October 2024
Q - To clarify what is considered a significant publication or significant communication.
Here is additional language from the Final Rule regarding "significant communications or publications":
- Targeted to beneficiaries, enrollees, applicants, or members of the public, which may include patient handbooks, outreach publications, or written notices pertaining to rights or benefits or requiring a response from an individual.
- OCR intends to interpret "significant communications and significant publications" broadly. OCR aims to maximize covered entities' flexibility, and each covered entity is in the best position to determine which of its communications and publications related to its health programs and activities are significant.
- OCR intends the scope of significant publications and significant communications to include not only documents intended for the public, such as outreach, education, and marketing materials, but also written notices requiring a response from an individual, such as those pertaining to rights or benefits.
- OCR is not adopting an across-the-board requirement for covered entities to translate certain written documents into a threshold number of languages.
(HCP Response) Based on this information, there is room for interpretation regarding OCR's explanation of what constitutes "significant communications or publications." This could include documents such as the NPP and other items required to be given to the patient, as well as new patient materials.
- In our opinion, if you have posted the nondiscrimination notice and taglines in your facility and on your website, and you have a plan to determine what forms/publications require a statement and the top two taglines, then including the statement/top two taglines on future "significant communications or publications" (once older ones have been distributed) will ensure compliance with OCR's requirements.
Q - Do we have to post the nondiscriminatory notice in our office in all 15 languages and then print our office forms (e.g., registration forms, privacy notices, etc.) in each of these languages as well?
Covered entities, including healthcare providers who receive federal financial assistance, must post a notice of nondiscrimination and taglines in the top 15 languages spoken by individuals with LEP in your state. You are not required to post the nondiscrimination notice in all 15 languages; the notice can be posted in English, as long as you provide taglines (a short statement informing people with LEP that free language assistance services are available) in the top 15 languages of your state.
Q Do we need to have a Section 1557 Coordinator in our Organization?
Section 1557 Coordinator and designees. A covered entity that employs fifteen or more persons must designate and authorize at least one employee, a "Section 1557 Coordinator," to coordinate the covered entity's compliance with its responsibilities under section 1557 and this part in its health programs and activities, including the investigation of any grievance communicated to it alleging noncompliance with section 1557 or this part or alleging any action that would be prohibited by section 1557 or this part. A covered entity may assign one or more designees to carry out some of these responsibilities as appropriate. However, the Section 1557 Coordinator must retain ultimate oversight to ensure coordination with the covered entity's compliance with this part.
(HCP Response) Based on this information, we believe that if your organization employs fifteen or more workforce members, an individual must be assigned the role of a Section 1557 Coordinator.
- This may be your compliance officer or other designated individual. These duties include reviewing grievances, record keeping, coordinating the implementation of effective communication procedures, including effective communication with individuals with disabilities, coordinating the implementation of procedures for providing reasonable modifications for individuals with disabilities and implementing training for workforce members.
August 2024
Q - How often do compliance regulations change?
Assessments need to be conducted annually as healthcare compliance regulations are frequently changing.
Q - How is Open AI impacting compliance?
Proper implementation of AI in healthcare must protect the medical practice, its employees, and its patients. Here are some concerns relating to Open AI in healthcare:
Data Breaches: HIPAA's primary concern regarding AI is the storage and processing of patient data. If these systems are not adequately protected, they can become targets for cyber-attacks. Medical practices account for about a quarter of all online cyber-attacks, exposing private patient data and resulting in significant fines.
Inadequate Data Anonymization: AI models rely on substantial datasets to produce results. If patient data is not correctly anonymized, sensitive information might be exposed.
Misuse of Data: A significant concern with AI models is the potential misuse of data. AI algorithms can inadvertently use patient data for purposes beyond the intended scope. For instance, research applications of AI may proceed without proper patient consent, leading to compliance violations.
Insufficient Audit Trails: Proper documentation is critical in healthcare, and audit trails are essential for maintaining HIPAA compliance. Tracking data processed by AI is complex, increasing the risk of violations if proper measures are not in place.
Q What are the recent regulatory updates announced by HHS and the FTC regarding healthcare privacy and breach notifications?
On February 8, 2024, the Department of Health and Human Services (HHS) issued a final rule modifying the Confidentiality of Substance Use Disorder Patient Records regulation (SUD) at 42 CFR part 2 (Part 2). This modification aligns SUD more closely with HIPAA, allowing healthcare providers to use a single consent form and implementing breach notification requirements similar to HIPAA. Additionally, the final rule replaces the criminal penalties in SUD with both civil and criminal enforcement authorities, mirroring HIPAA's enforcement mechanisms.
On April 22, 2024, the HHS Office for Civil Rights issued the final HIPAA Privacy Rule to support reproductive health care privacy, enhancing patient-provider confidentiality for those seeking lawful reproductive health care (RHC). Key updates include prohibiting covered entities from using and disclosing PHI for purposes related to RHC under certain conditions, requiring a signed attestation for requests for PHI potentially related to RHC, and necessitating updates to the Notice of Privacy Practices.
Finally, on April 26, 2024, the Federal Trade Commission (FTC) finalized changes to its Health Breach Notification Rule (HBNR) under a split party-line vote. These changes clarify the applicability of the HBNR to health apps and similar technologies. The rule now mandates that vendors of health records, including health apps—generally not covered by HIPAA—must notify individuals, the FTC, and, in some cases, the media, in the event of a breach or impermissible disclosure of unsecured personally identifiable health data. For further details, refer to the previous alert on the HBNR updates.
June 2024
Q What are the best practices for safeguarding patient data in a digital age?
Safeguarding patient data in the digital age requires a multifaceted approach that includes robust security measures, employee education, and compliance with regulatory frameworks.
- Healthcare organizations should conduct comprehensive risk assessments to identify vulnerabilities and implement measures such as encryption, firewalls, and intrusion detection systems to protect patient data.
- Regular software updates, secure backup systems, and reliable recovery processes are also crucial to ensure data integrity.
- Additionally, organizations should establish clear policies for data handling and sharing, and train employees on these policies to minimize human error.
- Implementing access controls, such as role-based access and multi-factor authentication, can further reduce the risk of unauthorized access.
By adopting these best practices, healthcare organizations can significantly enhance the security of patient data and maintain compliance with regulations like HIPAA.
Q How can healthcare organizations protect against ransomware and other cyber threats?
Healthcare organizations can protect against ransomware and other cyber threats by implementing robust cybersecurity measures. This includes conducting regular vulnerability assessments and penetration testing to identify weaknesses in their systems. Implementing advanced security tools, such as intrusion detection systems and antivirus software, can help detect and prevent cyber-attacks.
Furthermore, organizations should establish incident response plans to quickly respond to security incidents and minimize the impact of a breach. Employee education and training are also essential to prevent human error, which is a common entry point for cybercriminals. Healthcare organizations can reduce the risk of ransomware and other cyber threats by adopting a proactive approach to cybersecurity.
Q What are the legal implications of social media use for healthcare providers, and how can we mitigate risks?
The legal implications of social media use for healthcare providers are significant, as they must comply with regulations like HIPAA and maintain patient confidentiality. Healthcare providers should establish clear social media policies that outline appropriate use and ensure that employees understand the risks of sharing patient information online. Implementing training programs and regular audits can help mitigate risks and ensure compliance.
This cannot be stressed enough: Healthcare providers must be aware of the potential for cyber-attacks/data breaches through social media platforms and take steps to protect their online presence. HCP recommends a cautious approach to social media usage so healthcare providers can minimize legal risks and maintain patient trust.
Q How should organizations handle data breaches and notify affected patients in compliance with HIPAA?
In a data breach, healthcare organizations should have a clear incident response plan so they can respond quickly and minimize the impact. This includes notifying affected patients in compliance with HIPAA regulations, which require notification within 30 days of the breach, and as soon as possible. Organizations should also provide clear instructions on how patients can protect themselves from potential identity theft and offer credit monitoring services if necessary.
Q What are the key elements of a comprehensive cybersecurity policy for healthcare organizations?
A comprehensive cybersecurity policy for healthcare organizations should include several key elements:
- a clear risk management strategy
- robust security measures such as encryption and firewalls
- regular vulnerability assessments and penetration testing
- incident response procedures
- employee training and education
- access controls to minimize unauthorized access
The policy should address compliance with frameworks such as those published by the National Institute of Standards and Technology (NIST) and the HIPAA Security Rule "Cyber Security Guidance Materials" (https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html).
Finally, ensure that all employees understand their roles and responsibilities in maintaining cybersecurity. HHS shares the NIST guidance related to HIPAA, but you can always check out NIST directly for more information, recommendations, and guidance here (https://www.nist.gov/).
May 2024
Q What are the best practices for promoting cultural competence in healthcare settings?
Promoting cultural competence in healthcare settings requires a multifaceted approach. Education and training are essential for healthcare professionals to improve their understanding and skills in working with diverse populations. Culturally sensitive communication is critical, recognizing the complexity of language interpretation and facilitating learning between providers and communities. A diverse workforce that reflects the patient population can also improve patient-provider interactions and satisfaction. Additionally, offering culturally and linguistically appropriate services that respond to individual preferences and needs is crucial. Community engagement and involvement in defining and addressing health disparities are also vital components of promoting cultural competence.
Q How can healthcare providers improve patient engagement and satisfaction among diverse populations?
Healthcare providers can significantly improve patient engagement and satisfaction among diverse populations by delivering culturally competent care that respects and integrates patients' cultural beliefs and values. This involves developing tailored treatment plans that address individual needs and preferences and fostering a patient-centered approach that considers patients' perspectives and values. By facilitating cross-cultural communication, healthcare providers can enhance patient understanding and build trust.
Addressing health disparities by recognizing and tackling differences in healthcare access and outcomes is crucial. By creating an inclusive environment where diverse cultural backgrounds are acknowledged and respected, healthcare providers can ensure that all patients feel valued and understood, leading to higher levels of engagement and satisfaction.
Q What are the key components of an effective cultural competence training program?
Key components of an effective cultural competence training program include:
- Cultural Awareness: Educating healthcare professionals about their own cultural biases and assumptions.
- Cross-Cultural Skills: Teaching cross-cultural communication and interaction skills.
- Cultural Knowledge: Providing knowledge about diverse cultural backgrounds and health beliefs.
- Practice and Feedback: Offering opportunities for practice and feedback to improve cultural competence.
- Organizational Support: Ensuring organizational support and commitment to cultural competence.
Q How can organizations assess and address health disparities within their patient population?
Organizations can assess and address health disparities within their patient population in five key areas:
- Data Analysis: Analyzing data to identify disparities in healthcare access and outcomes.
- Community Engagement: Engaging with the community to understand their needs and preferences.
- Cultural Competence Training: Providing cultural competence training for healthcare professionals.
- Language Access Services: Ensuring language access services are available to address language barriers.
- Quality Improvement Initiatives: Implementing quality improvement initiatives to address disparities and improve health outcomes.
For more information, check out HCP's blog about "Cultural Competency Rules: What Health Providers Must Know Going Forward" here: (https://www.healthcarecompliancepros.com/blog/cultural-competency-rules-what-health-providers-must-know-forward)
April 2024
Q What are the essential elements of a robust corporate compliance program?
An effective compliance program should include the following essential elements:
- Written Policies and Procedures: Clearly define the organization's commitment to compliance with federal and state regulations.
- Designated Compliance Officer and Committee: Appoint a Chief Compliance Officer (CCO) independent from business operations and establish a Corporate Compliance Committee with senior management and departmental representatives.
- Effective Training and Education: Develop and implement regular training programs for all employees and related entities, covering topics such as compliance, HIPAA, fraud, waste, and abuse prevention.
- Strong Lines of Communication: Foster an open and transparent communication environment, encouraging employees to report suspected compliance violations without fear of retaliation.
- Enforcement and Discipline: Clearly define disciplinary actions for non-compliance and apply them consistently and fairly.
- Internal Monitoring and Auditing: Regularly monitor and audit operational activities to identify potential compliance risks.
- Prompt Response to Compliance Issues: Establish a process for investigating reported compliance violations, taking appropriate disciplinary action, and implementing corrective action plans to prevent future violations.
Q How can healthcare organizations detect and prevent fraud, waste, and abuse?
Detecting and preventing fraud, waste, and abuse in healthcare organizations requires a multi-faceted approach. At the core lies a robust compliance program emphasizing regular training, monitoring, and auditing of operational activities. This proactive stance empowers employees to identify potential risks and vulnerabilities within the organization's systems and processes. However, merely having a compliance program is not enough. Healthcare organizations must leverage advanced data analytics and machine learning algorithms to uncover suspicious patterns and anomalies that may indicate fraudulent activities. These sophisticated tools and a confidential reporting system for employees to voice concerns without fear of retaliation create a comprehensive defense against fraud, waste, and abuse. Ultimately, fostering a culture of transparency and collaboration with law enforcement agencies is crucial to staying ahead of ever-evolving schemes and sharing best practices in fraud prevention.
Q What are the latest guidelines from the OIG regarding corporate compliance and fraud prevention?
The Office of Inspector General (OIG) has developed guidelines for corporate compliance and fraud prevention, including:
Seven Fundamental Elements of an Effective Compliance Program:
- View the OIG's PDF Guide here: "The Seven Fundamental Elements of an Effective Compliance Program." (https://oig.hhs.gov/documents/provider-compliance-training/945/Compliance101tips508.pdf)
General Compliance Program Guidance:
- The General Compliance Program Guidance (GCPG) is a reference guide for healthcare professionals and other stakeholders. The GCPG provides information on pertinent federal legislation, compliance program architecture, OIG tools, and other information that might help you understand health care compliance.
- The GCPG is a voluntary guideline that outlines broad compliance risks and compliance initiatives. The GCPG is not legally obligatory on any individual or corporation. Notably, the OIG utilizes the word "should" in the GCPG to give voluntary, nonbinding guidance.
- For more information, view the OIG's guide here: "General Compliance Program Guidance (GCPG)." (https://oig.hhs.gov/compliance/general-compliance-program-guidance/)
Q How should organizations handle whistleblower reports and ensure confidentiality?
Organizations must treat whistleblower reports with the utmost seriousness and confidentiality to foster an environment where employees feel safe to report misconduct without fear of retaliation. This begins with establishing a secure and anonymous reporting system, managed by a designated compliance officer who is trained to handle such sensitive information discreetly.
Upon receiving a report, the compliance officer should initiate a prompt and thorough investigation to address the alleged misconduct. Throughout this process, it is crucial to maintain the confidentiality of the whistleblower to protect them from any potential retaliation.
Additionally, organizations should keep detailed documentation of all reports and the subsequent actions taken, not only to ensure accountability but also to monitor the effectiveness of the compliance program in identifying and mitigating risks.
Q What are the consequences of non-compliance with the False Claims Act?
Non-compliance with the False Claims Act (FCA) carries severe consequences for healthcare organizations, including substantial civil penalties for each false claim filed, and in egregious cases, criminal charges. Organizations may also face exclusion from participating in federal healthcare programs, which can have a devastating impact on their operational consistency and brand reputation. Suffice it to say that non-compliance will always be the most costly option.
Q How can an organization minimize these risks?
The only certain protection against legal scrutiny is an effective compliance program, backed by documentation of the organization's good-faith effort.
To minimize risk, organizations can:
- Implement an effective compliance program: Establishing effective compliance programs that include regular training, monitoring, and auditing.
- Conduct regular risk assessments: Identifying potential risks and vulnerabilities in the organization's systems and processes.
- Implement fraud detection tools: Utilizing data analytics and machine learning algorithms to identify suspicious patterns and anomalies.
- Respond to law enforcement as soon as possible and collaborate: Working with law enforcement agencies to share information and best practices in fraud prevention.
March 2024
Q What are the new OSHA regulations for 2024 that healthcare organizations need to be aware of?
Organizations need to be aware of several new OSHA regulations that aim to enhance workplace safety and reduce the risk of injuries and illnesses. These regulations include expanded electronic submission requirements, new requirements for injury and illness recordkeeping, and a nationwide emphasis program for warehouse and distribution center operations. Healthcare organizations must ensure they understand and comply with these regulations to avoid penalties and maintain a safe work environment.
Q What are the best practices for maintaining an effective OSHA compliance program?
Organizations can prepare for an unexpected OSHA inspection by:
1. Designating a compliance officer: Designate a compliance officer to serve as the primary point of contact during an OSHA inspection.
2. Maintaining accurate and up-to-date records: Ensure that all records, including OSHA 300 logs and hazard assessments, are accurate and up-to-date.
3. Conducting regular self-audits: Conduct regular self-audits to identify and address potential hazards and compliance issues.
4. Developing an OSHA inspection protocol: Develop an OSHA inspection protocol to ensure that employees know what to expect and how to respond during an inspection.
5. Providing regular workforce training: Provide training to employees on OSHA regulations and workplace safety, as well as how to respond during an inspection.
Q How should healthcare facilities conduct a comprehensive workplace hazard assessment?
Conducting a comprehensive workplace hazard assessment in healthcare facilities involves several critical steps. Initially, it's essential to identify potential hazards across various categories, including physical, chemical, biological, and psychological risks. Once identified, each hazard's likelihood and potential impact should be thoroughly evaluated. This evaluation helps prioritize which hazards need immediate attention and mitigation. Implementing appropriate controls and preventive measures is crucial to effectively minimizing the identified risks. Additionally, regular reviews and updates of the hazard assessment are necessary to ensure its continued relevance and effectiveness in addressing new and emerging threats. By following these steps, healthcare facilities can create a safer working environment for their employees.
Q How can organizations prepare for an unexpected OSHA inspection?
The key components of an effective workplace safety training program for healthcare employees include:
- OSHA regulations and compliance: Training on OSHA regulations and compliance requirements.
- Workplace hazards and risk management: Training on identifying and managing workplace hazards and risks.
- Emergency response and preparedness: Training on emergency response and preparedness, including fire safety, evacuation procedures, and more.
- Personal protective equipment (PPE) and safety protocols: Training on the proper use of PPE and safety protocols, such as infection control and bloodborne pathogen protocols.
- Regular refresher training and updates: Regular refresher training and updates to ensure that employees remain knowledgeable and competent in workplace safety and OSHA regulations.
February 2024
Q What are the key HIPAA updates or changes that healthcare organizations should be aware of in 2024?
In 2024, healthcare organizations should be aware of the increased penalties for HIPAA violations and new policy initiatives to scrutinize healthcare-related anticompetitive practices. Additionally, there will be enhanced oversight of private equity (PE) firms' ownership structures and new regulations addressing the use of artificial intelligence in healthcare.
Q What are the best practices for conducting a comprehensive Security Risk Analysis (SRA) to identify potential vulnerabilities?
Best practices for conducting a comprehensive SRA include:
1. Identifying potential vulnerabilities: Conducting a thorough risk assessment to identify potential vulnerabilities in the organization's systems and processes.
2. Evaluating the likelihood and impact of each vulnerability: Assessing the likelihood and potential impact of each identified vulnerability.
3. Prioritizing and mitigating risks: Prioritizing and mitigating the identified risks based on their likelihood and potential impact.
4. Implementing security measures: Implementing security measures to address the identified vulnerabilities.
5. Regularly reviewing and updating the SRA: Regularly reviewing and updating the SRA to ensure that it remains comprehensive and effective.
Q How can healthcare organizations ensure compliance with the latest OCR guidance on patient privacy and data breaches?
Healthcare organizations can ensure compliance with the latest OCR guidance on patient privacy and data breaches by implementing robust compliance programs that include written policies and procedures, training and education, effective lines of communication with the compliance officer, and risk assessments, auditing, and monitoring. They should also be aware of the OCR's December 2022 bulletin, which provides clarity on tracking technologies and how the HIPAA Rules apply.
Q What steps should be taken to protect against the latest cybersecurity threats targeting healthcare data?
To protect against the latest cybersecurity threats, healthcare organizations should implement robust cybersecurity measures, including regular risk assessments, vulnerability scanning, and penetration testing. They should also ensure that their staff is trained on cybersecurity best practices and that they have incident response plans in place in case of a breach. Additionally, they should stay informed about the latest threats and updates from regulatory agencies such as the OCR and the Cybersecurity and Infrastructure Security Agency (CISA).
Q How can healthcare providers ensure their telehealth services remain HIPAA compliant in 2024?
Healthcare providers can ensure their telehealth services remain HIPAA compliant in 2024 by:
1. Implementing robust security measures: Implementing robust security measures to protect patient data, including encryption and secure authentication.
2. Conducting regular risk assessments: Conducting regular risk assessments to identify potential vulnerabilities in their telehealth systems and processes.
3. Providing training to staff: Providing training to staff on HIPAA compliance and cybersecurity best practices.
4. Ensuring business associate agreements are in place: Ensuring that business associate agreements are in place with any vendors or contractors involved in the telehealth services.
5. Staying informed about the latest regulatory updates: Staying informed about the latest regulatory updates and guidance from the OCR and other agencies.
January 2024
Q A healthcare provider is required by state law to offer patients one free copy of their medical records, but HIPAA allows the provider to charge a fee. Does HIPAA supersede State law?
No, in this scenario the health care provider must abide by state legislation and provide the one complimentary copy. HIPAA does not supersede State laws that give people more access rights to their health information than the HIPAA Privacy Rule does, in contrast to State laws that authorize fees that are higher or different than those allowed under HIPAA (See 45 CFR 160.202 and 160.203).
"This includes State laws that: (1) prohibit fees to be charged to provide individuals with copies of their PHI; or (2) allow only lesser fees than what the Privacy Rule would allow to be charged for copies." - HHS
Q When a covered entity uses a patient's payment of the permitted charge for a copy of their PHI to settle an unpaid bill for services rendered, can a health care provider refuse to give the patient the copy even though the patient requested it?
No, just as a covered entity cannot refuse or withhold access to a person's PHI on the grounds that the person has not paid the bill for the medical services the covered entity rendered to them, neither can a covered entity refuse or withhold access on the grounds that the person's payment of the fee for a copy of his PHI was used to settle or cover the person's unpaid medical bill.
Q What are the stages of a record?
The lifecycle of a record includes four basic steps:
- Creation - Once a document is completed, it becomes a record. At this point, it enters the records management cycle.
- Active use - When in active use, records are stored in file folders if they are paper-based, electronically in files on a computer system if they are electronic, or filed on microfilm or other recording media for regular use. As most records age, they are referred to less often. When records reach the time that they are referred to less often than once every six months, they should be moved to less costly storage.
- Inactive use - When records become inactive, they are normally boxed if in paper form or archived electronically to a CD or magnetic tape. Inactive storage is considerably less expensive than active storage and frees up space for active storage of more active records.
- Disposition - The final step in the life cycle of a record is its final disposition. This can mean simple destruction by throwing it in a waste can or having the record shredded or incinerated. Some records should not be destroyed, and there needs to be a way to identify them and store them for very long time periods.
Q When someone just asks to see her PHI at a covered entity—that is, without asking the covered organization to create a copy of the PHI—can they still be assessed a fee?
No. Fees for persons who exercise their right to access their PHI are only applicable when such individuals are receiving a copy of their PHI rather than just viewing and inspecting it. In addition to requiring covered entities to arrange for a suitable time and location for the individual to view their PHI, the HIPAA Privacy Rule gives individuals the right to inspect their PHI maintained in a designated record set. See § (1) and § (2) of 45 CFR 164.524.
As a result, covered entities must set up appropriate processes that allow individuals to view their PHI. Requests for inspection should also result in the least amount of extra work on the part of the entity, especially if the PHI is the kind that can be readily accessed on-site by the entity during regular business hours. If individuals consent to the use of this functionality, covered entities may, for instance, use Certified EHR Technology (CEHRT) to allow individuals to inspect their PHI.
Furthermore, a covered entity is not allowed to charge someone who makes notes, takes pictures of her PHI using a smartphone or other device, or uses other personal resources to record the information while viewing her PHI. The covered entity may not charge a fee for copies of PHI that the individual makes using her own resources since she is the one creating the copies, not the entity. To ensure that an individual's use of her own camera or other device for copying PHI does not interfere with the entity's operations and is used in a way that allows her to copy or otherwise memorialize only the records to which she is entitled, a covered entity may set reasonable policies and safeguards. Furthermore, connecting a personal device to a covered entity's systems is not a requirement for the covered entity.
Q Is it possible for a person's personal representative to request that their health care provider or health plan communicate their personal health information to a third party under the HIPAA right of access?
Yes. A person's personal representative—typically, someone authorized by state law to make health care decisions on the person's behalf—has the right to obtain a copy of PHI about the person in a designated record set and to direct the covered entity, within the scope of that representation and in accordance with the requirements of 45 CFR 164.524, to send a copy of the PHI to another person or entity. See 45 CFR 164.502(g). Requests made by an individual's personal representative to send the individual's PHI to a third party must meet the same standards as those made by the individual (e.g., regarding timeliness, form and format, basis for refusal, fee limitations, etc.).
Q When a person requests access to their PHI, what obligations does a covered entity have when replying to their request?
For the purpose of confirming that the designated third party is an authorized receiver, covered organizations may rely on the written information supplied by the individual regarding the name of the designated person and the address to which to send the PHI. Covered entities must, however, put adequate safeguards in place before fulfilling the request in any other way. For example, they must take reasonable measures to confirm the identity of the person submitting the access request and to ensure that the right data is entered into the covered entity's system. For instance, a covered organization must have reasonable procedures in place to guarantee that the supplied email address is accurately entered into the covered entity's system, even though the covered entity is not required to verify that the person submitted the third party's proper email address.
Moreover, covered entities are accountable for breach reporting, must protect PHI while it is in transit, and may be held accountable for any unauthorized disclosures of PHI, with the exception of the specific circumstances outlined below. The only exception is when a person, who has the right to request it, asks for the PHI to be communicated to a third party via unencrypted email or in another insecure way. The covered entity is exempt from breach reporting obligations and liability for disclosures made during transmission as long as the individual was informed of and consented to the security risks to the PHI connected with the insecure transfer. Furthermore, after the selected third party receives the information as instructed by the individual in the access request, the covered entity is not responsible for what happens to the PHI.
Q What is a covered entity's responsibility under the Breach Notification Rule if it sends a person's PHI to a third party that the person designates access to and later finds out the data was compromised in transit?
In general, a covered entity must notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D, if it finds that the PHI was compromised while it was being transferred to the designated third party and that the PHI was "unsecured PHI" as defined at 45 CFR 164.402. The covered entity is not liable for any disclosure of PHI to the designated third party while it is being transmitted, including any breach notification obligations that would otherwise be necessary, if the individual requested that the PHI be transmitted in an insecure manner (such as unencrypted) and she maintained her preference to have the PHI sent in that manner after being informed of the security risks to the PHI associated with the insecure transmission. Furthermore, after the information is sent to the designated third party under the requester's instructions, a covered entity is not responsible for what happens to the PHI.
The covered entity is exempt from reporting requirements under the Breach Notification Rule if the compromised PHI is "secured" in accordance with the guidelines in the HHS Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (accessible at https://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html).
December 2023
Q How long do HIPAA-related medical records need to be retained?
HIPAA regulations require that all HIPAA-related records and documents be retained for six (6) years. This applies to authorizations, audit records, business associate agreements, and contracts, etc. They may then be destroyed in a manner that does not allow for the disclosure of any PHI (e.g., burning, shredding, etc.).
Q What should be included in a well-documented medical record?
A properly documented medical record should:
- Be complete and legible
- Include the reason for the encounter, any relevant history, physical examination findings, prior diagnostic test results, assessment, clinical impressions or diagnosis, plan for care, the date and identity of the observer
- Include the rationale for ordering diagnostic and other ancillary services
- Support the CPT and ICD-10-CM codes used for claims submission
- Identify appropriate health risk factors
- Document the patient's progress, response to or changes in treatment, or any revision in diagnosis
Q Where should the signed release of information and assignment of benefits forms be kept?
All patients must sign a release of information and assignment of benefits form before they receive services. These forms should be placed in the patient's chart or record after the patient and/or the responsible party signs them. There are strict rules regarding the assignment and reassignment of billing rights in both Medicare and Medicaid programs.
Q How long do the Centers for Medicare & Medicaid Services (CMS) require healthcare providers and organizations to retain patient records for?
CMS requires healthcare providers and organizations to retain patient records for Medicare beneficiaries for at least five (5) years. CMS requires Medicare managed care program providers to retain records for ten (10) years.
November 2024
Q What does the 21st Century Cures Act provide?
The purpose of the Cures Act is to give patients access to their information in a more transparent way. It prohibits information blocking and defines which practices are considered reasonable activities that do not constitute information blocking.
In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).
Q What changes take place in October 2022?
Beginning October 6, 2022, the technical exception for practices regarding their EMRs ends, and all identified electronic PHI will be considered electronic health information (EHI). Patients will have the same rights under the HIPAA Privacy Rule to request a copy of PHI, now known as EHI. ONC also encourages that "Information Blocking Actors respond to requests for access, exchange, or use of EHI with as much EHI as possible in order to promote interoperability and to practice applying the exceptions. In comparison to the far narrower set of data elements, this definition of EHI, inclusive of all electronic PHI in a designated record set, is much more extensive from a coverage standpoint for Information Blocking Actors."
Q How do organizations make sure they are following the rules of the 21st Century Cures Act?
Organizations can comply with the Cures Act requirements by making patient data requests easy and inexpensive. The Cures Act requires practices to allow patients to access their health information from EHRs using an app of their choice, implement policies that prohibit information blocking, and define how the information blocking exceptions might apply to the practice. It states that if a provider does not provide access to a patient's data when requested, they will be given appropriate disincentives as a penalty for information blocking, as stated in the 21st Century Cures Act.
If an EMR does not allow for the appropriate electronic health information (EHI) to be shared with a patient when they have requested it, health care providers could be subject to these disincentives, including not being able to attest to MIPS.
Q What is "Information Blocking"?
Information blocking is defined by the ONC as "a practice that is likely to interfere with access, exchange, or use of EHI, unless the practice is covered by an exception or is otherwise required by law. The standard for information blocking for developers, networks, or exchanges is if they know, or should know, that such practice is likely to interfere with access, exchange, or use of EHI. For health care providers to engage in practices considered information blocking, the provider would need to know that such practice is unreasonable and is likely to interfere with access, exchange, or use of EHI." Any claims or reports of alleged information blocking would be evaluated on the specific circumstances of each situation.
Q What is the Preventing Harm Exception?
An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to prevent harm will not be considered information blocking when the "reasonable belief" and "practice breadth" conditions are met.
October 2023
Q Why should a healthcare practice complete an annual SRA?
Performing an SRA is one of the most important steps a healthcare practice can take to assess their HIPAA compliance on an annual basis. Yet, for many practices, an SRA is just a box to check. Healthcare Compliance Pros recommends that all of our clients complete an initial SRA with us. From there, the SRA should be updated as needed to ensure all threats and risks for the organization have been considered. Subsequent reviews should be completed at least annually thereafter. We understand a HIPAA compliant SRA may be a healthcare organization's best defense in the event of an OCR investigation.
Q What is an SRA, why are they needed, and how often should they be completed?
A Security Risk Analysis (SRA) is "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the organization. This includes all e-PHI that an organization creates, receives, maintains, or transmits. All forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media," are also subject to the assessment. Because risk analysis procedures are unique to each organization, the resources and time required to perform one may vary. HIPAA requires that SRAs be performed "periodically"; HCP recommends performing one at least annually. The findings of an SRA form the foundation upon which every organization should create and institute applicable safeguards. A successful SRA will help you identify potential gaps in your safeguards and identify action items to reduce risk to your organization.
Q If I don't have an EHR, do I have to conduct an SRA?
Yes, an accurate and thorough SRA includes ALL ePHI that is created, received, maintained, or transmitted. This includes billing systems, cloud storage, email applications, copy and fax machines, personal devices such as smartphones, laptops, tablets, and any electronic media involving ePHI. So, even if a healthcare organization doesn't use an EHR, there are most likely other locations that ePHI is stored, meaning an SRA should still be conducted.
Q What is best practice and how often should vulnerability scans and penetration tests be run?
HIPAA does not require vulnerability scans or penetration testing to be performed on a specific timeline. It should be based on the specific needs of the covered entity or business associate. If your organization is looking to maintain a high level of security, vulnerability scanning needs to be added to your information security program. Vulnerability scans should be conducted after any major system, organization, or infrastructure change to ensure you're aware of any security gaps. Overall, an industry best practice is to perform vulnerability scanning at least once per quarter. Quarterly vulnerability scans tend to catch any major security holes that need to be assessed, but depending on your unique organizational needs, you may end up performing scans monthly or even weekly. The best way to assess vulnerability scanning frequency is to thoroughly understand your own security structure and the threats you face.
September 2023
Q Is a Disaster Recovery Plan (DRP) a HIPAA requirement, and what is it?
Yes, HIPAA regulations require every organization to develop and maintain current DRPs. A DRP is a detailed listing of how your organization is set up to deal with potential disasters. It should focus on the results of your analysis of business processes and how to maintain continuity. Disaster prevention is also an essential part of a DRP. While many potential disasters are unavoidable, planning for prevention could lessen the impact on your business processes.
Q Why must I test my DRP?
Once you have developed your DRP, it is essential to determine whether it actually works. By properly testing your DRP, you help avoid unnecessary surprises, and testing allows you to make any changes that prove necessary. Further, a tested plan enables employees to know what to do and to carry out their responsibilities in a disaster. Your DRP must be tested periodically because, as we all know, disasters can happen at any time, and no two situations are the same.
Q What should a DRP include?
Creating a DRP is a unique and precise process for every organization. Each plan will be specific to the organization and will have different key business processes to prepare for as well as different areas of significant impact.
However, the primary goals of a DRP are to:
- Minimize interruptions to crucial business processes.
- Limit the extent of disruption and damage.
- Minimize the financial impact of the interruption.
- Establish alternate ways to continue operating in advance.
- Train all staff on emergency procedures.
- Provide for efficient and prompt restoration of service.
Each organization will need to determine which business processes are most likely to be significantly impacted by an unforeseen event or possible disaster and determine the steps and time it would take to restore those processes.
Q Do I still need a DRP if we save everything on ‘the cloud’?
More than ever, organizations are utilizing external environments to store their ePHI (often referred to as "the cloud"). While there are benefits to using cloud storage, a DRP is still necessary for maintaining your HIPAA compliance. In a cloud setting, disaster recovery planning should include procedures for access to ePHI and for replacement of hardware and software. It should specify the approval process for the use of virtual machines. It should also include information on maintaining crucial business practices if your data is unavailable for a period of time. In a disaster, bandwidth problems, loss of internet access, power loss, and similar issues can make it difficult to gain access to data, even in a cloud environment. It is important to become familiar with the specific protocols of your cloud storage or EMR vendor. You can ask your vendor to provide information on their DRP protocols, including frequency of backups, encryption levels, redundancies, and testing schedules. This information can help you design a DRP that meets both HIPAA requirements and your organization's specific needs.
August 2023
Q Do you have cyber liability insurance?
With the rising rate of cybercrime in the healthcare industry, we recommend that organizations take extra steps to help protect themselves from the high cost of a cyber-attack. One way to do this is to have cyber liability insurance, which is a type of insurance designed to cover costs associated with expenses related to cyber-attacks. These expenses may include costs associated with notifying patients, business interruption expenses, fees associated with bringing systems back online, and potential fines or penalties associated with the incident.
Q Is penetration testing required for an SRA?
While penetration testing is not a named requirement for HIPAA compliance, it is a best practice. The healthcare industry has become a prime target for hackers because of the amount of sensitive data that covered entities and their business associates maintain. As such, covered entities and their business associates need to have policies and processes in place in order to safeguard this data. In order to develop policies and processes that will protect PHI appropriately, a CE needs to know where its vulnerabilities are. Penetration testing is one way to achieve this. In fact, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-66, which recommends implementing penetration testing as part of HIPAA Security to determine potential vulnerabilities and validate that the proper safeguards are in place.
Q What does an ePHI asset inventory need to include?
According to the OCR, an asset inventory includes hardware, software, and data assets. Hardware assets are "Physical elements of the organization's networks and systems, including electronic devices and media." Software assets are "Programs or applications that run on the hardware assets, including databases, email and financial record systems, backup solutions, and anti-malware tools." Data assets are "ePHI that is created, received, maintained, or transmitted on the network or with the hardware assets."
The OCR found that providers frequently do not know where all of their ePHI is located, which creates problems for compliance with the risk analysis requirements of the HIPAA Security Rule. Understanding where your organization stores ePHI is essential to conducting an accurate and thorough risk analysis as required by HIPAA. This is why the OCR specifically recommends that health care providers and business associates create information technology (IT) asset inventories in order to track where electronic protected health information (ePHI) is located within their organization.
July 2023
Q What is workplace violence?
Workplace violence is considered any act or threat of physical violence, harassment, intimidation, or other threatening disruptive behavior that happens in the workplace. It may include threats, verbal abuse, physical assaults, and even homicide. It can affect and involve employees, clients, patients, and visitors.
Q What is workplace harassment?
Workplace harassment involves unwelcome and offensive conduct that is based on race, color, national origin, sex (including pregnancy, gender identity, and sexual orientation), religion, disability, age (age 40 or older), or genetic information. Examples of harassment include offensive or derogatory jokes, racial or ethnic slurs, pressure for dates or sexual favors, unwelcome comments about a person's religion or religious garments, or offensive graffiti, cartoons, or pictures. Sexual harassment includes unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature. Harassment does not have to be of a sexual nature, however, and can include offensive remarks about a person's sex.
Q When is harassment considered illegal?
Not all workplace harassment is illegal. For workplace harassment to be illegal, the conduct must be either severe or pervasive (frequently occurring). It does not have to be both. The laws enforced by the EEOC do not prohibit simple teasing, offhand comments, or isolated incidents that are not very serious.
Q How can organizations make their workplace safer for their employees?
Employers are required to always maintain a safe work environment for all employees. This includes preventing and addressing unsafe work environments, harassment (including sexual harassment), and workplace violence when it arises. Organizations must have policies and procedures, including information on how to prevent and report incidents, that will support their employees' safety from violence and harassment in the workplace.
June 2023 FAQ
Q How can healthcare organizations ensure the confidentiality, integrity, and availability of patient health information?
Healthcare organizations can take several measures to ensure the confidentiality, integrity, and availability of patient health information. Here are some key practices and strategies:
- Implement strong access controls: Use role-based access controls (RBAC) to ensure that only authorized personnel have access to patient health information. Assign appropriate access levels based on job roles and responsibilities.
- Train and educate staff: Provide comprehensive training to all staff members regarding the importance of patient privacy and security. Train them on best practices for handling and safeguarding health information, including the proper use of passwords, encryption, and secure communication channels.
- Encrypt sensitive data: Utilize encryption techniques to protect patient health information both at rest and in transit. This ensures that even if data is compromised, it remains unreadable and unusable to unauthorized individuals.
- Maintain strong physical security: Implement physical security measures such as access controls, video surveillance, and secure storage to prevent unauthorized access to patient records and information.
- Use secure technology: Implement robust security measures for the organization's IT infrastructure, including firewalls, intrusion detection and prevention systems, and regular security audits. Ensure that software and hardware systems are regularly updated with the latest security patches.
- Conduct regular risk assessments: Perform periodic assessments to identify potential vulnerabilities and risks to patient health information. This includes evaluating the security of systems, networks, and applications, as well as assessing risks associated with internal processes and employee practices.
- Enforce strong password policies: Encourage the use of strong, unique passwords and implement policies that require regular password changes. Consider implementing multi-factor authentication for an added layer of security.
- Maintain backups and disaster recovery plans: Regularly back up patient health information and develop comprehensive disaster recovery plans to ensure that data can be restored in case of accidental loss, natural disasters, or cyber-attacks.
- Comply with regulations: Familiarize yourself with relevant data privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and ensure compliance with all applicable requirements.
- Monitor and audit access: Implement monitoring systems to track and log access to patient health information. Regularly review audit logs to identify any unauthorized access attempts or suspicious activities.
- Establish incident response procedures: Develop and regularly update incident response plans to address potential security incidents promptly. This includes procedures for reporting, investigating, and mitigating security breaches or unauthorized disclosures.
- Engage third-party vendors carefully: If working with third-party vendors or service providers who handle patient health information, ensure they have robust security measures in place. Establish clear expectations and contractual agreements regarding data protection and confidentiality.
By implementing these practices, healthcare organizations can significantly enhance the confidentiality, integrity, and availability of patient health information, safeguarding patient privacy and trust.
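The "implement strong access controls" and "monitor and audit access" practices above fit together: an audit log is only useful if someone reviews it against the access policy the organization actually intends. The following added example (written for this page, not code from Healthcare Compliance Pros or any EHR vendor) shows what such a review looks like. The role-to-action policy, the audit log line format, the user and patient identifiers, and the review thresholds are all assumptions made for the example; real EHR audit logs carry the same fields in a different layout.

```python
"""Audit-log review against an RBAC policy for PHI access (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical RBAC policy: the PHI actions each job role is permitted to perform.
ROLE_PERMISSIONS = {
    "physician": {"view_clinical", "update_clinical"},
    "nurse": {"view_clinical", "update_clinical"},
    "billing": {"view_billing"},
    "front_desk": {"view_demographics"},
    "him": {"view_clinical", "export"},  # health information management staff
}

# Review thresholds; assumed values that each organization would tune.
DENIED_THRESHOLD = 3                   # denied attempts by one user before review
VOLUME_THRESHOLD = 5                   # distinct patients viewed by one user ...
VOLUME_WINDOW = timedelta(minutes=10)  # ... inside this window suggests browsing

# Assumed log line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    action: str
    patient: str
    result: str


def parse_line(line):
    """Parse one audit log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return AccessEvent(ts, m["user"], m["role"], m["action"], m["patient"], m["result"])


def review(lines):
    """Return (rule, user, detail) findings for a reviewer to follow up."""
    events = [e for e in (parse_line(line) for line in lines) if e is not None]
    findings = []

    # Rule 1: a successful action the actor's role does not permit. This catches
    # over-provisioned accounts or a policy the system failed to enforce.
    for e in events:
        if e.result == "success" and e.action not in ROLE_PERMISSIONS.get(e.role, set()):
            findings.append(("role_violation", e.user,
                             f"{e.role} performed {e.action} on {e.patient}"))

    # Rule 2: repeated denied attempts by the same user.
    denied = defaultdict(int)
    for e in events:
        if e.result == "denied":
            denied[e.user] += 1
    for user, count in sorted(denied.items()):
        if count >= DENIED_THRESHOLD:
            findings.append(("repeated_denied", user, f"{count} denied attempts"))

    # Rule 3: one user viewing many distinct patients within a short window,
    # the usual signature of records being browsed without a treatment reason.
    views = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.result == "success" and e.action.startswith("view"):
            views[e.user].append(e)
    for user, evs in sorted(views.items()):
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > VOLUME_WINDOW:
                start += 1  # slide the window forward
            distinct = {ev.patient for ev in evs[start:end + 1]}
            if len(distinct) >= VOLUME_THRESHOLD:
                minutes = int(VOLUME_WINDOW.total_seconds() // 60)
                findings.append(("high_volume", user,
                                 f"{len(distinct)} distinct patients viewed within {minutes} min"))
                break  # one finding per user is enough for the reviewer
    return findings


# Constructed sample log: user names and patient IDs are made up for this example.
SAMPLE_LOG = """\
2024-06-03T09:00:00Z user=dr_lee role=physician action=view_clinical patient=P1001 result=success
2024-06-03T09:02:10Z user=dr_lee role=physician action=update_clinical patient=P1001 result=success
2024-06-03T09:05:00Z user=tkim role=front_desk action=view_clinical patient=P1002 result=success
2024-06-03T09:06:00Z user=rpatel role=billing action=view_clinical patient=P1003 result=denied
2024-06-03T09:06:30Z user=rpatel role=billing action=view_clinical patient=P1004 result=denied
2024-06-03T09:07:00Z user=rpatel role=billing action=view_clinical patient=P1005 result=denied
2024-06-03T09:10:00Z user=nurse_a role=nurse action=view_clinical patient=P2001 result=success
2024-06-03T09:11:00Z user=nurse_a role=nurse action=view_clinical patient=P2002 result=success
2024-06-03T09:12:00Z user=nurse_a role=nurse action=view_clinical patient=P2003 result=success
2024-06-03T09:13:00Z user=nurse_a role=nurse action=view_clinical patient=P2004 result=success
2024-06-03T09:14:00Z user=nurse_a role=nurse action=view_clinical patient=P2005 result=success
2024-06-03T09:30:00Z user=rpatel role=billing action=view_billing patient=P1003 result=success
"""


def review_sample():
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, user, detail in review_sample():
        print(f"{rule:16} {user:10} {detail}")
```

On the sample log the review produces three findings: a front-desk account that successfully viewed clinical data its role does not allow, a billing user with three denied attempts, and a nurse who viewed five distinct patients within ten minutes. The third kind of finding is deliberately a prompt for human review rather than an automatic sanction, since a triage or charge nurse can legitimately touch that many charts; the point of the periodic review is to confirm a treatment relationship exists, and to keep the review itself as a record.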
Q What are the legal and regulatory requirements for security risk analysis in the healthcare industry?
In the healthcare industry, security risk analysis is an essential process for protecting sensitive patient information and ensuring compliance with legal and regulatory requirements. The legal and regulatory requirements for security risk analysis in healthcare vary by country and region; the following is an overview of some common requirements in the United States.
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA sets the standard for protecting sensitive patient data, known as protected health information (PHI). Covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, are required to conduct regular security risk analyses as part of their HIPAA compliance efforts.
- HIPAA Security Rule: The HIPAA Security Rule establishes a series of administrative, physical, and technical safeguards that covered entities must implement to protect PHI. Conducting a security risk analysis is a core requirement under the Security Rule, which helps covered entities identify potential vulnerabilities and risks to the confidentiality, integrity, and availability of PHI.
- Centers for Medicare and Medicaid Services (CMS) Promoting Interoperability Programs: Formerly known as the Medicare and Medicaid EHR Incentive Programs, these programs require eligible healthcare providers to conduct a security risk analysis as part of their meaningful use requirements. The analysis helps ensure the protection of electronic health records (EHRs) and the privacy of patient data.
- HITECH Act: The Health Information Technology for Economic and Clinical Health (HITECH) Act reinforces HIPAA regulations and places additional emphasis on the security and privacy of electronic health information. The Act requires covered entities to conduct a security risk analysis and notify affected individuals and regulatory bodies in the event of a data breach.
- State Data Breach Notification Laws: Many U.S. states have their own data breach notification laws that require organizations, including healthcare entities, to notify individuals and appropriate authorities in the event of a security breach. Conducting a security risk analysis is crucial to identifying and mitigating vulnerabilities that could lead to a breach.
It's important to note that these requirements are not exhaustive, and healthcare organizations should consult with legal experts and relevant regulatory bodies to ensure compliance with specific laws and regulations applicable to their jurisdiction. Additionally, other standards and frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, can provide guidance for conducting security risk analyses in the healthcare industry.
Q What are the consequences of not conducting security risk analysis in the healthcare industry?
The consequences of not conducting security risk analysis in
the healthcare industry can be significant and pose serious risks to both
patient data and the overall functioning of healthcare organizations. Here are
some potential consequences:
- Data breaches: Without conducting security risk analysis, healthcare organizations may overlook vulnerabilities in their systems and networks. This increases the likelihood of data breaches, where sensitive patient information such as medical records, personal details, and financial data can be exposed. Data breaches not only compromise patient privacy but can also result in legal and financial liabilities for healthcare providers.
- Patient harm: Inadequate security measures can lead to patient harm. For example, if unauthorized individuals gain access to medical devices or alter patient records, it could potentially impact the accuracy of diagnoses, treatments, and medications. Patient safety can be compromised, leading to incorrect or delayed care, potential medical errors, and adverse health outcomes.
- Legal and regulatory penalties: Many countries have enacted laws and regulations to protect patient data, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. Failure to conduct security risk analysis and comply with these regulations can result in severe legal consequences, including fines, penalties, and legal actions.
- Damage to reputation and trust: A security breach in the healthcare industry can cause significant damage to the reputation and trust of the affected organization. Patients may lose confidence in the healthcare provider's ability to safeguard their sensitive information, leading to a decline in patient volume and potential loss of business. Rebuilding trust after a breach can be a challenging and lengthy process.
- Operational disruptions: Security incidents can disrupt the normal operations of healthcare organizations. Remediation efforts, investigations, and recovery processes can be time-consuming and costly. In some cases, organizations may need to temporarily suspend services, causing inconvenience to patients and potential financial losses.
- Financial impact: Security breaches can result in substantial financial losses. Organizations may face expenses related to incident response, forensic investigations, legal fees, credit monitoring for affected patients, and potential litigation costs. Moreover, organizations may also experience a decline in revenue due to reputational damage and decreased patient confidence.
- Loss of competitive advantage: Healthcare organizations that fail to prioritize security risk analysis may lose their competitive advantage in the industry. Patients and healthcare partners are increasingly valuing privacy and security when choosing providers. Demonstrating a robust security posture and commitment to protecting patient data can differentiate organizations in the marketplace.
Overall, the consequences of not conducting security risk analysis in the healthcare industry can be severe, affecting patient privacy, organizational reputation, financial stability, and patient care quality. It is crucial for healthcare organizations to prioritize security risk analysis and implement appropriate measures to mitigate these risks.
Q Why is it essential to complete a Security Risk Analysis?
The scope of the risk analysis includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all ePHI that our organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes ePHI in all forms of electronic media, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, our organization's risk analysis takes into account all of its ePHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its ePHI.
Q Why does my organization need to document security policies and procedures?
Covered entities are required to maintain implemented policies and procedures in written or electronic format. If an action, activity, or assessment is required, then you must maintain a written or electronic record of the action, activity or assessment. Documentation must be maintained for six years (federal requirement) from the date of its creation or the date when it was last in effect, whichever is later. Documented policies and procedures are required to be available to individuals to whom they pertain. Documented policies and procedures are required to be reviewed periodically and updated as needed.
Q How can healthcare organizations train their staff to be aware of security risks and promote a culture of security?
Training healthcare staff to be aware of security risks and promoting a culture of security is crucial for healthcare organizations to protect patient data and maintain the integrity of their systems. Here are some strategies to achieve that:
- Develop comprehensive security policies: Establish clear and detailed security policies and procedures that outline the organization's expectations for data protection and privacy. Include guidelines for staff on handling sensitive information, using secure communication channels, and adhering to password best practices.
- Conduct regular security training sessions: Provide ongoing training sessions to educate staff about the latest security threats and best practices for data protection.
May 2023 FAQ
Q If fraudulent behavior is reported through the compliance hotline, does it need to be reported to a government agency?
The purpose of a compliance hotline is to provide an anonymous way for individuals to report "suspected" fraudulent behavior. When the report comes in, it is just a report. It must be investigated by the organization. If found to be true, then the organization should determine next steps for dealing with the fraudulent behavior. It could include self-reporting and potentially paying back claims. This decision is typically made by the organization with the guidance of legal counsel.
Q Is Corporate Compliance training only required if the organization is contracted with Medicare?
No. As part of participation in any federal payment program, like Tricare or Medicaid, a provider is required to have an effective corporate compliance program. Part of an effective program includes corporate compliance training. Additionally, many payors are contractually obligated to ensure that all of their FDRs maintain a corporate compliance program. Healthcare providers would be considered an FDR and therefore would be required by their contracts with payors to have a compliance program which includes training.
It's a good idea for our clients who think they don't have to have a corporate compliance program in place to check their payor contracts to see exactly what is required of them and if a corporate compliance program with training is a requirement of their payors. The only time that a corporate compliance program is certain to not be required is if the provider only accepts cash-paying patients.
Q Does the Corporate assessment need to be filled out for each physical location, if there are different tax IDs, or just for the main office?
It is not necessary for each physical location to complete the assessment. However, if each location is billing under a different Tax ID number, then each organization would need to have their own compliance program. Completing our assessment would be a part of that process. Because these situations are so unique, clients should reach out to their support team for additional guidance.
Q Is the hotline only for FW&A or can clients use it as they choose?
It is not used exclusively for FW&A reports. It can be used to report harassment, discrimination, HIPAA violations, etc. Clients can utilize the hotline however they choose.
Q Does a compliance committee meeting need to include a certain number of people and do they need to be the same assigned people each time?
We recommend that the members of the compliance committee include anyone who has oversight over compliance issues: HIPAA, OSHA, contracting, billing/coding, etc. This will include compliance officers and can include other managers/administrators. If not met already through the inclusion of managers, it should also have representatives from the various departments of the organization to make sure that the various needs and perspectives of those departments are being represented. Additional members can be added temporarily as the focus of the compliance activities changes (e.g., an audit or other special project), but the core members will always be the same.
April 2023
Q I have heard the terms "cultural competence," "cultural humility," and "cultural responsiveness." Do these words mean the same?
As in any field or topic of discussion, you can articulate multiple words that mean similar ideas from subtle perspectives, and that is the case with these three terms.
- Cultural competence implies that one can meet the needs of culturally diverse clients. Perhaps a person might shy away from the term's use because of a misconception: you either have or do not have the skills (i.e., that one can actually "arrive," so to speak). However, a person does not arrive at cultural competence. Instead, instructive exposure to diverse cultures, having conversations, routinely discussing diversity, and learning new skills may help us appreciate the perspectives of culturally distinct people.
- Cultural humility is the awareness that working with culturally diverse individuals may require experts who understand a specific culture and thought processes. An individual can remain humble by allowing these experts to help guide this process. This does not mean the practitioner knows nothing. Instead, the practitioner engages each family as unique, from a strengths perspective, and allows for mutual learning toward a common goal: inclusive care.
- Cultural responsiveness helps people learn about culture, ethnicity, and language. The key difference is "responsiveness," which does not imply that one can be perfect and have attained all the skills and views needed to work with culturally diverse clients. It assumes one has the openness to adapt to the cultural needs of those with whom they work.
Q Are cultural competence trainings the way to ensure that my organization is culturally competent?
Cultural competence is an ongoing developmental process. While cultural competence trainings serve as a good means to increase provider knowledge, skills, and awareness, they are insufficient in and of themselves to make your organization culturally competent. Cultural competence trainings work best when they exist within a complete framework that supports them, such as, but certainly not limited to:
- The existence of policies that ensure equitable hiring practices;
- An environment that is welcoming to those of different cultures (e.g., pictures and brochures that have people of different ethnicities or types of families);
- Connections with cultural resources in the community.
Q What is my role as administrator in working towards cultural competence?
As an administrator, you can work to ensure cultural competence in a variety of ways. However, it is important that you see yourself as part of the change process. It does little good to schedule cultural competence trainings for your staff, if you and other administrators do not attend these trainings. You are a cultural being, and as such, you are also prone to bias. Increasing your knowledge, skills, and awareness will help you better scrutinize practices in your organization to ensure that bias does not exist. It also supports your role as a leader and change agent. In addition, your attendance at these workshops also shows your staff how much you care about the ideas of cultural competence. There are other means of working towards cultural competence. Your attendance at trainings alone will not do the trick. You can:
- Avail yourself of resources on cultural competence
- Regularly assess cultural competence on both the practitioner and organizational level
- Include items that assess progress towards becoming culturally competent in staff evaluations
- Include cultural competence in your strategic plan
- Enact policies that make cultural competence a priority
- Recruit staff that is representative of the population you serve
- Reward & incentivize personal and professional attempts at becoming more culturally competent
- Engage your staff in regular discussions about diversity
- Consider culture in treatment planning and staff meetings
- Form relationships with cultural brokers/liaisons/resources in your community and seek their expertise when in doubt
- Evaluate whether or not there are barriers to service provision based on cultural preference for treatment options
There are many things that can be done at the level of administration. This list is not exhaustive, but will definitely point you in the right direction.
Q What is ethnicity? How is it different from race?
Ethnicity and race are often spoken about interchangeably, but they are not the same. Ethnicity refers to one's ethnic culture; the vast structures of behaviors, ideas, values, habits, rituals, ceremonies, and practices common to a particular group of people that provides them with a general design for living and patterns for interpreting reality. Conversely, race is a fictitious construct. There is no biological basis for race. That being said, when we say, "Race," we typically are identifying people by skin color; black, white, Asian or Indian. Race, or skin color, is not a way to identify ethnicity or culture. One can be a black American or a white American. As well as one can be a black Trinidadian or an Indian Trinidadian; a white Puerto Rican or a black Puerto Rican. The two often intersect.
Q What are the typical areas in which there will be cross-cultural differences?
Kevin Avruch and Peter Black, who primarily work from the business relations perspective, outline six fundamental patterns of cross-cultural differences:
- Communication styles
- Attitudes towards conflict
- Approaches to completing tasks
- Decision making styles
- Attitudes towards disclosure
- Approaches to knowing
A simple Google search for these authors will yield detailed, insightful information with definitions and examples of what these differences mean as well as what they look like. However, as it pertains to mental health, there will be more differences, such as differences in the ways in which we describe these issues (some cultures have a limited vocabulary for emotion words, and the notion of "mental illness" does not exist), differences in what we think causes these issues ("God must be mad with us," "She is being punished for her early promiscuity," etc.), and differences in the ways we think we should go about solving these problems (individual therapy, medication management, prayer, reiki, chi gong, meditation, etc.).
Q Why does cultural competence matter?
Cultural competence is essential for a few reasons. The first major reason is because we live in a diverse society. We are diverse with respect to race/ethnicity, social class, gender, sexual orientation, ability, age and religion/spirituality. It should not be assumed that any perspective is better than the other. Each perspective is valid. Despite this truth, those who have traditionally been in positions of power have made rules and policies that are reflective of their cultural points of view, without realizing that they look at the world from a particular cultural lens. This unintentional bias has resulted in such things as the overrepresentation of African American and Hispanic groups in prison, juvenile detention, special education and foster care. In addition, these and other ethnic minority groups have been underrepresented in less punitive, treatment-oriented systems such as mental health and inpatient facilities.
Q We talk about ethnicity a lot, are there other culture or diversity issues we should be aware of?
March 2023
Q How does OSHA define a recordable injury or illness?
- Any work-related fatality.
- Any work-related injury or illness that results in loss of consciousness, days away from work, restricted work, or transfer to another job.
- Any work-related injury or illness requiring medical treatment beyond first aid.
- Any work-related diagnosed case of cancer, chronic irreversible diseases, fractured or cracked bones or teeth, and punctured eardrums.
- There are also special recording criteria for work-related cases involving: needlesticks and sharps injuries; medical removal; hearing loss; and tuberculosis.
Q How does OSHA define first aid?
- Using a non-prescription medication at nonprescription strength (for medications available in both prescription and non-prescription form, a recommendation by a physician or other licensed health care professional to use a non-prescription medication at prescription strength is considered medical treatment for recordkeeping purposes);
- Administering tetanus immunizations (other immunizations, such as Hepatitis B vaccine or rabies vaccine, are considered medical treatment);
- Cleaning, flushing or soaking wounds on the surface of the skin;
- Using wound coverings such as bandages, Band-Aids™, gauze pads, etc.; or using butterfly bandages or Steri-Strips™ (other wound closing devices such as sutures, staples, etc., are considered medical treatment);
- Using hot or cold therapy;
- Using any non-rigid means of support, such as elastic bandages, wraps, non-rigid back belts, etc. (devices with rigid stays or other systems designed to immobilize parts of the body are considered medical treatment for recordkeeping purposes);
- Using temporary immobilization devices while transporting an accident victim (e.g., splints, slings, neck collars, back boards, etc.);
- Drilling of a fingernail or toenail to relieve pressure, or draining fluid from a blister;
- Using eye patches;
- Removing foreign bodies from the eye using only irrigation or a cotton swab;
- Removing splinters or foreign material from areas other than the eye by irrigation, tweezers, cotton swabs or other simple means;
- Using finger guards;
- Using massages (physical therapy or chiropractic treatment are considered medical treatment for recordkeeping purposes); or
- Drinking fluids for relief of heat stress.
Q What is the HIPAA Breach Notification Rule?
The Breach Notification Rule says that covered entities and business associates must tell affected patients, HHS, and the media when there is a breach of PHI. You must notify authorities of most breaches without reasonable delay and no later than 60 days after discovering the breach. Submit notifications of smaller breaches affecting fewer than 500 patients to HHS annually.
Most of the time, a HIPAA breach is an unauthorized use, transmission, or disclosure of PHI that compromises its security or privacy. If PHI is used or shared without permission, this is a breach, unless a risk assessment shows that there is a low probability that the PHI has been compromised. The severity of a breach incident is determined by factors including, but not limited to:
- The nature and extent of the PHI involved (e.g., the types of identifiers and the likelihood of re-identification)
- The unauthorized person who used the PHI or to whom the PHI was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
HIPAA requirements detail how a covered entity and business associate can handle protected health information (PHI). When a covered entity discovers a breach of unsecured PHI, the Department of Health and Human Services (HHS.gov) sets different recordkeeping and notification requirements depending on the severity of the incident.
More specific information about "Submitting Notice of a Breach to the Secretary" is available here: (https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html)
Q What if a PHI breach incident affects 500 or more individuals?
The HIPAA Breach Notification Rule outlines the requirements for breach incidents affecting 500 or more individuals. A covered entity must notify the Secretary within 60 days of discovering a breach of unsecured protected health information (PHI) affecting 500 or more individuals. The covered entity must submit the breach notification form electronically and fill out all essential fields of the breach notification form.
View a list of breaches affecting 500 or more individuals on the OCR Portal here: (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
Q What if a PHI breach incident affects fewer than 500 individuals?
For breaches that affect fewer than 500 individuals, a covered entity shall notify the Secretary within 60 days of the end of the calendar year in which a breach of unsecured protected health information (PHI) affecting fewer than 500 people was discovered. A covered entity may report breaches affecting fewer than 500 people as soon as they are discovered. The covered entity may submit notice of all breaches affecting fewer than 500 people on one date, but each breach incident must be reported separately. The covered entity must fill out the breach notification form to submit the notice electronically.
Q Who enforces HIPAA rules and regulations?
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is the primary enforcement agency for the rules set within the Health Insurance Portability and Accountability Act (HIPAA). Its aim is to enforce safeguards that ensure the privacy and security of protected health information (PHI).
Q Who must comply with HIPAA rules?
Covered entities and business associates must follow HIPAA rules. The goal is to protect the privacy and security of protected health information (PHI) and ensure patients' right of access. Examples of a Covered Entity may include, but are not limited to:
A Healthcare Provider:
- Doctors
- Clinics
- Psychologists
- Dentists
- Chiropractors
- Nursing Homes
- Pharmacies
A Health Plan:
- Health insurance companies
- Health Maintenance Organizations (HMO)
- Company health plans
- Government programs that pay for health care, including Medicare, Medicaid, Military, and Veterans' health care programs
A Health Care Clearinghouse:
- Including establishments that process nonstandard health information received from another entity into a standard format (i.e., standard data content or standard electronic formats), or vice versa.
If you don't meet the definition of a covered entity or business associate, you don't have to comply with the HIPAA rules. For definitions of covered entities and business associates, see 45 CFR 160.103 (https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103)
February 2023
Q Can biohazard specimen bags be reused if not visibly soiled?
Biohazard specimen transport bags should not be reused. Best practice and OSHA's recommendation is to dispose of each bag after use. Looking for visible contamination is not infallible because certain body fluids are colorless, meaning that although you may not see a spill, there is still the possibility of contamination. While the idea of reusing them to reduce waste is a valid one, the need for infection control precautions outweighs financial or excess trash considerations.
Q How long should autoclave results logs be kept?
We recommend following the CDC's guidelines as a best practice and retaining them for at least 3 years or as long as your state law requires if it is a longer timeframe. Healthcare providers may want to check with their local health department as well to see if there are local retention requirements.
Q Should a healthcare provider keep a log of biohazardous waste that is collected from them for disposal?
Yes, we recommend maintaining a log of when the hazardous waste is collected and removed from a healthcare provider's facility in addition to when they received the manifest that it was destroyed. Additionally, federal regulations require providers to keep the manifest, along with the biohazardous waste log and any other pertinent documents related to the packaging, storage, transport, or disposal of the medical waste for at least 3 years. HCP has a sample log available for clients to use when tracking the removal of biohazard waste, along with the transporter and date the certification of destruction is received.
Q What is considered “regulated waste”?
OSHA's Bloodborne Pathogens Standard uses the term, "regulated waste," to refer to the following categories of waste:
- liquid or semi-liquid blood or other potentially infectious materials (OPIM)
- items contaminated with blood or OPIM and which would release these substances in a liquid or semi-liquid state if compressed
- items that are caked with dried blood or OPIM and are capable of releasing these materials during handling
- contaminated sharps
- pathological and microbiological wastes containing blood or OPIM.
January 2023
Q What are the differences between personal and professional use on social media platforms?
Personal use of social media is often defined as social media use on an account registered to an individual that is not used for business purposes. Professional use is generally using social media for approved business purposes on behalf of an account registered to an organization, practice, or provider.
Q Can organizations respond directly to patients who post comments or questions on social media?
When posting a response to a question, use limited information and suggest another communication method. If a patient asks you a question on a social media platform that could potentially lead to a disclosure of PHI, it would be best to suggest the patient contact you using a more private form of communication. It is important to limit unnecessary or inappropriate access to and disclosure of PHI. Avoid accessing or discussing PHI that is not essential to the task at hand.
When posting on your personal social media account, if it is something you don't want the public to know or access, it is also a good idea to use a private form of communication instead. This includes when sharing information in "private" groups.
Q What are the risks involved with making social media posts?
Whether you are posting on your own or a professional account, it is important to understand the potential risks.
Some risks include:
- Anything that is posted has a risk of receiving negative feedback from the public that could hurt the success of the business and its reputation.
- Accidental sharing in a post of PHI, proprietary information, or other content that could be used by those with malicious intent.
- Having a difficult time managing and/or responding to posts and comments from users. Organizations need to train employees on how to respond to negative or inaccurate statements made on their posts.
Q If your organization has a social media account for professional use, what should be included in a social media policy for employees?
You may have language in place in a social media policy that states whether personal use of social media is or is not permitted during business hours. Your policy may also explain the professional use of social media on behalf of the organization, practice, or provider. In other words, who should post, who should update, what should be published, etc. We have a Social Media template available for customization for your organization. Ask your support team for access.
Q Can healthcare organizations post pictures?
Never post any photos involving patients without authorization! Even then, be extremely cautious and always have written authorization. When pictures or patient information are used for purposes other than Treatment, Payment, and Operations (TPO), a valid HIPAA authorization must be obtained from the patient or the patient's legally authorized representative. This includes when posting on social media. When in doubt, check with your compliance officer before posting anything that could be considered PHI.
December 2022
Q What if we are a non-medical facility? Does HCP offer a compliance program that suits us?
Yes! HCP offers a program tailored for Non-Medical Facilities. We help you maintain compliance with the following areas: OSHA, Human Resources, and Learning Management System. Working with HCP means you no longer have to wonder if you comply with your industry requirements.
Q We are Business Associates. How can HCP help support us in our compliance journey?
HCP offers a Healthcare Business Associate Package. That package helps you maintain compliance as it applies to HIPAA, Corporate, Human Resources, and Learning Management Systems, with an optional Compliance Risk Analyzer.
Q With so many compliance programs out there, what sets HCP apart from its competitors?
With HCP, you get a custom program tailored to meet your needs and have access to a dedicated support team that is there to work with you every step of the way. With our support team, you have a group personally dedicated to your facility. They are consistently monitoring your program and reaching out to you with quarterly updates to keep you informed on how you are doing and assist you with any areas that need improvement. You also have the ability to meet with your support team and discuss any questions or concerns that may arise. You will have their direct phone numbers and email addresses. So please, reach out to them and you will truly see the value of HCP's Compliance Services, and why our Support Team is one of our best features!
Q How is our Employee Handbook incorporated into HCP online training?
Healthcare Compliance Pros provides your organization with HIPAA Privacy, HIPAA Security, Corporate Compliance, OSHA, and Human Resources policies and procedures. While these policies and procedures are a blanket set, meaning they ensure your organization follows Federal requirements, taking some time to add language specific to your organization is an important step. (The first step of our program is completing the Organization Questionnaire; we take your answers and incorporate them into the compliance training.)
Q How does HCP help us stay compliant?
Being Compliant is a process that does not need to be completed all at once and doesn't need to be complicated. Rather, it is an ongoing process that we will be working with you to complete. For example, when you submit a Security Risk Analysis (SRA), a big part of that process is discussing HIPAA Security Policies and Procedures - addressable and required. Most of the policies that are discussed in your SRA, in addition to HIPAA Privacy policies and procedures, are included in our training modules.
Q How often does HCP update their training information?
Whether HIPAA, OSHA, Corporate Compliance, and/or Human Resources, the policies and procedures are always reviewed and updated, as necessary. These policies and procedures are always available wherever you have internet access, can be printed out as necessary, and provide a good way for your employees to complete their training.
Q What are the seven elements from The Office of Inspector General (OIG) for an effective compliance program, and how can Healthcare Compliance Pros (HCP) help me?
- Implementing written policies, procedures, and standards of conduct: HCP has customized training modules, policies, and procedures for your organization. We also have a huge library of sample policies, procedures, and forms.
- Designating a compliance officer and compliance committee: Once you have designated a compliance committee, HCP can help store your compliance committee meeting minutes.
- Conducting effective training and education: HCP has many training modules from Compliance, Code of Conduct, HIPAA, OSHA, HR, and many more, all of which are customizable for your organization.
- Developing effective lines of communication: HCP can also help your organization establish an anonymous hotline.
- Conducting internal monitoring and auditing: HCP is here to help check your employees and vendors monthly against the OIG Exclusion List and the SAM List. We can even help run background checks. We also have a HIPAA incident reporting log that can help you determine if an incident is reportable or not reportable and provide steps in the mitigation process. We also offer a billing and coding audit service through our Compliance Risk Analyzer (CRA).
- Enforcing standards through well-publicized disciplinary guidelines: HCP can help you develop a disciplinary policy, as we offer many sample templates of policies and procedures.
- Responding promptly to detected offenses and undertaking corrective action: HCP has several ways to help you track and log compliance and HIPAA issues, along with forms to help you through the process of logging and responding and putting a corrective action plan in place. Plus, we also offer an anonymous hotline for your employees to report compliance issues.
November 2022
Q What are the seven elements of an effective compliance program?
1) Written Policies and Procedures
2) Designation of a Compliance Officer and a Compliance Committee
3) Training and education
4) Auditing and monitoring
5) Open lines of communication
6) Response to detected problems and correction
7) Enforcement of disciplinary standards
Q How do you know what is expected of you?
Standards of Conduct (or a Code of Conduct) state the organization's compliance expectations and its operational principles and values.
Q Is Corporate Compliance Training only required if the organization is contracted with Medicare?
No. Participation in any federal health care program, such as TRICARE or Medicaid, requires a provider to have an effective corporate compliance program, and corporate compliance training is part of an effective program. In addition, many payors contract with CMS in some way and, as part of that relationship, require all of their contracted providers to maintain a corporate compliance program, regardless of whether the provider participates in a federal payment program directly. Clients who believe they do not need a corporate compliance program should check their payor contracts to see exactly what is required of them and whether a compliance program with training is a contractual requirement. The only case in which a corporate compliance program is certain not to be required is a provider that accepts only cash-paying patients.
Q Are there compliance policies and procedures that should be in place if an employee is allowed to work remotely from home?
Healthcare providers are required to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect PHI and ePHI. They may allow employees to work from home as long as they have conducted a risk analysis and implemented appropriate safeguards for the ePHI that will be accessed and transmitted remotely; that analysis should cover the devices used at home, the connection used to reach ePHI, and where ePHI might be stored or printed outside the facility. Employees who work from home must follow the same security protocols as employees who work onsite, and they still need to complete training on the organization's HIPAA Privacy and HIPAA Security policies and procedures.
October 2022
Q Are there penalties for not training employees on Fraud, Waste, and Abuse (FWA) laws?
Yes. Laws and regulations exist that prohibit FWA. CMS and the OIG have stated that organizations must create and implement effective training and education on these laws and have policies and procedures in place to maintain compliance. Penalties for violating these laws may include but are not limited to civil monetary penalties, civil prosecution, criminal conviction, fines, exclusion from all federal healthcare program participation, imprisonment, and loss of professional license.
Q What are the consequences of violating the False Claims Act?
Knowingly submitting false or fraudulent claims to Medicare or Medicaid is illegal. A violation can result in liability for up to three times the program's loss (treble damages) plus a civil penalty of up to $11,000 per false claim filed. The per-claim penalty is the base statutory figure and is adjusted periodically for inflation, so the amount actually assessed today is higher; check the current published figure.
Q What penalties can you face for violating any of the laws or regulations of fraud, waste, and abuse?
Penalties for violating these laws may include, but are not limited to, civil monetary penalties, civil prosecution, criminal conviction and fines, exclusion from participation in all federal health care programs, imprisonment, and even loss of the provider's license.
Q What sets Fraud apart from Waste and Abuse? And what are the consequences of Fraud?
Fraud requires that the person intends to obtain payment and knows that their actions are wrong. Waste and abuse may also involve obtaining an improper payment, but they do not require the same intent and knowledge. Fraud, the most severe of the three, has a devastating impact not only on the practice but on its victims. Criminal penalties for submitting fraudulent claims include imprisonment and criminal fines, and no one is exempt from these consequences; even physicians have gone to prison for submitting false claims.
Q How serious is information blocking?
The 21st Century Cures Act empowers the HHS Office of Inspector General (OIG) to impose civil monetary penalties of up to $1 million per violation on developers of certified health IT, health information networks, and health information exchanges that interfere with the access, exchange, or use of electronic health information (EHI). Health care providers that engage in information blocking are not subject to these CMPs but to separate disincentives established by HHS. Put simply, blocking health information is illegal.
Q How has the pandemic made fraud prevention more difficult?
The increase in remote work has made it more difficult to prevent fraud within organizations, and the new working environment has brought a rise in security and fraud risk. A major reason for this rise is that more than a third of organizations report that they do not have suitable fraud prevention and response plans in place.
Q What are the most common types of fraud the government is seeing this year?
Kickback schemes, medically unnecessary services, failure to properly charge Medicare/Medicaid patients for prescriptions, allowing nurses and staff to perform examinations (or, more generally, any staff member performing outside their job duties, knowledge, or training), and upcoding.
Q What is the importance of completing compliance training?
When considering the requirement to provide a security awareness and training program, there are many real-life examples to learn from. For example, a recent Office for Civil Rights (OCR) investigation found long-standing non-compliance with the HIPAA Rules at an entity, including failures to conduct a security risk analysis, provide a security awareness training program, and implement HIPAA Security Rule policies and procedures. As a result, the entity agreed to pay OCR $65,000 and adopt a corrective action plan to settle these violations of the HIPAA Security Rule.
Q Why is it essential to run my physicians, employees, and vendors through the OIG and SAM Exclusion List?
The Office of Inspector General was established to identify and eliminate fraud, waste, and abuse in the programs of the U.S. Department of Health and Human Services. The Secretary delegated to the OIG the authority to exclude individuals and entities that have engaged in fraud or abuse from participation in Medicare, Medicaid, and other federal health care programs, and to impose civil money penalties (CMPs) for misconduct related to federal health care programs. Employing or contracting with an excluded person can itself trigger CMPs: in one recent example, an eye care provider paid civil monetary penalties of $17,562.24 for employing an individual excluded from participation in the federal health care programs. Because the exclusion lists change over time, screening should be done before hire or contracting and then on a recurring basis, not just once.
September 2022
Q With COVID-19 transmission predicted to go up this fall, what can employers do to be prepared to operate during high-transmission time periods?
Healthcare organizations should follow the CDC's and OSHA's recommendations to prepare for outbreaks of varying severity. Additionally, the CDC recommends encouraging everyday preventive actions for employees, such as staying home when sick, covering coughs and sneezes with tissues, washing hands with soap and water for at least 20 seconds as often as possible, using a hand sanitizer with at least 60% alcohol when soap and water are not available, and cleaning frequently touched surfaces and objects.
Beyond that, public health officials recommend nonpharmaceutical interventions (NPIs) to prevent the spread of communicable diseases. These additional actions include allowing staff members to telework, flexibility in allowing staff to stay home if they or someone in their household is sick, increasing the space between staff at work as much as possible (and at least 3 feet), decreasing the frequency of contact among staff members, considering postponing or canceling work events, and canceling or postponing non-essential work travel.
Finally, because this is an evolving situation and the CDC issues new guidance regularly, we recommend keeping up with news of the COVID-19 outbreak, following the instructions of public health officials, updating your policies to stay in line with new recommendations as they are announced, and providing employees with accurate and consistent information that reflects the guidelines of OSHA, the CDC, and any other government agencies that issue them.
Q What are the PPE requirements for administrative and clinical employees concerning COVID-19 exposure, including those clinical employees who perform aerosol-generating procedures (AGP)?
OSHA's guidance refers to the CDC's infection control guidance. In addition, a healthcare facility must conduct a risk assessment to determine which employees are at risk, what the risk is, and what PPE is appropriate to provide. Regardless of the risk, standard precautions should always be followed, and transmission-based precautions should be implemented when in contact with a suspected or confirmed COVID-19 patient.
The CDC states that healthcare facilities should implement universal use of PPE by healthcare personnel. In areas of substantial or high transmission, all employees should be provided additional PPE based on their job responsibilities. Under the CDC's guidance, clinical employees who perform aerosol-generating procedures on patients with suspected or confirmed COVID-19 should use respiratory protection (an N95 or higher-level respirator) together with eye protection, a gown, and gloves.
Q What portions of the OSHA COVID-19 Healthcare ETS are still in effect?
Q Should an employer include an employee's name on a sharps injury log?
A sharps injury log is intended to track injuries and the departments, devices, or procedures that cause them, not to track the injured employees. As such, the sharps injury log does not need to include the employee's name; in fact, OSHA states that including names jeopardizes employee confidentiality. If an employer chooses to keep employee names on the log, the names must be removed before the log is shared with anyone so that the employee information stays confidential. The bloodborne pathogen exposure incident report completed after an exposure incident, however, should include the employee's information, the circumstances leading to the incident, and related details, and should be kept in the employee's medical record.
Q What should clients consider when designating an infection control safety coordinator?
The infection control safety coordinator should be someone who can understand and identify infectious disease hazards in the workplace and who is knowledgeable in infection control principles and practices as they apply to the workplace and to employees' job operations. The safety coordinator must also have the authority to ensure compliance with all aspects of the organization's infectious disease plan so that they can take prompt corrective measures when hazards are identified.
The designated safety coordinator should implement and monitor the infectious disease plan, but the exact responsibilities of the role may vary based on the employer and the workplace.
Q Do OSHA regulations and standards apply to the home office?
The Department of Labor's Occupational Safety and Health Administration (OSHA) does not have any regulations specific to telework in home offices. The agency issued a directive in February 2000 stating that it will not conduct inspections of employees' home offices, will not hold employers liable for employees' home offices, and does not expect employers to inspect the home offices of their employees. If OSHA receives a complaint about a home office, the complainant will be advised of OSHA's policy. If an employee makes a specific request, OSHA may informally let the employer know of complaints about home office conditions but will not follow up with the employer or the employee. Note that this policy is limited to home offices; the same directive treats other home-based worksites, such as home manufacturing operations, differently, and OSHA may inspect those in response to a complaint or referral.
Employers who are required to keep records of work-related injuries and illnesses remain responsible for recording injuries and illnesses that occur in a home office.
Q Are employers required to have all employees vaccinated against Hepatitis B?
No. Employers are required to offer the Hepatitis B vaccine, at no cost to the employee, to employees with occupational exposure in order to comply with OSHA's Bloodborne Pathogens Standard, 29 CFR 1910.1030. Employees may decline the vaccine, but they must sign the declination statement required by the standard, and an employee who initially declines may later choose to accept the vaccine, in which case the employer must still make it available. HCP has a form called "Certification of Hepatitis B Vaccination and Declination Form" that can be used for documentation.
Q When must employers offer employees the Hepatitis B vaccine?
OSHA's Bloodborne Pathogens Standard, 29 CFR 1910.1030, requires that the Hepatitis B vaccine be made available after the employee has received the required bloodborne pathogens training and within 10 working days of initial assignment to a job with occupational exposure, unless the employee has previously received the complete vaccination series, antibody testing has shown that the employee is immune, or the vaccine is contraindicated for medical reasons.