CMS Provides Guidance on Meaningful Use Appeals Process

CMS has released additional guidance for hospitals and eligible professionals on the Medicare EHR Incentive Program appeals process.  The CMS Office of Clinical Standards and Quality (OCSQ), together with Provider Resources, Inc., the CMS appeals support contractor, will accept and review appeals filed by eligible professionals and hospitals. For those individuals and organizations participating in the Medicaid EHR Incentive Program, each state will have its own process for Medicaid appeals. 

CMS began accepting appeals December 1, 2011.  Appeals may be filed by eligible professionals and hospitals through an online web portal.  In addition to eligibility determinations, eligible professionals and hospitals may appeal denials of status as a meaningful user as well as incentive payment calculations.

For hospitals, the deadline to appeal eligibility determinations has been extended to January 30, 2012.  In general, a hospital or eligible professional has sixty (60) days after the issuance of an incentive payment to appeal the amount of the payment made.  Additionally, hospitals and eligible professionals have thirty (30) days to appeal denials of their status as a meaningful user after receipt of a letter with the results of a meaningful use audit conducted by CMS.  Limited extensions will be granted on a case-by-case basis under extenuating circumstances.

The first OCSQ informal review determination was released on January 19, 2012.  CMS plans on making this and other OCSQ appeals opinions available in February on its EHR Incentive Program Appeals website.  These opinions may provide additional guidance to eligible professionals and hospitals seeking to attest in 2012 for their first payment year.

Over $2 billion paid in Meaningful Use Incentive Payments and Counting

In a report submitted to the Health Information Technology Policy Committee on January 10th, CMS highlighted progress in the Medicare and Medicaid EHR Incentive Programs ("Meaningful Use") and registration and attestation numbers for eligible hospitals and eligible professionals ("EPs"). For 2011, the two programs paid out over $2.5 billion in Meaningful Use incentive payments to EPs and hospitals who attested to Meaningful Use for 2011.

In 2011, 124,089 EPs registered for Medicare, 39,503 EPs registered for Medicaid, and 2,834 hospitals registered for both programs.  Out of the 842 hospitals that attested to Meaningful Use for FY 2011, 100% were successful, with 99% of EPs that attested for 2011 also successful.

CMS has made available additional information on a state-by-state basis which can be viewed on its EHR Data and Reports page.  You'll notice also that CMS has "modernized" the look and feel of its webpages, not only for Meaningful Use, but in general for Medicare, Medicaid and other web resources.   

Hospitals in their second payment year will generally need to meet Stage 1 Meaningful Use requirements for the full 12-month period in FY 2012.  Due to concerns about the ability of EHR vendors to certify their products in compliance with Stage 2 requirements, once finalized, HHS has proposed to delay Stage 2 Meaningful Use, which was originally set to begin in 2013 for those who attested in 2011. 

Input from the vendor community and the provider community makes clear that the current schedule for compliance with Stage 2 meaningful use objectives in 2013 poses a challenge for those who are attesting to meaningful use in 2011.  The current timetable would require EHR vendors to design, develop, and release new functionality, and for providers to upgrade, implement, and begin using the new functionality as early as October 2012.

HHS has indicated that those hospitals and EPs that attested in 2011 would be able to attest to Stage 1 requirements for an additional year, giving them the benefit of attesting to the more lenient Stage 1 requirements again in their third payment year (FY 2013 for hospitals).

The delay is not expected to affect hospitals and EPs who attest to Meaningful Use for their first payment year in 2012.  It would also not affect any hospitals or EPs who attested under Medicaid for "Adoption, Implementation and Upgrade" incentive payments for their first payment year in 2011. 

CMS is expected to formalize this delay in the proposed rule for Stage 2, which is expected to be released this month or in February.  For more information about the Medicare/Medicaid EHR Incentive Programs, visit the CMS EHR Meaningful Use webpage.

Helen Oscislawski Invited to Speak at National HIPAA Summit

I attend the annual National HIPAA Summit in Washington D.C. every year to keep on top of developments with HIPAA and related topics, and so I was thrilled to find out that one of the Co-Chairs of the ONC Privacy and Security Tiger Team recommended that I be asked to speak on HIPAA and its implications on Health Information Exchange (HIE) at this year's event. The 20th National HIPAA Summit will run from March 26-28th and take place at the Renaissance Hotel in Washington, D.C.  You can review the full itinerary here.

