When you're starting a population health program, a critical component is information?the data you collect to assess patient risk factors. Having a computer system to sort through information and help you identify high-risk patients is a huge asset to any program, says Gavin Malcolm, LCSW, director of Population Health for Broward Health ACO Services in Florida. "You have to be able to access and manage data to be successful," he says.
Phase 2 of OCR's HIPAA audit program is coming down the pipeline, and although privacy and security officers are typically tasked with all things HIPAA, there's a seat at the table for HIM when it comes to preparing for audits.
CMS has sharply accelerated its push toward moving outpatient payments from a fee-for-service model to a true prospective payment system with a number of its proposals in the 2016 OPPS proposed rule (https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-16577.pdf), including new comprehensive APCs (C-APC) and extensive APC consolidation and reconfiguration.
HIPAA originally recognized the business associate (BA) as a contractor of a covered entity (CE), but did not mandate direct accountability to the regulations. This put the onus on a CE to ensure, contractually, that its BAs met applicable requirements and supported their CE clients' compliance. When the Privacy and Security Rules first became effective, many CEs accepted BA contracts (BAC) (sometimes also called BA agreements [BAA]) from their BAs. Some BAs were actually quite adamant about having the CE sign their BAC. Although it was the obligation of a CE to initiated the BAC and the CE was liable under the law for compliance, in most cases, BAs offered a BAC that met the legal requirements and often looked like the model offered by HHS. If this was not the case or if either party wanted additional provisions, the CE and the BA negotiated a contract. No provisions required by HIPAA could be removed or changed, but other provisions could be added.
There are a number of tools on the market to assist covered entities (CE) and business associates (BA) in addressing their compliance needs. Solutions range from large governance, risk, and compliance programs to tools that assist in the development of a compliance program. When it comes to ongoing compliance management, Ostendio's My Virtual Compliance Manager™ (MyVCM™) offers a solution that is more than just a tool for an occasional look at the compliance stance of an organization.
