security regulations

CMS also oversees the administration of ICD-9 codes and is scheduled to roll out the ICD-10 program starting on Oct. 1, 2015.


Stage 3 proposal receives tepid reaction

Government officials are hopeful that the final stage of meaningful use will create progress, but program participants aren't convinced.


Proposal for meaningful use stage 3 shifts program's focus

Patient engagement and the exchange of health information are only two of the eight primary objectives included in a stage 3 proposal.


Are the struggles of stage 2 attestation a preview of stage 3?

Meaningful use participants that are still working on stage 2 aren't eager to look ahead.


CMS data breaks down stage 2 attestation

The success eligible professionals and hospitals had in achieving meaningful use can be measured by figures presented by CMS.


CMS keeps pushing for more accountable care

Accountable care organizations should take note of clarifications made to CMS' Shared Savings Program.


Medicare penalties coming for those who missed meaningful use marks

More than a quarter of a million physicians are in line to pay for not fully achieving meaningful use.

4. Health data interoperability

Office of the National Coordinator for Health IT

The Office of the National Coordinator for Health Information Technology (ONC) is the principal entity responsible for coordinating nationwide efforts to implement and use advanced health information technology and health information exchange. To this end, the ONC is spearheading the effort to move America's healthcare system from paper to electronic health records. This includes programs to encourage EHR adoption, as well as the use of other technologies, by holding competitions and offering prizes.

ONC's mission also includes coordinating health IT policy, providing leadership in the development, recognition and implementation of standards, and certifying health IT products. In addressing these myriad tasks, the ONC uses its website to share healthcare compliance resources and other helpful information.


ONC sets interoperability as its new target

Population health and sharing health information trumped meaningful use as ONC's main talking point.


ONC releases interoperability roadmap to stir up HIE activity

The ONC has a plan for encouraging more cooperation between healthcare providers, and now providers can read it for themselves.


ONC report to Congress reflects poorly on some EHR vendors

Not every EHR vendor is enthusiastic about HIE. In fact, the ONC found that some are deliberately interfering with the exchange of health data.


ONC and HHS plan to keep investing in interoperability

As many as 12 state HIEs can look forward to a piece of $28 million in ONC and HHS funding.


ONC issues draft of its interoperability plan

Improved privacy and security are two criteria that the ONC believes will support its vision for a nationwide interoperable health IT infrastructure.


Fridsma explains ONC's role in interoperability

Doug Fridsma, M.D., former ONC chief scientist, talked about his transition plans.


Too much health data? Not so, said Doug Fridsma

Find out why the amount of data stored in today's health devices should be seen as an opportunity and not a burden.


Fridsma sees strength in diversity of health IT standards

Learn why healthcare players shouldn't be troubled by the number of different standards regulating the industry.

5. The FDA and medical devices

Food and Drug Administration

In addition to regulating drugs, the Food and Drug Administration (FDA) also regulates the safety and effectiveness of X-ray equipment and medical devices. This includes approving new devices before they go to market, defining manufacturing and performance standards and tracking reports of device malfunction and serious adverse reactions.

The FDA assigns medical devices, software and other equipment to categories of regulatory control. The categories, or classes, define the regulatory requirements for those items. On a scale of Class III (high risk) to Class I (low risk), the FDA classifies medical device data systems (MDDS) as Class I devices. Class I devices are subject to general regulatory controls and are exempt from premarket notification requirements, which eases certain requirements. The FDA determined that MDDS that receive or store data from medical devices do not need to be subject to stringent regulations.

The FDA has taken a similar approach with mobile health applications. The administration has looked into regulating mHealth and wellness apps and devices, and determined that most don't pose a significant threat to patient safety.


How much risk do patients assume when they invest in an mHealth device?

Mobile health vendors are pleased the FDA is mostly staying out of mHealth, but that may put more pressure on providers.