I am scheduled to speak on HIPAA and HIE during the afternoon session of March 27 (Day 2), and will be joining Dr. William R. Braithwaite, MD, PhD (aka "Dr. HIPAA"), Joy Pritts, Esq., the Chief Privacy Officer for the ONC, and Deven McGraw, Esq., Co-Chair of the ONC Privacy and Security Tiger Team, who will be speaking on related topics during this afternoon segment.

The annual HIPAA Summit will provide the most up-to-date information on the status and schedule for publication of the new regulations. Comprehensive presentations by leading regulators from the Centers for Medicare & Medicaid Services, the Office for Civil Rights, and the Office of the National Coordinator for Health Information Technology, provide unique insights. Private sector leaders will add practical advice from their many experiences in implementation. The HIPAA Summit will address privacy and security and data breach changes and challenges and the legal and policy issues implicated, as well as electronic health record adoption issues. It will also cover developments and requirements for transactions and code sets and operating rules about how they are being implemented. It will also include training sessions for HIPAA privacy and security professionals who intend to apply for certification. 

see www.hipaasummit.com/overview.html

This is an event not to be missed by anyone who needs to keep on top of the most recent trends and developments in health care information privacy and security.

To register for the HIPAA Summit, visit www.hipaasummit.com/registration.php

For other events which Attorneys at Oscislawski are participating in, visit our new Upcoming Events page.

Yet Another Class-Action Filed After Breaches of Patient Data

In what appears to be the trend in California for 2011, another class-action lawsuit has been filed, this time by patients of the University of California-Los Angeles (UCLA) Health System affected by a data breach in early September of this year.  An external hard drive was stolen from the home of a former UCLA physician that contained the EHR data of over 16,000 patients from July 2007 to July 2011.  No social security numbers, insurance information or credit/account information was included. Although the hard drive was encrypted, a piece of paper with the password was also missing.

Filed in mid-December, the UCLA class-action seeks as much as $16 million, asking $1,000 for each member as well as attorneys' fees and other costs. The underlying data breach is hardly the first headache UCLA has had to deal with, as UCLA paid a handsome $865,500 fine to OCR and developed a plan of corrective action this summer to settle privacy allegations that three UCLA hospitals improperly disclosed the medical records of celebrity patients as a result of employee snooping.

Several other health care entities in California have also recently had class-action lawsuits filed against them.  Stanford Hospital and Clinics (SHC) experienced a data breach in August of 2011 when patient information was mistakenly made available online by one of its third-party vendors and its subcontractor.  Patient names, admittance and discharge dates, and other information remained available on a commercial website for over one year, affecting approximately 20,000 patients.  The class-action lawsuit was filed in October of 2011 and alleges negligence in safeguarding patient information and delays in notifying affected patients.

Sutter Health experienced a data breach in October of 2011 when a rock was thrown into the window of the Sutter Medical Foundation business office. An unencrypted computer was stolen containing names, addresses, birthdates, phone numbers, medical diagnoses and procedures of over 4 million patients.  The class-action lawsuit against Sutter Health was filed in late November on behalf of over 900,000 patients, according to KCRA, and seeks certification of class-action status for the 4+ million patients affected. 

Notably, HIPAA does not authorize private causes of action for violations of the HIPAA Privacy and Security Rules.  The class-action lawsuits were brought under California's confidentiality laws, which, like HIPAA, set forth permissible and prohibited disclosures of patient medical information. 

The California Confidentiality of Medical Information Act gives individuals the right to bring a cause of action for negligent releases of their confidential information or records.  It also grants compensatory and punitive damages, as well as certain attorney fees, to individuals who have suffered economic loss or personal injury from a violation of their confidentiality. In addition, persons and entities face stiff administrative penalties for violations of patient information up to $2,500 per violation for negligent disclosures and $10,000-$25,000 for subsequent violations.

