Healthcare Organization Boards’ Responsibilities for Compliance Plan Oversight

The governing board of any health care organization has critical oversight responsibilities for the organization’s compliance plan. To help boards meet these responsibilities, the U.S. Department of Health and Human Services Office of Inspector General (OIG) has issued a new practical guide outlining health care boards’ compliance obligations. The guide, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight,” was created by the OIG in collaboration with the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA) and the Health Care Compliance Association (HCCA).

While not intended to set particular standards of conduct, the guide attempts to provide practical guidance to help governing boards of health care organizations understand and address their compliance responsibilities.   The guide emphasizes the practical, with sections on the OIG’s expectations for board oversight of compliance programs and the interrelationship of audit, compliance and legal functions.  The guide also addresses mechanisms for identifying risks and reporting issues to the board, along with methods of encouraging accountability to achieve compliance objectives.

Although not every compliance measure addressed in the guide may be appropriate for every organization, every board may benefit from additional insight into the regulators’ compliance expectations. The guide can be found at the following link:

© 2015 Houghton Vandenack Williams


EEOC Proposes Rule Regarding Incentives in Employer Wellness Program

On April 20, 2015, the Equal Employment Opportunity Commission (EEOC) published a proposed rule regarding employer wellness programs. Employer wellness programs have been under scrutiny for potential violations of the Americans with Disabilities Act (ADA) and the Health Insurance Portability and Accountability Act (HIPAA) because of questions regarding the “voluntary” nature of participation.

Previous EEOC regulations define voluntary as when “an employer neither requires participation nor penalizes employees who do not participate.” The EEOC is proposing the regulation to add clarity regarding the size of the incentive that may be offered for participation in the wellness program. The proposed rule limits the incentive to 30% of the total cost of employee-only coverage.

The proposed rule will be open to comment for 60 days from April 20. The proposed rule may be found at the following link:

© 2015 Houghton Vandenack Williams


Hospital to Pay $1 Million to Settle HIPAA Privacy Claims

The federal government has made clear that it is serious about enforcing the HIPAA Privacy and Security Rules.  Before HITECH’s data breach notification requirements were in place and being enforced, a Massachusetts General Hospital employee took documents containing protected health information (“PHI”) from her bag and placed them on the seat beside her while commuting on the subway. The documents were left on the subway and never recovered.  Unfortunately, the documents included PHI of 192 patients who had been treated in the hospital’s infectious disease practice, including HIV/AIDS patients. 

The hospital and its physicians’ organization have agreed to pay the federal government $1 million in fines related to the subway incident. The hospital has also agreed to develop a comprehensive new privacy policy to prevent patient information from being compromised in the future, which includes providing training to workers. The hospital is required to remit semi-annual compliance reports to the U.S. Dept. of Health and Human Services for the next three years.

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” HHS Office of Civil Rights Director Georgina Verdugo said in a statement. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

The settlement stems from a 2009 complaint from a patient whose personal health information was lost.

Source: Donnelly, Julie M. Boston Business Journal. 24 Feb. 2011.

© 2011 Parsonage Vandenack Williams LLC


Fraud, Waste and Abuse Training Requirements Eliminated for Providers

A final rule published in the April 15, 2010 Federal Register makes clear that enrolling in Medicare is considered enough proof that providers know about fraud, waste and abuse issues, and that Medicare Advantage (“MA”) plans do not need to require additional compliance training.

In the 2007 MA regulations, CMS stated that it would hold MA plans and Part D sponsors responsible for fraud and abuse training of first-tier and downstream entities that participate in their plans. This would have included providers who contract with many health plans, which means providers would have had to establish many different training programs.

CMS appeared to back away from the requirement in a proposed regulation posted in October 2009.  This latest final rule, which takes effect June 7, 2010, puts the issue to rest.

CMS listened to providers’ complaints about the burden triggered by training requirements from different MA plans, which essentially amounted to CMS being a tad too extreme in its fraud-fighting efforts. CMS wanted to make sure that plans had good compliance programs and that their downstream contractors, such as providers, had them as well.  But pushing the responsibilities onto providers went a little too far.

To comply with all the idiosyncrasies of each plan’s compliance program would have been a logistical nightmare. Now, with the final rule, an unnecessary and basically impossible standard has been made reasonable and providers will not have to deal with the additional training requirements.

© 2010 Parsonage Vandenack Williams LLC