FDA searches for balance between regulation and safe innovation

A rare keynote speech from Margaret Hamburg, former FDA Commissioner, was a highlight of the 2013 mHealth Summit.


Healthcare startups shouldn't fear FDA

Unless a new device or app presents a notable risk to patient safety, healthcare innovators won't have to worry about the FDA.


Learn the differences between FDA premarket approval and premarket notification

The FDA offered guidance to medical device manufacturers to help them avoid having their devices compromised.


Find out why radiology differs from other specialties when it comes to FDA regulation

Radiologists are as likely as other medical professionals to consult their mobile devices during work, but security concerns hold them back in some cases.

6. Accreditation agency rundown

Hospital accreditation agencies

CMS has approved a limited number of hospital accreditation agencies, including The Joint Commission, the Healthcare Facilities Accreditation Program, DNV Healthcare Inc., the Accreditation Association for Ambulatory Health Care, the Accreditation Commission for Health Care, Inc., the American Association for Accreditation of Ambulatory Surgery Facilities, the Center for Improvement in Healthcare Quality, the Community Health Accreditation Program and The Compliance Team.

The Joint Commission, founded in 1951, is an independent organization that accredits and certifies healthcare organizations and programs in the U.S. Its healthcare accreditation program involves an on-site survey conducted by a commission team at least once every three years. Most states require accreditation by The Joint Commission as a prerequisite for licensing and Medicaid reimbursement.

The Joint Commission also issues advice regarding the protection of personal health information. For example, TJC warned healthcare organizations that "it is not acceptable" for physicians and other practitioners to send patient orders via text messages due to security and privacy issues.

DNV Healthcare Inc. integrates ISO 9001:2008 with Medicare Conditions of Participation. DNV's hospital accreditation is the National Integrated Accreditation for Healthcare Organizations (NIAHC). Hospitals do not have to comply with ISO 9001 to be accredited by DNV -- they have up to three years from their effective Medicare participation date (determined by CMS) to become ISO 9001 compliant.

DNV also offers primary stroke center certification and critical access hospital accreditation.

The Chicago-based Healthcare Facilities Accreditation Program incorporates National Quality Forum (NQF) standards for patient safety and care quality into its accreditation programs for acute care and critical access hospitals, ambulatory surgical centers, clinical laboratories, behavioral and mental health facilities, ambulatory care and office-based surgery centers and primary stroke centers. Healthcare compliance resources available from this organization include a description of NQF's 34 safe practices and a series of webinars that explain the certification process. The program is run by the American Osteopathic Association.

The Accreditation Association for Ambulatory Health Care, founded in 1979, accredits more than 5,000 healthcare organizations including community health centers and other medical and dental facilities. It is based in Skokie, Ill.

The Accreditation Commission for Health Care, Inc. was established by The Association for Home & Hospice Care of North Carolina in 1986 and focuses on accreditation of in-home and alternate-site care providers. It is based in Cary, N.C.

The American Association for Accreditation of Ambulatory Surgery Facilities, headquartered in Gurnee, Ill., originated in 1980 and maintains a mission of standardizing quality care in ambulatory surgery facilities. More than 2,000 healthcare facilities are accredited by the association.

The Center for Improvement in Healthcare Quality was established in 1999 and is based in Round Rock, Texas. Acute care and critical access hospitals make up most of the group's membership, which cooperates with CMS on the development of healthcare standards and regulations.

The Community Health Accreditation Program was jointly created by the National League for Nursing and the American Public Health Association in 1965. It is headquartered in Washington D.C. and accredits community and home-based healthcare organizations.

The Compliance Team was founded in 1994 and provides accreditation to healthcare providers in Puerto Rico, the U.S. Virgin Islands and all fifty states.


The Joint Commission weighs in on data security

Encryption and recipient verification compose half of the steps the Joint Commission recommends to secure a healthcare messaging system.


Hospital accreditors approve of e-signatures

Learn the three levels of e-signatures that allow physicians to safely update a patient's medical record.