OIG Releases New Fraud and Abuse Advisory Opinion Involving EHR Data Exchange

On December 7, 2011, the Office of the Inspector General (OIG) released an Advisory Opinion regarding a proposed coordination service to facilitate the electronic exchange of data for patient referral purposes.  A health IT company requested the opinion to determine whether its proposed services would be subject to OIG sanctions or civil monetary penalties (CMP) under the Anti-kickback Statute (AKS). The AKS makes it a criminal offense to knowingly and willfully offer, pay, solicit or receive any remuneration to induce or reward referrals of items or services which are reimbursable by a Federal health care program.

Three types of services were offered by the health IT company: billing services, electronic health record (EHR) management services, and automated messaging services for communicating with patients.  These services could be purchased as a package deal or on a monthly basis for a subscription fee.  The Proposed Arrangement, however, would add a new service to coordinate referrals and manage patients receiving services from other health care professionals (the "Coordination Service").

Through the Coordination Service, a trading partner could send referrals as well as all necessary medical records in addition to insurance and billing information.  The patient information would be accessed and exchanged through an electronic database network.  Purchasing the Coordination Service required purchasing the EHR services offered by the health IT company, because all of the patient medical, demographic and other information contained within the EHR had to be available for referral purposes; in exchange, the Proposed Arrangement would offer a discount of approximately 25-35% on the monthly EHR subscription fee. Other transmission, functionality and service fees would be assessed, depending upon the complexity of the services performed and per referral.

Although the Proposed Arrangement did not fit into an AKS Safe Harbor, the OIG determined it would not impose administrative sanctions upon the health IT company if it proceeded with offering the Coordination Services.  Although health care professionals were paying fees in connection with the receipt and transmission of referrals, these did not result in enhanced access to a referral stream.  Health care professionals also were not required to enter into an agreement with the health IT company or purchase the Coordination Service in order to receive a referral through the network.

In addition, the fees reflected the fair market value of the services provided, were based upon the level of services provided, and were assessed regardless of whether a patient followed through on a referral and actually received the referred services, thereby distinguishing them from traditional per-click success fees. The Opinion stated that the independent value provided by the services which were actually paid for was unrelated to inducing referrals, and that the fees charged,

would not vary based on the value of the items or services that a receiving health professional might ultimately provide to Federal health care program beneficiaries.

OIG Advisory Opinions may only be legally relied upon by the party requesting the opinion but can prove useful guidance to other entities in structuring arrangements to comply with the Anti-kickback Statute. You can read the full Advisory Opinion here.  CMS also issues Advisory Opinions pursuant to its authority under the Stark physician self-referral laws.   


OCR Director Reaffirms Commitment to Strengthening Privacy and Security of EHRs

It's no secret that since the days of its enactment, HIPAA enforcement has been lacking on both civil and criminal fronts from the Office for Civil Rights (OCR) and the Department of Justice (DOJ).  However, with increased penalties under HITECH and a renewed commitment by OCR and DOJ towards cracking down on HIPAA violations, Covered Entities and Business Associates have even more reason now to dot their i's and cross their t's, especially with HIPAA audits kicking off this past November.

As providers and hospitals increasingly adopt and utilize EHR systems as part of the Medicare and Medicaid EHR Incentive Programs, the security of these systems (and authority over the system vendors) becomes a critical focus.  The new Director of OCR, Leon Rodriguez, in a recent interview with the Boston Globe said that his office would take a tougher stance on HIPAA with the goal of improving public acceptance of EHRs and that his office was ready to work with EHR providers on security.

Critical to the security of EHRs are the privacy and security responsibilities of Business Associates (and their contractors and subcontractors).  Although HITECH imposed certain HIPAA requirements directly on Business Associates, the Business Associate regulations and a model Business Associate Agreement incorporating the new requirements have yet to be released.  The Notice of Proposed Rulemaking, however, is expected to be forthcoming "soon", according to Director Rodriguez in a presentation given on November 17 at the ONC Grantee and Stakeholder Summit.  In addition, for the time being, the HIPAA Privacy and Security audits will not be conducted directly on Business Associates, but rather, only on those Business Associates connected with a covered entity being audited.

This leaves significant room for confusion in how Business Associates, and in particular, their contractors and subcontractors, will be dealt with by OCR during the course of a HIPAA investigation and who ultimately will be held responsible for a breach of EHR and other patient data.  A great example of this can be found in a recent blog by the President and CEO of the Massachusetts eHealth Collaborative, which as a result of a theft of an employee laptop last year experienced a security breach affecting over 14,000 patients.  

