A collection of agencies regulates and governs the technological side of healthcare in the U.S. The Department of Health and Human Services Office for Civil Rights (OCR) is in charge of HIPAA enforcement, auditing healthcare providers and their business associates and handing out fines for noncompliance. The Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) both play roles as healthcare compliance resources and regulators of the meaningful use program.
CMS is in a position to reduce the Medicare reimbursement payments of meaningful use participants that fail to meet the criteria, and OCR has started to audit covered entities and business associates for HIPAA compliance.
The Food and Drug Administration (FDA) also has a place in managing health IT. The FDA evaluates medical devices and classifies them by the level of risk they could present to users.
1. Terms to know
Healthcare compliance resources and agencies
- Centers for Medicare & Medicaid Services (CMS)
- HIPAA (Health Insurance Portability and Accountability Act)
- ONC (Office of the National Coordinator for Health Information Technology)
- US Department of Health and Human Services (HHS)
- Office for Civil Rights (OCR)
2. OCR and HIPAA compliance
Office for Civil Rights
The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA Privacy and Security Rules. To this end, the OCR investigates privacy violations and enforces penalties for noncompliance.
Prior to the HITECH Act, the OCR only audited a HIPAA covered entity when a patient filed a complaint with the agency. However, the HITECH Act now requires the OCR to conduct periodic audits of providers and HIPAA business associates to ensure they are HIPAA compliant.
In addition to holding covered entities accountable, the OCR publishes HIPAA Privacy Rule guidance materials, which are intended to help organizations meet requirements for compliance. The OCR also provides a variety of healthcare compliance resources in the form of training materials and guidance materials for covered entities.
A former OCR employee shares his insight into how the agency is approaching HIPAA audits.
Notable HIPAA violations and accompanying fines serve as motivation for some healthcare organizations to tighten their security.
Without committing to a specific timeline, the OCR did offer a glimpse into its execution of HIPAA audits.
In her first speech as OCR Director, Jocelyn Samuels dove right into her plans for enforcing HIPAA.
3. Meaningful use attestation
Centers for Medicare & Medicaid Services
The Centers for Medicare and Medicaid Services (CMS), also a division of HHS, is responsible for the administration of Medicare, Medicaid and the Children's Health Insurance Program.
The HITECH Act also adds several key tasks to CMS' list of responsibilities that are intended to advance health IT. Under the HITECH Act, hospitals and eligible professionals who failed to demonstrate the meaningful use of electronic health record (EHR) technology by 2015 will be penalized in the form of reduced Medicare and Medicaid reimbursements. However, those who demonstrate meaningful use before the deadline are eligible for financial incentives.
To this end, CMS is charged with the following:
- Implementing the federal government's EHR Incentive Programs
- Defining criteria for meaningful use of certified EHR technology
- Drafting standards for the certification of EHR technology
- Updating HIPAA health information privacy and security regulations
CMS also oversees the administration of ICD-9 codes and is scheduled to roll out the ICD-10 program starting on Oct. 1, 2015.
Patient engagement and the exchange of health information are only two of the eight primary objectives included in a stage 3 proposal.
Meaningful use participants that are still working on stage 2 aren't eager to look ahead.
More than a quarter of a million physicians are in line to pay for not fully achieving meaningful use.
4. Health data interoperability
Office of the National Coordinator for Health IT
The Office of the National Coordinator for Health Information Technology (ONC) is the principal entity responsible for coordinating nationwide efforts to implement and use advanced health information technology and health information exchange. To this end, the ONC is spearheading the effort to move America's healthcare system from paper to electronic health records. This includes programs to encourage EHR adoption, as well as the use of other technologies, by holding competitions and offering prizes.
ONC's mission also includes coordinating health IT policy, providing leadership in the development, recognition and implementation of standards, and the certification of health IT products. In addressing these myriad tasks, the ONC uses the HealthIT.gov site to share healthcare compliance resources and other helpful information.
The ONC has a plan for encouraging more cooperation between healthcare providers, and now providers can read it for themselves.
Not every EHR vendor is enthusiastic about HIE. In fact, the ONC found that some are deliberately interfering with the exchange of health data.
As many as 12 state HIEs can look forward to a piece of $28 million in ONC and HHS funding.
Learn why healthcare players shouldn't be troubled by the number of different standards regulating the industry.
