
OCR Resolution Agreement Updates

Resolution Agreements and Civil Money Penalties – A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and to make reports to HHS, generally for a period of three years. During that period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement typically includes the payment of a resolution amount. These agreements are reserved for settling investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action by other informal means, civil money penalties (CMPs) may be imposed on the covered entity for noncompliance. To date, HHS has entered into ten resolution agreements and has issued CMPs to one covered entity.

A good example is 42 CFR Part 488, Medicare and Medicaid Programs, Civil Money Penalties for Nursing Homes. This final rule updates the current Medicare and Medicaid regulations with regard to the imposition and collection of civil money penalties when nursing homes are not in compliance.

Several resolution agreements have been in the news lately. These include agreements with the Alaska Department of Health and Human Services (DHHS) and with Massachusetts Eye and Ear Associates, Inc. (MEEI). Both resolution agreements contain several consistent findings and enforcement actions, even though they originate in very different OCR Regions. Both include significant penalties: $1.7 million for DHHS and $1.5 million for MEEI. Additionally, both resolution agreements include significant, and therefore expensive to implement, resolution plans, or Corrective Action Plans (CAPs). Both CAPs set short-term and long-term milestones that must be achieved. Both CAPs also require that an independent third party with expertise in these areas monitor the entity’s progress, including both a “Monitor Plan” and “Monitor Reviews”.

Significantly, OCR identified in both resolution agreements a failure to demonstrate that a thorough analysis of the risk to the confidentiality of ePHI had been conducted on an ongoing basis as part of the security management process. This consistent finding points to the first Standard in the HIPAA Security Rule, 164.308(a)(1)(i) Security Management Process, and to its first two Implementation Specifications, (A) Risk Analysis and (B) Risk Management. These sometimes overlooked and oft-delayed measures are the foundation of the HIPAA Security Rule. Implementing security or corrective measures without first conducting a thorough risk analysis and developing a risk management plan is akin to beginning a long driving trip without looking up the directions, or, to bring the analogy up to date, without at least updating your GPS and bringing it along for the trip. In addition, a Covered Entity or Business Associate must update that analysis and plan periodically, thereby continuing to check its progress against its written directions or its GPS.

References:

meei-agreement-pdf.pdf (Massachusetts Eye and Ear Associates resolution agreement)

alaska-agreement.pdf (Alaska DHHS resolution agreement)


Meaningful Use Stage 2 Criteria Announced

News Release

The United States Department of Health and Human Services (HHS) announced on August 23, 2012, the next steps to promote the use of electronic health records and to expand health information exchange. According to Kathleen Sebelius, the change will lead to enhanced patient care through the elimination of duplicate screenings and tests, as well as the reduction of medical errors.

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, physicians, health care professionals and hospitals can qualify for Medicare and Medicaid incentive payments when they adopt and meaningfully use certified electronic health record (EHR) technology.

More than 120,000 eligible health care professionals and more than 3,300 hospitals have qualified to participate in the program and receive an incentive payment since it began in January 2011. That exceeds the goal set earlier this year of 100,000.

That includes more than half of all eligible hospitals and critical access hospitals, and one out of every five eligible health care professionals. The program is divided into three stages:

  • Stage 1 sets the basic functionalities electronic health records must include such as capturing data electronically and providing patients with electronic copies of health information.
  • Stage 2 (which will begin as early as 2014) increases health information exchange between providers and promotes patient engagement by giving patients secure online access to their health information.
  • Stage 3 will continue to expand meaningful use objectives to improve health care outcomes.

The Stage 2 rules announced on August 23, 2012:

  • Make clear that Stage 2 of the program will begin as early as 2014. No providers will be required to follow the Stage 2 requirements outlined today before 2014.
  • Outline the certification criteria for the certification of EHR technology, so that eligible professionals and hospitals can be assured that the systems they use will work, help them meaningfully use health information technology, and qualify for incentive payments.
  • Modify the certification program to cut red tape and make the certification process more efficient.
  • Allow current “2011 Edition Certified EHR Technology” to be used until 2014.

The CMS final rule also provides a flexible reporting period for 2014 to give providers sufficient time to adopt or upgrade to the latest EHR technology certified for 2014.

For assistance with HIPAA Security and Compliance projects, or help handling an OCR Audit or Investigation request, please contact RISC Management and Consulting at: Sales@RISCsecurity.com, 800.648.4358


This posting is sponsored by RISC Management & Consulting, www.RISCsecurity.com