As Deven McGraw, director of the Health Policy Project at the Center for Democracy and Technology, stated, stronger enforcement of HIPAA is critical to the success of EHRs, noting,

"We're just on the back side of the curve of adoption of more robust security.  I'm hoping that in another year, we'll have a little bit of a different picture, but it's not pretty right now."

For a more in-depth look at the issues concerning Business Associates and HIPAA, see the Center for Democracy and Technology's December 15, 2011 post examining the need for clarification in the Business Associate rules.  And, in the words of Director Rodriguez, "stay tuned" for these proposed rules to come "soon". 

California HIE Demonstration Projects to Move Ahead with Opt-In Framework

This past Wednesday, the California Office of Health Information Integrity (CalOHII) released a comprehensive whitepaper examining patient consent and other HIE framework efforts for entities participating in the HIE Demonstration Projects and HIE throughout the state of California. CalOHII is the state entity designated for overseeing HIE in California as well as establishing and administering HIE demonstration projects within the state.  

The whitepaper builds upon initial recommendations of the California Privacy and Security Advisory Board (CalPSAB).  Although CalPSAB had originally proposed a bifurcated consent policy (i.e., opt-out for treatment, opt-in for other purposes or where sensitive information was contained in the medical record), the Board withdrew this recommendation after public concern regarding the cost-effective workability of the policy.

Ultimately, CalPSAB recommended an "opt-in" patient consent framework which this whitepaper incorporates, implementing generally an affirmative consent framework for the demonstration projects.  The demonstration project participants would be required to use CalOHII approved consent forms and adopt CalOHII recommended privacy and security policies and procedures.

Although adopting a stricter approach, the whitepaper echoes the ONC Tiger Team's emphasis on meaningful patient consent, stating,

  ...CalOHII believes that the reading of an informing document and the signing of a consent form is the step at the end of a process - the process of education.  The education of the patient on the various aspects of the electronic exchange of health information, is to guide the patient in making a meaningful decision in giving or not giving his/her consent.

The whitepaper would permit certain exceptions allowing information to be accessed through an HIE without patient consent, namely for public health reporting and emergency "break the glass" situations.  In addition, the HIE demonstration projects are permitted under certain circumstances to request to "Demonstrate Alternative Requirements" (DAR process) in order to present other policies and requirements for implementing patient consent and privacy and security requirements. 

The two demonstration projects chosen for 2011 are the Western Health Information Network (WHIN) and the San Diego Beacon eHealth Community.  Both demonstration projects are currently set to test the opt-in framework as well as the CalOHII privacy and security policies that are to be developed.  The purpose of the demonstration projects is to help evaluate solutions for HIE and to test and develop innovative privacy and security practices.  Regulations for the demonstration projects are expected to be finalized shortly. 

Federal Government Releases Updated DURSA for NHIN Participants

An Amended and Restated DURSA dated May 3, 2011 was released November 30, 2011.  DURSA is an acronym for the "Data Use and Reciprocal Support Agreement."  It is a comprehensive agreement to govern the exchange of health data through the Nationwide Health Information Network Exchange (NHIN).  It is a single multi-party agreement that establishes the rules of engagement and obligations to which all Participants agree and that all Participants sign as a condition of joining the NHIN community. A clean copy of the updated DURSA can be downloaded from the NHIN's Participant "Onboarding" Website, or by clicking here. The Office of the National Coordinator (ONC) has also posted a Redline version comparing the most recent May 2011 version of the DURSA against its predecessor (scroll all the way down to the "DURSA" subcategory).

