Tips & FAQs 

You have questions. We have answers. 

Frequently Asked Questions 

Q: How often do compliance regulations change?
As you may well know, it seems that the government is ever changing, updating, and creating new laws on a regular basis. Because of this, HCP keeps its clients notified on a weekly basis regarding any new regulations, guidance, or other important information that comes from the federal government or any of its agencies. Where mandated, this information is also automatically incorporated into clients’ programs immediately.
Q: Why do I need a compliance program?
Pursuant to government regulations, healthcare organizations and their business associates must have a custom compliance program with HIPAA, OSHA, and Corporate policies and procedures written specifically for their group, and must then train their employees on these policies.
Q: Does your program include support?
Yes. When you sign up for our core compliance program, you are assigned a specialist who is available via phone and email year round. Our support includes both technical and compliance support.
Q: Is your system complicated and difficult?
No. Our patented software is easy to use, straightforward, and only continues to improve. From the moment you sign up with our services, you are assigned a specialist who guides you through the process. You may also reach out to your specialist with any technical or compliance questions at any time.
Q: Do you offer a preview of your services?
Yes. We offer a free consultation and review of your current circumstances and show how our program can help fill in the gaps or create a complete compliance program. Request a free consultation by emailing [email protected]
Q: We are a small group; can we afford a custom compliance program?
While it is true that we have large institutions utilizing our services, our pricing is scaled based on the number of users added to your account. This allows small groups to have access to the same program and level of support as large health care organizations.
Q: How do you sign up for your services?
Prior to signing up, you are assigned an account manager who works with you, is responsible for your billing, and will activate your account with either a credit card or checking account information.
Q: Do you require long-term contracts?
No. We pride ourselves on our product and service, and do not require any contracts with our clients. Our services are subscription-based and service may be discontinued with 30 days written (email) notice.
Q: How long does your program take to get set up?
The setup process is not that time consuming. Based upon the size of your practice, we can have your program developed and training reminders going out to your staff in less than a week. When you sign up, your HCP specialist works around your calendar and needs to ensure a successful launch of your compliance program.
Q: Do you include a security risk analysis (SRA)?
Yes. We provide a comprehensive SRA based on the NIST (National Institute of Standards and Technology) guide. We also offer an annual review, action plan, and SRA support to help assist clients with addressing any gaps in their program.
Q: Do you provide Global Harmonization transitioning and training?
Yes. With the adoption of the Globally Harmonized System, we now offer services that help train clients' staff on the new changes and assist them in transitioning their Material Safety Data Sheets (MSDSs) over to the newly mandated Safety Data Sheets (SDSs).
Q: Do my employees have to be trained each year?
Yes. Within the healthcare industry, there are statutes that support the need for annual training on HIPAA, OSHA, and Corporate Fraud, Waste & Abuse regulations.
Q: Do you provide Meaningful Use support?
Yes. We assist clients who are participating in the Medicare and Medicaid EHR Incentive Programs. You can add Meaningful Use services to your program.
Q: What if I get audited?
Whether a client is going through a Meaningful Use audit, RAC audit, OSHA inspection, or other healthcare audit, HCP provides audit support services and can help clients through audits.
Q: Do you come onsite?
To keep the costs down, we generally like to work with our clients remotely through phone, email, and online conferencing, but we are available to come onsite to perform setups or mock audits if needed.

September 2022

Q With COVID-19 transmission predicted to go up this fall, what can employers do to be prepared to operate during high-transmission time periods?

Healthcare organizations should follow the CDC's and OSHA's recommendations to prepare for pandemic outbreaks of varying severity levels. Additionally, the CDC recommends encouraging everyday preventative actions for employees such as staying home when you are sick, covering your coughs and sneezes with tissues, washing your hands with soap and water for at least 20 seconds as often as you can, using at least 60% alcohol-based sanitizer if soap and water are not available, and cleaning frequently touched surfaces and objects.

Beyond that, nonpharmaceutical interventions (NPIs) have been recommended by public health officials to prevent the spread of communicable diseases. These additional actions include allowing staff members to telework, flexibility in allowing staff to stay home if they or someone in their house is sick, increasing space between staff at work as much as possible, but at least 3 feet, decreasing the frequency of contact among staff members, thinking about postponing or canceling work events and canceling or postponing non-essential work travel.

Finally, because this is an evolving situation and the CDC is providing new guidance on a regular basis, we recommend keeping up with the news of the COVID-19 outbreak, following the instructions of public health officials, updating any policies to keep in line with new recommendations as they may be announced, and providing accurate and consistent information to employees reflecting the guidelines of OSHA, the CDC, and other governmental agencies that may be providing them.

Q What are the PPE requirements for administrative and clinical employees concerning COVID-19 exposure, including those clinical employees who perform aerosol-generating procedures (AGP)?

OSHA's guidance refers to the CDC's infection control guidance. Additionally, a healthcare facility must conduct a risk assessment and determine which employees are at risk, what the risk is, and what PPE would be appropriate to provide. Regardless of the risk, standard precautions should be followed. Transmission-based precautions should be implemented when in contact with a suspected COVID-19 patient.

