Compliance is Not Just a HIPAA - HITECH Issue

Sunday, January 23, 2011

Jack Anderson


In a recent article, "OMIG Begins Policing Provider Compliance Programs," Cadwalader, Wickersham & Taft describe in great detail the efforts by OMIG to ensure provider compliance.

Here is their description of what compliance entails:

Briefly, the eight elements to an “effective” compliance program delineated in the regulations (18 N.Y.C.R.R. Section 521.3(c)) include:  

  • Written policies and procedures that must include: (i) a “Code of Conduct”, or “code of ethics”, that describes the provider’s compliance expectations, (ii) procedures for implementing the operation of the compliance program; (iii) guidance for employees/others confronting a potential compliance issue; (iv) a procedure for communicating potential compliance issues within the organization; and (v) a process for investigating and resolving compliance issues.
  • Compliance officer must be designated who is the employee in charge of “day-to-day operation” of the compliance program and reports directly to the CEO or other senior administrator, and to the provider’s board of directors.
  • Inservice training and education of employees, executive staff, and board members.
  • Line of communication to the compliance officer, including an anonymous and confidential method of “good faith” reporting (whistleblower).
  • Disciplinary policies and “firmly enforced sanctions” for (i) failing to report non-compliant behavior, (ii) participating in non-compliant behavior, (iii) or encouraging or actively or even passively allowing non-compliant behavior (i.e., looking the other way is inappropriate and sanctionable).
  • System for identifying risk areas (i) specific to provider type (through internal and external audits) and in connection with (ii) credentialing, (iii) mandatory reporting compliance, (iv) corporate governance, and (v) quality of care. 
  • System for (i) responding to and investigating potential compliance problems, (ii) correcting, and preventing or reducing the risk of recurrence of, compliance problems, (iii) reporting compliance issues to OMIG, and (iv) refunding overpayments to the State. 
  • Non-intimidation and non-retaliation policies for good faith participation in the compliance program, including any employee reports made to public officials (whistleblower protection).  

Failure to maintain an effective compliance program as determined by OMIG may subject a provider to sanctions, including termination from the Medicaid program.

If this sounds familiar, it is because it is nearly identical to HIPAA compliance rules. Getting compliant with the Compliance Helper meets all privacy and information security requirements, not just HIPAA.

Get compliant, stay compliant, and prove compliance with the Compliance Meter.

Cross-posted from Compliance Helper