According to a PowerPoint posted by the ONC that summarizes all the changes to the November 2009 version of the DURSA, here are some of the more significant ones that NHIN Participants can expect:

  • The term “Nationwide Health Information Network” is defined more broadly, and ONC is phasing out its use altogether.
  • The composition of the Coordinating Committee is being downsized/reduced significantly. ONC indicated that the current composition is not scalable given the rapid growth in the number and type of Participants.
  • The definition of "Permitted Purposes" has been revised to support varied types of transactions and not preclude legitimate reasons to transact Message Content including treatment, payment, limited healthcare operations with respect to the patient that is the subject of the data being exchanged, public health activities, meaningful use and disclosures based on an authorization from the individual.
  • Each Participant is required to (i) validate information about its Users prior to issuing the User credentials; (ii) use the credentials to verify the identity of its Users before enabling the User to transact Message Content; and (iii) provide truthful assertions.  The November 2009 version did not specifically require Participants to “identity proof” their Users or explicitly require a Participant to submit truthful information in the assertions and statements that accompany a Message.  At the time, the DURSA developers assumed that these issues would be addressed in the Specifications, but they were not.
  • Combines duties of a responder and requestor into duties of a Submitter, and adds that Messages must comply with Applicable Law, the DURSA, Operating P&P, applicable Performance and Service Specifications. Submitter must represent that all assertions or statements related to the submitted Message are true and accurate. Also, it is the responsibility of the Submitter – the one disclosing the data – to make sure that it has met all legal requirements before disclosing the data, including, but not limited to, obtaining any consent or authorization that is required by law applicable to the responding Participant.
  • Removed the 24 notice requirement to the Coordinating Committee before suspending a Participant.  The government recognized that this process is onerous.  A Participant can now be voluntarily suspended for 5-10 days.
  • The November 2009 version required 2/3 of non-governmental and 2/3 of governmental Participants to approve all changes to the Operating Policies and Procedures.  The government acknowledged that this process has proven itself inefficient and has impeded the Coordinating Committee’s ability to revise the Operating Policies and Procedures.  In the May 2011 version, the process for revising and adopting new Operating Policies & Procedures has been revised.  Prior to approving new Operating P&Ps, the Coordinating Committee will solicit comments from the Participants.  There will be a 30 day objection period once the Coordinating Committee approves new or amended Operating P&Ps.  New or amended Operating P&Ps go into effect unless 1/3 of the Participants object.  If 1/3 object, then 2/3 of non-governmental and 2/3 of governmental Participants must approve before the new or amended OP&Ps become effective.
  • In the Nov 2009 version, approval of new or amended Performance and Service Specifications required the Coordinating Committee to make a determination of “materiality,” which then dictates the Technical Committee’s process of approving the Spec change.  The government noted that the process has proven itself inefficient and has impeded the ability to amend the Performance and Service Specifications and adopt new Performance and Service Specifications.  With the new May 2011 version of the DURSA, new and amended Performance and Service Specifications will be approved in the same way that new and amended Operating P&Ps are approved.

Supreme Court to Hear Arguments on Suit for Damages under the Privacy Act

The Supreme Court is scheduled to hear oral arguments tomorrow, November 30, in a suit for damages under the Privacy Act stemming from a wrongful disclosure of confidential information.  Federal Aviation Administration v. Cooper involves a plaintiff whose HIV information was wrongfully disclosed by federal agencies.  The suit seeks to establish that mental or emotional injuries qualify as "actual damages" for purposes of the civil remedies provision of the Privacy Act, 5 U.S.C. § 552a(g)(4)(A).  The Privacy Act regulates the collection, maintenance, use and disclosure of individuals' information collected by federal agencies.

A private aircraft pilot since 1964, the plaintiff, Stanmore Cooper, was diagnosed with HIV in 1985. Although required to disclose the illness and any medications being taken on his "airman medical certificate," a continuing certification requirement imposed by the FAA for any pilot to legally operate an aircraft, Cooper chose to let his certificate lapse because he would not be permitted to fly if he disclosed his illness.  In 1994, he again submitted the application, choosing not to disclose his HIV status.  For ten years, he continued to renew the application, intentionally omitting his HIV status.

However, Cooper's information was exchanged between the Social Security Administration (SSA) and the FAA as a result of a collaboration between agencies that sought to uncover illicit efforts by pilots to obtain FAA licenses although medically "unfit." This exchange occurred without his authorization.  Cooper had provided information regarding his HIV status to the SSA in his application for long-term disability benefits.  Cooper was eventually indicted on three counts of submitting false statements to the government and lost his pilot's license.

