13 Tips, Tools and Topics to be Thankful for

For many of us in the United States, the holidays kick off this week with Thanksgiving. Each year on the fourth Thursday in November, we gather for a day of giving thanks, family, feasting, and football. Thanksgiving is a day of giving thanks for the harvest and for the preceding year.

Here are 13 tips, tools and topics we shared this year that you may be thankful for, summarized in one article.

1. Strong Passwords

Did you know that one of the top causes of a breach is a weak or easy-to-guess password? Recently hackers breached the Healthcare.gov test servers. The hackers were able to install malicious code because a device still had its manufacturer's default password; requiring a strong password would have prevented the breach of the Healthcare.gov test server.

A strong password is one that at a minimum:

  • Is at least 8 characters in length
  • Is difficult to guess
  • Contains a combination of alphabetic (mixed case), numeric and punctuation characters
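The following checker is an added example, not code from the original article; it encodes the three minimums above and goes one step further by treating a password built on a vendor default (for example "Admin123!") as easy to guess. The list of default passwords is constructed for illustration only.

```python
import string

# Constructed list of manufacturer default passwords, for illustration only.
# A real deployment would use a maintained list of vendor defaults and
# known-breached passwords.
DEFAULT_PASSWORDS = {"password", "admin", "12345678", "changeme", "default"}

MIN_LENGTH = 8


def password_findings(password: str) -> list:
    """Return the policy rules the password fails (empty list = passes).

    Rules follow the article's minimums: at least 8 characters, not easy to
    guess (here: not a vendor default, nor a vendor default dressed up with
    digits and punctuation), and a mix of lower case, upper case, digits and
    punctuation.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    # Only the letters, so "Admin123!" is recognised as "admin" plus padding.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in DEFAULT_PASSWORDS:
        findings.append("matches a known manufacturer default password")
    elif letters_only in DEFAULT_PASSWORDS:
        findings.append("built on a known default password")
    if not any(c.islower() for c in password):
        findings.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        findings.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in string.punctuation for c in password):
        findings.append("no punctuation character")
    return findings


def is_strong(password: str) -> bool:
    """True when the password satisfies every rule in password_findings."""
    return not password_findings(password)


if __name__ == "__main__":
    for candidate in ["admin", "Admin123!", "Summer2024", "Tr0ub4dor&3"]:
        print(candidate, "->", password_findings(candidate) or "OK")
```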

2. Safeguard all Personal, Proprietary and/or Confidential Information

As an employee, you may create, discover, use, access, or receive personal, proprietary, and/or confidential information during your employment. Your obligation to safeguard all confidential information extends to all situations in which you may collect, access, use, maintain, transport, or disclose such information including when you're away from work or working remotely.

As part of your employment you may be required to sign a statement in an employee handbook or a confidentiality form when you start work. The confidentiality agreement says that you, as an employee, acknowledge that violations of office policies may lead to disciplinary actions up to and including termination. By signing the confidentiality agreement you have an obligation not only to safeguard protected health information but also to safeguard your organization's personal, proprietary, and confidential information.

3. Bring Your Own Device Policy

The use of mobile devices, cell phones, smart phones and tablets has become commonplace in the medical workplace. Most practice administrators would agree that there is a pressing need to support the Bring Your Own Device (BYOD) movement, but many are confronted with finding real-life BYOD solutions. A BYOD policy is an opportunity to maximize employee satisfaction and productivity, but care must be taken to create a secure environment for the use of personal devices in the workplace.

4. Online Breach Reporting

The days of putting together a list of breaches and sending them off to the Secretary of the Department of Health and Human Services (HHS) are over. Now, the reporting process is handled electronically both for breaches affecting fewer than 500 individuals and for breaches affecting 500 or more individuals. Healthcare Compliance Pros has an online Breach Log that can be used to submit suspected breaches for breach determination and mitigation, or as a place to store all suspected breaches. Please contact us for more information.

5. Security Risk Analysis

A HIPAA Security Risk Analysis should be conducted, at a minimum, on an annual basis. To comply with HIPAA, organizations must continue to review, correct or modify, and update security protections. While checklists are helpful for organizations, they fall short of the requirement for a systematic risk analysis and of documenting that the risk analysis has been performed. Think of security risk analysis as an action plan for protecting patient privacy, and as a process of identifying and examining potential threats and vulnerabilities to protected health information. This is arguably the most important step an organization can take towards implementing safeguards that mitigate or lower risks to your ePHI.

6. Medical Assistant Credentialing

As of January 2013, to demonstrate Meaningful Use requirements under the Centers for Medicare & Medicaid Services EHR incentive program, only credentialed medical assistants are permitted to enter medication, radiology and laboratory orders into the EHR. Any medical assistant who is not currently credentialed as a Certified Medical Assistant (CMA) or a Registered Medical Assistant (RMA) should complete the Medical Assistant Credentialing module.

7. OSHA requirements for reporting severe injuries

The U.S. Department of Labor's Occupational Safety and Health Administration (OSHA) announced a final rule requiring employers to notify OSHA of work-related fatalities within eight hours, and work-related in-patient hospitalizations, amputations or losses of an eye within 24 hours. Previously, OSHA required an employer to report only work-related fatalities and in-patient hospitalizations of three or more employees. Reporting single hospitalizations, amputations or loss of an eye was not required under the previous rule.

All employers covered by OSHA, even those who are exempt from maintaining injury and illness records, are required to comply with OSHA's new severe injury and illness reporting requirements. OSHA is developing a Web portal for employers to report incidents electronically, in addition to the phone reporting options.

8. Integrity is more than just a piece of the healthcare compliance puzzle

In terms of healthcare compliance, are we doing everything we can to ensure the integrity of all ePHI we receive, maintain or transmit? Are we following the policies and procedures that are in place to mitigate risks? In medical practice terms, are we checking on patients to make sure they aren't left wondering if they are ever going to be seen? Are we doing our part to ensure our workplace is one that is viewed as a culture that has trust, respect and professionalism? These are important considerations when measuring our integrity and are more than just pieces of the healthcare compliance puzzle. Integrity is in many ways derived from the way in which we are viewed by others and a measure of what we do and how we do it on a daily basis.

9. More time for compliance with the delay of ICD-10

Since some time has been freed up thanks to the delay of ICD-10 implementation, now is a good time to focus on compliance as a continuous process. It is a good time for an organization to make compliance with HIPAA, OSHA and Medicare requirements a continual process, rather than a process of completing the requirements at the last minute. Compliance as a continuous approach is a great way to be prepared for an unexpected audit, to prevent a breach of protected health information and to prevent the panic that may set in during a last-minute race to complete compliance requirements.

10. Encrypted and Unencrypted Electronic Communications

Encrypted email is considered safe and provides adequate protection of health information being sent and received electronically. Encrypted email has several benefits, such as hiding the content from an eavesdropper, the use of a digital signature mechanism and the use of a secret private key to decrypt messages. Encryption is preferred when communicating electronically.

According to the HIPAA Omnibus Final Rule, covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.

11. Healthcare ID Theft First Aid Kit

CPAs encountered an unexpected "taxing" event that caught many taxpayers by surprise as well as the healthcare professionals who filed their tax returns. Many have asked:

  • What should I be doing to protect myself from Identity Theft?
  • What do I need to do if it happens to me?
  • What about software? What can I use to help me combat it?

For this reason, tax professional Michael L. DeVries, CFP, CHBC, EA, has developed an invaluable "Identity Theft First Aid Kit" for healthcare professionals and the like. This Kit provides valuable information including: (1) tips to protect you from identity theft; (2) steps to report identity theft; (3) ID theft resources for victims; and (4) resources to protect yourself from becoming a victim. As a free gift, Mr. DeVries is offering this Identity Theft First Aid Kit to all who are interested. Contact us if you would like more information.

12. Corporate Compliance Training

Initial training and education on Corporate Compliance and fraud, waste and abuse training should be completed during the orientation process for new employees. All employees should complete annual General Corporate Compliance refresher training thereafter. The "deeming" exception of enrollment/participation in Medicare Parts A or B of the Medicare program, or accreditation as a supplier of Durable Medical Equipment, Prosthetics, Orthotics, and Supplies applies to fraud, waste and abuse training requirements. Unless this exception applies to your organization, fraud, waste and abuse training should be completed annually. In addition to training requirements, all entities contracted to perform work related to Medicare programs are required to have appropriate policies and procedures to address fraud, waste, and abuse.

13. Enhanced guidance from the CDC on personal protective equipment for Ebola

The CDC is tightening previous infection control guidance for healthcare workers caring for patients with Ebola. The guidance focuses on the specific personal protective equipment (PPE) health care workers should use, including step-by-step instructions on how to put the equipment on and take it off safely. According to the CDC, workers who have followed the enhanced guidance have not contracted the illness.

The enhanced guidance from the CDC is centered on three principles:

  • All healthcare workers undergo rigorous training and are practiced and competent with PPE, including putting it on and taking it off in a systematic manner.
  • No skin is exposed when PPE is worn.
  • All workers are supervised by a trained monitor who watches each worker putting PPE on and taking it off.

While these 13 tips, tools and topics are by no means all-inclusive, they are some of the most requested and most frequently questioned topics.

We would like to thank each and every one of you for giving us the opportunity to provide you with up-to-date information, and we would like to wish you all a very Happy Thanksgiving.

If you have any questions about any of the 13 Tips, Tools or Topics, or any other compliance related questions, please do not hesitate to contact one of our professional consultants.

'Tis the season to Give Thanks! We'd love to Thank You with a cash credit on your account. We'll "Thank" you with these credits for every referral that signs up for HCP services.