Lobbying Affiliate: MML&K Government Solutions
{ Banner Image }

Healthcare Law Blog

Comprehensive Healthcare law services.
It's kind of our bag.

Contact Us

* Indicates a required field.

Categories

McBrayer Blogs

Related Blogs

Showing 15 posts in Compliance Programs.

The Finalized Meaningful Use Rule – What Providers Need To Know

The Centers for Medicare and Medicaid Services (“CMS”) finalized a rule (“Final Rule”) on August 29, 2014, giving health care providers a bit more breathing room to comply with the Electronic Health Record (“EHR”) Incentive Program’s (“the Program’s”) meaningful use requirements. The Program began as a way to motivate health care providers to implement EHR systems. Hospitals and health care professionals can qualify through the Program for incentive payments from CMS for the “meaningful use” of certified EHR technology (“CEHRT”). What qualifies as “meaningful use” has been the source of much confusion. The Program is intended to be implemented in three stages, with each stage to be completed within one calendar or fiscal year. More >

Reminder: Update Your “Grandfathered” HIPAA Business Associate Agreements Now!

In January 2013, the Department of Health and Human Services (“HHS”) published its Final Rule, which significantly increased the privacy and security responsibilities for the “business associates” of “covered entities,” as those terms are defined by HIPAA. A provision within the Final Rule mandated that all covered entities and their business associates revise their business associate agreements to reflect the new responsibilities. Specifically, a business associate must now, among other things: More >

Preparing for Round Two, Continued

Earlier this week, information about OCR Phase 2 HIPAA audits was provided. Today, let’s take a look at how to prepare if your entity is selected for an audit:

  • Confirm that a recent comprehensive Risk Assessment has been completed and documented.
  • Confirm that all action items identified in the Risk Assessment have received attention and have been completed (or are in the process of being completed).
  • Verify that policies are up-to-date, including breach notification procedures, notice of privacy practices, and responses to patient requests.
  • Ensure that a current list of business associates (and their contact information) is readily available.

Because Phase 2 does not consist of on-site visits, there will not be an opportunity for dialogue with auditors. Therefore, it is crucial to ensure that documentation alone shows a complete picture of an entity’s compliance efforts. All documents should be carefully reviewed, dated, and signed before turned over to an auditor. While providing extraneous information is not recommended, it is important to double-check that all requested and necessary information is submitted.

Phase 2 audits set to occur in 2016 will focus on the Security Standard’s encryption and decryption requirements, facility access controls, breach reports and complaints. It is never too early to start considering what protocols, training, and procedures will need to be implemented in anticipation of a possible audit related to these items.

In the event you are selected for a Phase 2 audit and have any questions about your responsibilities or what you can do to ensure a smooth process, contact a McBrayer health care attorney today.

This article is intended as a summary of newly enacted federal and state law and does not constitute legal advice.

Are You Ready for Round Two?

In February 2014, the Health and Human Services Office of Civil Rights (“OCR”) announced its plans to send pre-audit surveys to between 550 and 800 entities during the summer in preparation for Phase 2 HIPAA compliance audits. After collecting information from those surveyed, OCR will select about 400 of those entities for actual HIPAA audits. Those audits will begin this fall – which is quickly approaching. More >

OCR Offers “Lessons Learned” Regarding HIPAA Compliance, Part II

On Tuesday, some of the details of OCR’s recently released Breach and Compliance Reports were discussed. In addition to detailing facts and figures from cases involving breaches in 2011 and 2012, the Breach Report includes an important “Lessons Learned” section that all covered entities and their business associates should review. Based upon reported breaches, the OCR has outlined some specific areas of concern, which include the following: More >

OCR Offers “Lessons Learned” Regarding HIPAA Compliance

Two recent reports issued by the HHS Office for Civil Rights (“OCR”), pursuant to the HITECH Act, reveal some interesting information about HIPAA data breaches. The Annual Report to Congress on Breaches of Unsecured Protection Information (“Breach Report”) and the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance (“Compliance Report”) should remind covered entities and their business associates about the many risks associated with HIPAA and the importance of compliance. More >

Electronic Data Breach Leads to Largest HIPAA Settlement to Date

Recently, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services entered into a $4.8 million dollar settlement with two New York-based health care organizations after a data breach involving electronic protected health information occurred. The agreement is the largest HIPAA settlement thus far. More >

All Eyes on Hospice Care

In 2013, the Department of Justice (“DOJ”) and Office of Inspector General (“OIG”) charged the nation’s largest for-profit hospice chain, Vitas Innovative Hospice Care (“Vitas”), with false Medicare billings, inappropriately admitting patients with “aggressive marketing tactics,” and misleading patients and families about Medicare hospice benefits. This suit is just one of many recently filed against hospice providers, indicating that they are being watched keenly by enforcement authorities and government agencies. More >

New Enrollment and Re-Validation Requirements for Providers/Suppliers for Participation in Medicare and Medicaid: Watch Your Mail! Part I

Even though the Centers for Medicare and Medicaid Services (“CMS”) published final regulations to implement provisions to the Affordable Care Act (“ACA”) on February 2, 2011, it is likely that many Kentucky health care providers, including physicians, are not aware of the importance of the new requirements for revalidation of Medicare and Medicaid enrollment or the new and more burdensome requirements for initial enrollment. The requirements are aimed at strengthening provider and supplier screening procedures to reduce fraud, waste, and abuse in federal health care programs. Because CMS contractors and KY Medicaid have been slow to comply with these new requirements, it is likely that many providers have not noticed the enrollment/screening changes unless they have been asked to revalidate or have applied for new or additional provider/supplier numbers. More >

A New HIPAA Security Risk Assessment Tool For Your Compliance Arsenal

On Friday, the U.S. Department of Health and Human Services (HHS) announced a new security risk assessment (“SRA”) tool for small and medium size healthcare providers. The downloadable tool (available for free here) is a self-contained, independent application that is available for Windows and iOS platforms. The SRA works by asking a series of in-depth questions about the provider’s activities and facilities. The “yes” or “no” answer format for each question reveals whether corrective action is needed in a particular area. Additional resources in the SRA help providers understand the risks associated with the use, disclosure and storage of protected health information. The SRA offers providers the opportunity to generate, update and document assessment materials and corrective action plans through the SRA; documentation is especially important for audit purposes. More >

Lexington, KYLouisville, KYFrankfort, KY: MML&KFrankfort, KY LawGreenup, KYWashington, D.C.