Cooper sued in 2007 alleging that the federal government had "willfully and intentionally" violated the Privacy Act and caused him “to suffer humiliation, embarrassment, mental anguish, fear of social ostracism, and other severe emotional distress.”  The Southern District of California, where the plaintiff's case was originally brought, admitted that the federal government had violated the Privacy Act, but found that regardless, Cooper had not demonstrated the "actual damages" required by the Act.  The Ninth Circuit on appeal reversed, finding mental or emotional distress was sufficient, "given the nature of the injuries that most frequently flow from privacy violations...."

The Supreme Court accepted the government's petition for certiorari in June of 2011. A key issue expected to be tackled by the Supreme Court, according to the prestigious ScotusBlog, is whether the Privacy Act was intended to broadly protect privacy rights against the government's more limited interpretation, an important step for understanding the nature of privacy injuries and privacy law generally.

If the Supreme Court sides with the government, this would not only limit damages to pecuniary ones, but potentially also deter whistleblowers as well as potentially have a negative impact on privacy law in general.  A decision will not be made until spring of next year. For a more in-depth explanation of the issues involved and an overview of tomorrow's Oral Arguments, visit ScotusBlog, or generally, CNN.com.      

HIPAA Audits Begin November 2011, How Can Covered Entities and Business Associates Prepare?

The United States Department of Health and Human Services (HHS) has announced that it will begin HIPAA audits of covered entities and business associates this November 2011, and its contracted auditor, KPMG, is required to audit up to 150 entities by the end of 2012!  HHS’s website provides detailed information regarding when the audits will begin, who may be audited, how the audit program will work, what the general timeline will be for an audit, and, generally, what will happen after an audit is completed. In addition, HHS's sample Audit Letter indicates that KPMG will focus on discovering vulnerabilities in privacy and security compliance programs, and that certain “information” and “documents” will be requested in connection with the audit. However, no additional details are given regarding what covered entities and business associates may be asked to produce. 

Presumably, KPMG will not be letting the HIPAA audit cat out of the bag too soon by telling organizations exactly what information and documents they may ask for in connection with such audits, especially where one of their objectives is to identify gaps in HIPAA compliance. Nevertheless, covered entities and business associates may gain valuable insight into what to expect by looking to past guidance regarding HIPAA audits issued by HHS’s Office of e-Health Standards and Services (the “HIPAA Audit Checklist”), as well as by reviewing HIPAA audits and investigations that have taken place over the last few years.

In its formerly-released HIPAA Audit Checklist, the Office of e-Health lists out the types of personnel that may be interviewed, and the types of policies, procedures and other documentation and evidence that may be requested.  In addition, the audit of Atlanta, Georgia’s Piedmont Hospital is informative. In February of 2007, HHS through the Office of Inspector General conducted a random HIPAA audit of Piedmont Hospital.  The letter to Piedmont’s CIO announced that the focus of the audit would be on the organization’s compliance with the Security Rule and indicated that the audit would begin with an “entrance conference” 10 days after Piedmont’s receipt of the audit letter from the Regional Inspector General for Audit Services (note that the proposed timeframe for the coming KPMG audits is 30-90 calendar days from the date on the applicable HHS Audit Letter).  The Piedmont audit letter also included an enclosure asking for a list of documents and information to be provided, which overlapped significantly with the Office of e-Health’s HIPAA Audit Checklist!

Covered entities and business associates may also glean additional insight from what HHS/OCR has asked for in connection with complaint-driven HIPAA investigations. HHS/OCR has posted on its website several Resolution Agreements with covered entities who have been through a HIPAA investigation.  These agreements also contain hints as to what covered entities and business associates may be asked for during a HIPAA Audit.

Until news of organizations starting to receive HIPAA audit letters starts to trickle out and KPMG begins its work, it is not possible to know exactly what KPMG will ask for and focus on.  Nevertheless, covered entities and business associates should not sit back and take a “wait and see” approach.  Rather, organizations should prepare now by completing an internal review of their HIPAA compliance program to ensure that their policies are current and are being followed by their workforce, and all other required HIPAA documentation is in place and ready to be produced in case a HIPAA Audit letter arrives in the mailbox tomorrow.

Click here to download a copy of our November edition of "Health Law Diagnosis" which includes a list of HIPAA compliance items that all covered entities and business associates should have in order to be prepared for a HIPAA Audit.