The CDC states that healthcare providers should implement universal use of personal protective equipment for healthcare providers. In areas of substantial or high transmission, all employees should be provided additional PPE based on their job responsibilities.

Q What portions of the OSHA COVID-19 Healthcare ETS are still in effect?

The non-record-keeping portions of the COVID-19 Healthcare ETS have been withdrawn by OSHA and are not in effect anymore. However, OSHA states that employers must continue to protect employees from COVID-19 and that they will "vigorously enforce the general duty clause" and other standards such as the PPE and Respiratory Protection Standards to "help protect healthcare employees from the hazard of COVID-19." OSHA also states that continued adherence to the ETS is the simplest way for employers to ensure the continued protection of their employees in healthcare settings and comply with OSHA obligations.
Q Should an employer include an employee's name on a sharps injury log?

A sharps injury log is intended to track injuries and the departments, devices, or procedures that are causing them. It's not meant to track injured employees. As such, the sharps injury log does not need to include the employee's name. In fact, OSHA states that including the employee's name jeopardizes their confidentiality. If an employer chooses to keep employee names on their log, they have to remove them if asked to share the report with anyone to keep the employee information on the log confidential. However, the bloodborne exposure incident report completed after an exposure incident should include the employee's information, the situation leading to the incident, etc., and be kept in their employee medical records.

Q What should clients consider when designating an infection control safety coordinator?

The infection control safety coordinator should be someone who is able to understand and identify infectious disease hazards in the workplace and must be knowledgeable in infection control principles and practices as they apply to the workplace and employee job operations. Additionally, the safety coordinator must have the authority to ensure compliance with all aspects of the organization's infectious disease plan so that they can take prompt corrective measures when hazards are identified.

Employers' designated safety coordinators should implement and monitor the infectious disease plan, but the exact responsibilities of a safety coordinator may vary based on the employer and workplace.

Q Do OSHA regulations and standards apply to the home office?

The Department of Labor's Occupational Safety and Health Administration (OSHA) does not have any regulations regarding telework in home offices. The agency issued a directive in February 2000 stating that the agency will not conduct inspections of employees' home offices, will not hold employers liable for employees' home offices, and does not expect employers to inspect the home offices of their employees. If OSHA receives a complaint about a home office, the complainant will be advised of OSHA's policy. If an employee makes a specific request, OSHA may informally let employers know of complaints about home office conditions but will not follow up with the employer or employee.

Employers who are required to keep records of work-related injuries and illnesses will continue to be responsible for keeping such records for injuries and illnesses occurring in a home office.

Q Are employers required to have all employees vaccinated against Hepatitis B?

No, employers are required to offer the Hepatitis B vaccine when the employee starts work to comply with OSHA's Bloodborne Pathogens Standard 29 CFR 1910.1030. Employees can decline the Hepatitis B vaccine and would need to sign a declination form. HCP has a form called "Certification of Hepatitis B Vaccination and Declination Form" that can be used for documentation.

Q When must employers offer employees the Hepatitis B vaccine?

OSHA's Bloodborne Pathogens Standard 29 CFR 1910.1030 states the Hepatitis B vaccine must be offered after training and within ten days of the employee being assigned a job where there is occupational exposure unless the worker has already received the vaccine series previously.

August 2022

Q Do you have cyber liability insurance?

With the rising rate of cybercrime in the healthcare industry, we recommend that organizations take extra steps to help protect themselves from the high cost of a cyber-attack. One way to do this is to have cyber liability insurance, which is a type of insurance designed to cover expenses related to cyber-attacks. These expenses may include costs associated with notifying patients, business interruption expenses, fees associated with bringing systems back online, and potential fines or penalties associated with the incident.

Q Is penetration testing required for an SRA?

While penetration testing is not a named requirement for HIPAA compliance, it is a best practice. The healthcare industry has become a prime target for hackers because of the amount of sensitive data that covered entities and their business associates maintain. As such, covered entities and their business associates need to have policies and processes in place to safeguard this data. To develop policies and processes that will protect PHI appropriately, a CE needs to know where its vulnerabilities are. Penetration testing is one way to achieve this. In fact, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-66, which recommends implementing penetration testing as part of HIPAA Security to determine potential vulnerabilities and validate that the proper safeguards are in place.

Q What does an ePHI asset inventory need to include?

According to the OCR, an asset inventory includes hardware, software, and data assets. Hardware assets are "Physical elements of the organization's networks and systems, including electronic devices and media." Software assets are "Programs or applications that run on the hardware assets, including databases, email and financial record systems, backup solutions, and anti-malware tools." Data assets are "ePHI that is created, received, maintained, or transmitted on the network or with the hardware assets."

The OCR found that providers frequently do not know where all of their ePHI is located, which creates problems for compliance with the risk analysis requirements under the HIPAA Security Rule. Understanding where your organization stores ePHI is essential to conducting an accurate and thorough risk analysis as required by HIPAA. This is why the OCR specifically recommends that health care providers and business associates create information technology (IT) asset inventories in order to track where electronic protected health information (ePHI) is located within their organization.

