Health Care Law Blog

HIPAA Compliance: Conducting a Risk Assessment

Maybe you have determined you're a Business Associate (or a subcontractor of a Business Associate) or maybe you’re a Covered Entity for purposes of HIPAA and have not gotten around to conducting or updating your risk assessment. Now is the time to do it.

HIPAA requires that Covered Entities, Business Associates, and subcontractors of Business Associates “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 CFR § 164.308(a)(1)). In order to fulfill these requirements, all entities subject to HIPAA’s Security Rule must run a risk assessment. A risk assessment is a “thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” In the past, some of the largest penalties have been assessed against entities that had failed to conduct a proper risk assessment and subsequently experienced a breach. Read More ›

Categories: Compliance, HIPAA

Contact Author

Share  | 

New Laws Expand Powers and Responsibilities of Guardians Relating to DNR Orders

On Feb. 4, 2014, new legislation took effect amending Michigan's Do-Not-Resuscitate Procedure Act (the "Act").The Act allows a guardian, who has the power under Michigan’s guardianship laws, to consent to a do-not-resuscitate order (“DNR Order”) on behalf of a legally incapacitated person under certain conditions. This power does not extend to a guardian ad litem.

In 1996, Michigan passed the Act, which permits a competent adult or his or her patient advocate to sign a DNR Order instructing emergency personnel not to perform potentially life-saving procedures in the event of the cessation of respiration and circulation. However, the Act did not give express authority to a guardian acting on behalf of an individual to authorize a DNR Order. Read More ›

Categories: Compliance, Hospitals

Posted by: Jennifer B. Van Regenmorter

  |  Contact Author

Share  | 

Health Plans Take Notice: Compliance with HIPAA Administrative Simplification Rules is still Required

On Jan. 2, 2014, the Department of Health and Human Services (“HHS”) issued a proposed rule related to the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Specifically, it delayed the date by which health plans must certify compliance with certain operating rules imposed by the Affordable Care Act (“ACA”).   

The ACA required the Secretary of HHS to adopt operating rules related to claims status, eligibility, electronic funds transfers ("EFT") and health care payment and remittance advice transactions ("ERA").  Health plans (and other covered entities) were required to comply with the claims status and eligibility operating rules by Jan. 1, 2013 and the EFT and ERA operating rules by Jan. 1, 2014.  Additionally, health plans were required to file a statement with HHS certifying that the health plan is in compliance with the operating rules.  This certification statement was due by Dec. 31, 2013.  Read More ›

Categories: Billing/Payment, Compliance, Health Care Reform, HIPAA, Insurance, Privacy, Providers

Posted by: Mindi M. Johnson

  |  Contact Author

Share  | 

Walgreens Agrees to Record $80 Million Settlement with DEA

On Tuesday, June 11, 2013, the Drug Enforcement Administration (“DEA”) announced that it had reached an $80 million civil settlement agreement, the largest in DEA history, with Walgreen Co. (“Walgreens”) to resolve allegations involving an “unprecedented number” of record-keeping and dispensing violations under the Controlled Substance Act (“CSA”). According to the DEA’s Press Release, Walgreens negligently allowed controlled substances, including Oxycodone and other prescription painkillers, to be diverted into the black market. Read More ›

Categories: Compliance, Fraud & Abuse, Hospitals, Pharmacy, Physicians, Regulatory

Posted by: Julie LaVille Hamlet, Johanna M. Novak

  |  Contact Author

Share  | 

Payments to Doctors Will Soon be Public Knowledge

Under the Patient Protection and Affordable Care Act, companies that provide drugs, medical devices, biologicals or other medical supplies covered by certain government programs (Medicare, Medicaid or the Children's Health Insurance Program) are required to annually report certain payments they make to physicians. According to a recently issued final rule, payment categories will include: Read More ›

Categories: Compliance, Hospitals, Physicians, Regulatory

Posted by: Mindi M. Johnson

  |  Contact Author

Share  | 

Long-Awaited Privacy Rules Just Published

The Office for Civil Rights of the Department of Health and Human Services recently released its final rule (the "Rule") modifying the Health Insurance Portability and Accountability Act ("HIPAA") and implementing the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  (The Rule was originally expected to be released in February of 2010 when HITECH became effective.) In short, the Rule: modifies HIPAA’s privacy, security and enforcement rules; changes HIPAA’s enforcement rules to increase penalties consistent with HITECH; provides a final rule on breach notification; and modifies HIPAA as required by the Genetic Information Nondiscrimination Act.

The new rule is approximately 563 pages and can be accessed here.  If you have any questions about how the Rule may impact your health care practice, please contact Nicole Stratton at (517) 371-8140 or by using the form below.

Categories: Compliance, HIPAA, HITECH Act, Hospitals, Physicians, Privacy, Regulatory

Contact Author

Share  | 

New Board of Dentistry rules for handling and disposal of amalgam

The Michigan Board of Dentistry has adopted several new rules governing the handling and disposal of amalgam waste for dentists and dental practices.  

There are some exceptions for oral and maxillofacial surgeons; oral and maxillofacial radiologists; oral pathologists; orthodontists; periodontists; and dentists providing services in a dental school or hospital, or through a local health department.  Read More ›

Categories: Compliance, Licensing, Physicians, Regulatory

Contact Author

Share  | 

National Practitioner Data Bank

Hospitals are required to report certain adverse clinical privileging actions and medical malpractice payments to the National Practitioner Data Bank (NPDB).  Since the NPDB was established by the Health Care Quality Improvement Act (HCQIA) in 1986, compliance with these reporting obligations has been largely entrusted to hospitals with little enforcement action by the United States Department of Health and Human Services.  There are now reports that the federal government has begun auditing compliance by hospitals with the NPDB reporting requirements. Read More ›

Categories: Audits, Compliance, Hospitals, Physicians

Contact Author

Share  | 

Recap of 2012 Healthcare Forum

On October 11, 2012, the Lansing Regional Chamber of Commerce hosted its annual Healthcare Forum.  A half-day event, the Healthcare Forum brings together mid-Michigan leaders in the health care industry to provide updates on the latest issues.  This year’s forum, titled “Countdown to 2014 – The Tools to Conform to Healthcare Reform,” drew nearly 100 attendees and featured topics including: Read More ›

Categories: Compliance, Employee Benefits, Employment, Health Care Reform, Labor Relations, Regulatory

Contact Author

Share  | 

Newly Released Audit Protocol Serves as Guidance for Compliance Programs

The Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), passed in 2009, imposed new requirements on health care providers (among others) related to the privacy and security of Protected Health Information ("PHI").  Included in the HITECH Act's requirements was a mandate that the Department of Health and Human Services’ ("HHS") Office for Civil Rights ("OCR") conduct audits to analyze the processes, controls and policies of certain covered entities.  The pilot program for such audits began in 2011 and will conclude in December, 2012. Read More ›

Categories: Compliance, HIPAA, HITECH Act, Hospitals, Physicians, Regulatory

Posted by: Mindi M. Johnson, John R. Taylor

  |  Contact Author

Share  |