Friday, September 21, 2012

Is a Cloud Vendor a Business Associate?

Before a covered entity can use cloud storage for ePHI, the covered entity must enter into a business associate agreement (BAA) with the cloud vendor.[1]   It seems that there is some uncertainty surrounding this requirement, with some cloud vendors taking the position that a BAA is unnecessary for passive storage of ePHI or that they qualify for an exception under HITECH Act as a personal health records vendor.

HIPAA defines a business associate as anyone that performs on behalf of a covered entity a function or activity regulated under HIPAA privacy and security regulations.[2]   HIPAA regulates a covered entity’s passive storage of ePHI by imposing on the covered entity strict requirements to ensure the confidentiality, integrity and availability of ePHI maintained by the covered entity.[3]   Because HIPAA regulates a covered entity’s passive storage of ePHI, disclosure of ePHI by the covered entity to a cloud vendor for the purpose of storing the ePHI makes the vendor a business associate.[4]   Because the cloud vendor is a business associate, a BAA is required prior to the vendor assuming responsibility for the ePHI.[5]

Tuesday, September 18, 2012

Is HIPPA in the Clouds?

Virtual or “cloud” data storage is an increasingly popular method for storing data electronically in a safe and yet conveniently accessible manner that may also represent a cost savings over traditional onsite data storage options.  Health care providers, including hospitals, pharmacies and physicians, have been slow to avail themselves of the benefits of “cloud computing” due in part to concerns about whether the cloud offers the rigorous privacy and security safeguards required for storing electronic protected health information (ePHI) under Federal and State privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and implementing regulations.

Sunday, September 9, 2012

Guess Who’s Coming to Visit?
Long-Term Care Facility Inspections

Compliance and preparedness are two very real, everyday concerns for long-term care facilities. Not only are these important aspects of daily operations for the safety of the employees and patients, they are paramount because any day a visitor from the Office of the Inspector General (OIG”) or Occupational Safety and Health Administration (“OSHA”) could show up for an inspection.  Is your facility prepared?

The OIG will soon be conducting unannounced inspections of long-term care facilities as part of an increased crackdown on fraud, waste and abuse in the Medicaid and Medicare programs. The purpose of the OIG inspection will be to determine if the facility is in compliance with the new federal regulations outlined in the Patient Protection and Affordable Care Act (“PPACA”). The inspections focus on the management and evaluate the programs looking for any vulnerability, inefficiency or violation that could be considered fraud or abuse. With more funds earmarked for the enforcement of the fraud, waste and abuse controls, facilities can expect inspections to be very intense.

Wednesday, September 5, 2012

Passive Payer No More: In Final 2013
IPPS Rule,CMS Officially Launches Payment
Adjustments for Quality Performance

On August 1, 2012, the Centers for Medicare & Medicaid Services (CMS) issued its final inpatient prospective payment system (IPPS) rule for fiscal year (FY) 2013 (the final rule was published in the Federal Register on August 31, 2012).[1]  In addition to the annual Medicare payment updates, the final rule gives notice that the Medicare program will, for the first time beginning in FY 2013, adjust IPPS payments based on quality performance under the Hospital Value-Based Purchasing Program and the Hospital Readmissions Reduction Program.  Both programs were created as a part of the Patient Protection and Affordable Care Act (ACA). The following is a brief overview of some of the final rule’s significant provisions.