Stay updated with the latest in the healthcare and compliance world with our news articles. To sign up for our newsletter for more articles like these, email

CMS Announces Extension for States under Medicaid Home and Community-Based Settings Criteria

CMS Announces Extension for States under Medicaid Home and Community-Based Settings Criteria:

CMS Announces Extension for States under Medicaid Home and Community-Based Settings Criteria
Agency reinforces partnership with states in administering Medicaid Program 

Today, the Centers for Medicare & Medicaid Services (CMS) announced a three-year extension for state Medicaid programs to meet the Home and Community Based Services (HCBS) settings requirements for settings operating before March 17, 2014. This extension is in response to states’ request for more time to demonstrate compliance with the regulatory requirements and ensure compliance activities are collaborative, transparent, and timely.

“Medicaid programs are strongest when states have time to engage with beneficiaries and their families to ensure these programs fit  their choices and needs,” said CMS Administrator Seema Verma. “Extending the HCBS compliance period by three years allows states to work more closely with those they serve, so they can increase the quality of care and minimize the potential for unnecessary disruption in services.”

Today’s announcement builds on a joint commitment from Health and Human Services (HHS) Secretary Tom Price and CMS Administrator Seema Verma to partner with states in improving the Medicaid program and the lives of those it serves. In the March 14, 2017 letter to governors, the HHS leaders laid out a vision of partnership that would provide high quality, sustainable, health care to those who need it most. “We commit to ushering in a new era for the federal and state Medicaid partnership where states have more freedom to design programs that meet the spectrum of diverse needs of their Medicaid population.”

States now have until March 17, 2022 to demonstrate compliance with the final rule. For more information, please visit:

Updated CMS Quarterly Provider Update (QPU) – 2017-02-23

The CMS Quarterly Provider Update (QPU) was updated on 2017-01-26 through 2017-02-17 to include recently published instruction(s) and/or regulation(s). Please view the January 2017 QPU What’s New Page at  for more details.

$2.5 million settlement shows that not understanding HIPAA requirements creates risk – April 24, 2017

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.

No Business Associate Agreement? $31K Mistake – April 20, 2017

The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois.

In August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children’s Digestive Health (CCDH) following an initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015.

For more information on Business Associate Agreements, please visit

Justice Center: Web Submission of Investigation Report Document

By: Complete Compliance Solutions, Dec. 11, 2014. 

The following notice from the New York State Justice Center provides details about the new requirement, effective January 2015, that all investigative material relating to allegations of abuse and neglect be submitted electronically, using their new internet-accessible Web Submission ofInvestigation Report (WSIR) application.

Justice Center WSIR  

OMIG Posts December 2014 Compliance Program Certification Information and Forms

By: Complete Compliance Solutions, Dec. 1, 2014.

This morning, the New York State Office of the Medicaid Inspector General posted the December 2014 Certification period on the OMIG website. Be sure to check the OMIG website for this update and other important information. Webinar #23, “OMIG’s Compliance Certification Process: December Annual and Enrolling Providers,” is also available on the website

LEIE Database Updated with August 2014 Exclusions and Reinstatements 

By: Complete Compliance Solutions, Sept. 15, 2014.

On September 9, OIG updated the LEIE database with August 2014 Exclusions and Reinstatements. Have you checked the new database for important changes?

The Updated database file reflects all OIG exclusion and reinstatement actions, up to and including, those taken in August 2014. Please note that OIG now only archives monthly supplement files for the previous 12 months, so older material is no longer available on the website or via phone.

OIG has added NPIs to LEIE records starting in 2008 and will include NPIs in LEIE records on a forward-going basis. Please note that not every individual or entity that is excluded has an NPI to add. Therefore, many records will not include information in the NPI field.

For more information on how to use and access these databases, watch the instructional video or access the downloadable file from OIG.



Common HIPAA Questions: What Has Changed for Business Associates?

By: Complete Compliance Solutions, Monday, August 11, 2014

One of the biggest changes under HIPAA’s final rule was that business associates of HIPAA covered entities are now directly liable for compliance with certain requirements. With the onset of this rule, OCR can now audit, regulate, and sanction business associates for noncompliance with HIPAA. In order to help you understand more about this new rule, we’ve summarized five of the important points and our suggested takeaways from Healthcare Business Monthly’s article on this issue.

1. A business associate is a “person or entity who performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information”according to HIPAA. These functions or activities include creating, receiving, maintaining, and transmitting PHI.

Take Away: More organizations now qualify as business associates if they maintain PHI even if they don’t’ actually review it- think online storage vendors, cloud service providers, and EHR vendors that give individuals copies of their medical records.

2. The people and entities that make up a covered entities’ workforce are not considered business associates.

Take Away: Those who just allow for the transport of PHI but do not access that information (aside from very infrequently) do not qualify as business associates.

3. HIPAA requires that the disclose of PHI to business associates is defined in a BA agreement.

Take Away: With the onset of the final rule, you need to make sure your BA agreement is up to date. If your existing BA agreement was in compliance with HIPAA before the final rule was issued (Jan 2013), you have a grace period until September 2014 to make sure the new components of the final rule are included in your contract.

4. BA Agreements now require enhanced specifications for business associates and their subcontractors. 

Take Away: BAs must: enter into subcontractor agreements with downstream BAs, comply with the Privacy and Security Rules, report any use or disclosure of PHI to the upstream BA, and ensure that each downstream agreement is at least as strict as the original agreement between the CE and BA. 

5. Make sure you take action towards compliance. 

Take Away: Identify your business associates and subcontractors and make sure these parties understand what is required of them under the final rule. 


Source: Healthcare Business Monthly