5. The FDA and medical devices
Food and Drug Administration
In addition to regulating drugs, the Food and Drug Administration (FDA) also regulates the safety and effectiveness of X-ray equipment and medical devices. This includes approving new devices before they go to market, defining manufacturing and performance standards and tracking reports of device malfunction and serious adverse reactions.
The FDA assigns medical devices, software and other equipment to categories of regulatory control. The categories, or classes, define the regulatory requirements for those items. On a scale of Class III (high risk) to Class I (low risk), the FDA classifies medical device data systems (MDDS) as Class I devices. Class I devices are subject to general regulatory control and exempt from premarket notification requirements, which eases certain requirements. The FDA determined that MDDS that receive or store data from medical devices do not need to be subject to stringent regulations.
The FDA has taken a similar approach with mobile health applications. The administration has looked into regulating mHealth and wellness apps and devices, and determined that most don't pose a significant threat to patient safety.
Mobile health vendors are pleased the FDA is mostly staying out of mHealth, but that may put more pressure on providers.
A rare keynote speech from Margaret Hamburg, former FDA Commissioner, was a highlight of the 2013 mHealth Summit.
The FDA offered guidance to medical device manufacturers to help them avoid having their devices compromised.
Radiologists are as likely as other medical professionals to consult their mobile devices during work, but security concerns hold them back in some cases.
6. Accreditation agency rundown
Hospital accreditation agencies
CMS has approved a limited number of hospital accreditation agencies, including The Joint Commission, the Healthcare Facilities Accreditation Program, DNV Healthcare Inc., the Accreditation Association for Ambulatory Health Care, the Accreditation Commission for Health Care, Inc., the American Association for Accreditation of Ambulatory Surgery Facilities, the Center for Improvement in Healthcare Quality, the Community Health Accreditation Program and The Compliance Team.
The Joint Commission, founded in 1951, is an independent organization that accredits and certifies healthcare organizations and programs in the U.S. Its healthcare accreditation program involves an on-site survey conducted by a commission team at least once every three years. Most states require accreditation by The Joint Commission as a prerequisite for licensing and Medicaid reimbursement.
The Joint Commission also issues advice regarding the protection of personal health information. For example, TJC warned healthcare organizations that "it is not acceptable" for physicians and other practitioners to send patient orders via text messages due to security and privacy issues.
DNV Healthcare Inc. integrates ISO 9001:2008 with Medicare Conditions of Participation. DNV's hospital accreditation is the National Integrated Accreditation for Healthcare Organizations (NIAHO). Hospitals do not have to comply with ISO 9001 to be accredited by DNV; they have up to three years from their effective Medicare participation date (determined by CMS) to become ISO 9001 compliant.
DNV also offers primary stroke center certification and critical access hospital accreditation.
The Chicago-based Healthcare Facilities Accreditation Program incorporates National Quality Forum (NQF) standards for patient safety and care quality into its accreditation programs for acute care and critical access hospitals, ambulatory surgical centers, clinical laboratories, behavioral and mental health facilities, ambulatory care and office-based surgery centers and primary stroke centers. Healthcare compliance resources available from this organization include a description of NQF's 34 safe practices and a series of webinars that explain the certification process. The program is run by the American Osteopathic Association.
The Accreditation Association for Ambulatory Health Care, founded in 1979, accredits more than 5,000 healthcare organizations including community health centers and other medical and dental facilities. It is based in Skokie, Ill.
The Accreditation Commission for Health Care, Inc. was established by The Association for Home & Hospice Care of North Carolina in 1986 and focuses on accreditation of in-home and alternate-site care providers. It is based in Cary, N.C.
The American Association for Accreditation of Ambulatory Surgery Facilities, headquartered in Gurnee, Ill., originated in 1980 and maintains a mission of standardizing quality care in ambulatory surgery facilities. More than 2,000 healthcare facilities are accredited by the association.
The Center for Improvement in Healthcare Quality was established in 1999 and is based in Round Rock, Texas. Acute care and critical access hospitals make up most of the group's membership, which cooperates with CMS on the development of healthcare standards and regulations.
The Community Health Accreditation Program was jointly created by the National League for Nursing and the American Public Health Association in 1965. It is headquartered in Washington, D.C., and accredits community and home-based healthcare organizations.
The Compliance Team was founded in 1994 and provides accreditation to healthcare providers in Puerto Rico, the U.S. Virgin Islands and all fifty states.