July 2022

Q What is workplace violence?

Workplace violence is considered any act or threat of physical violence, harassment, intimidation, or other threatening disruptive behavior that happens in the workplace. It may include threats, verbal abuse, physical assaults, and even homicide. It can affect and involve employees, clients, patients, and visitors.

Q What is workplace harassment?

Workplace harassment involves unwelcome and offensive conduct that is based on race, color, national origin, sex (including pregnancy, gender identity, and sexual orientation), religion, disability, age (age 40 or older), or genetic information. Examples of harassment include offensive or derogatory jokes, racial or ethnic slurs, pressure for dates or sexual favors, unwelcome comments about a person's religion or religious garments, or offensive graffiti, cartoons, or pictures. Sexual harassment includes unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature. Harassment does not have to be of a sexual nature, however, and can include offensive remarks about a person's sex.

Q When is harassment considered illegal?

Not all workplace harassment is illegal. For workplace harassment to be illegal, the conduct must be either severe or pervasive (frequently occurring); it doesn't have to be both. The laws enforced by the EEOC do not prohibit simple teasing, offhand comments, or isolated incidents that are not very serious.

Q How can organizations make their workplace safer for their employees?

Employers are required to always maintain a safe work environment for all employees. This includes preventing and addressing unsafe work environments, harassment (including sexual harassment), and workplace violence when it arises. Organizations must have policies and procedures, including information on how to prevent and report incidents, that will support their employees' safety from violence and harassment in the workplace.

June 2022

Q What does the 21st Century Cures Act provide?

The purpose of the Cures Act is to provide patients access to their information in a more transparent way. It prohibits information blocking and defines the practices that are considered reasonable activities and therefore not information blocking.

In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).

Q What changes take place in October 2022?

Beginning October 6, 2022, the technical exception for practices regarding their EMRs ends, and all identified electronic PHI will be considered electronic health information (EHI). Patients will have the same rights under the HIPAA Privacy Rule to request a copy of PHI, now known as EHI. ONC also encourages that "Information Blocking Actors respond to requests for access, exchange, or use of EHI with as much EHI as possible in order to promote interoperability and to practice applying the exceptions. In comparison to the far narrower set of data elements, this definition of EHI, inclusive of all electronic PHI in a designated record set, is much more extensive from a coverage standpoint for Information Blocking Actors."

Q How do organizations make sure they are following the rules of the 21st Century Cures Act?

Organizations can comply with the Cures Act requirements by making patient data requests easy and inexpensive. The Cures Act requires practices to allow patients to access their health information from EHRs using an app of their choice, implement policies that prohibit information blocking, and define how the information blocking exceptions might apply to the practice. It states that if a provider does not provide access to a patient's data when requested, they will be given appropriate disincentives as a penalty for information blocking, as stated in the 21st Century Cures Act.

If an EMR does not allow for the appropriate electronic health information (EHI) to be shared with a patient when they have requested it, health care providers could be subject to these disincentives, including not being able to attest to MIPS.

Q What is "Information Blocking"?

Information blocking is defined by the ONC as "a practice that is likely to interfere with access, exchange, or use of EHI, unless the practice is covered by an exception or is otherwise required by law. The standard for information blocking for developers, networks, or exchanges is if they know, or should know, that such practice is likely to interfere with access, exchange, or use of EHI. For health care providers to engage in practices considered information blocking, the provider would need to know that such practice is unreasonable and is likely to interfere with access, exchange, or use of EHI." Any claims or reports of alleged information blocking would be evaluated on the specific circumstances of each situation.

Q What is the Preventing Harm Exception?

An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to prevent harm will not be considered information blocking when the "reasonable belief" and "practice breadth" conditions are met. For more information on this exception, continue here.

May 2022

Q How long do HIPAA-related medical records need to be retained?

HIPAA regulations require that all HIPAA-related records and documents be retained for six (6) years. This applies to authorizations, audit records, business associate agreements, and contracts, etc. They may then be destroyed in a manner that does not allow for the disclosure of any PHI (e.g., burning, shredding, etc.).

Q What should be included in a well-documented medical record?

A properly documented medical record should:

  • Be complete and legible
  • Include the reason for the encounter, any relevant history, physical examination findings, prior diagnostic test results, assessment, clinical impressions or diagnosis, plan for care, the date and identity of the observer
  • Include the rationale for ordering diagnostic and other ancillary services
  • Support the CPT and ICD-10-CM codes used for claims submission
  • Identify appropriate health risk factors
  • Document the patient's progress, response to or changes in treatment, or any revision in diagnosis

Q Where should the signed release of information and assignment of benefits forms be kept?

All patients must sign a release of information and assignment of benefits form before they receive services. These forms should be placed in the patient's chart or record after the patient and/or the responsible party signs them. There are strict rules regarding the assignment and reassignment of billing rights in both Medicare and Medicaid programs.

Q How long do the Centers for Medicare & Medicaid Services (CMS) require healthcare providers and organizations to retain patient records?

CMS requires healthcare providers and organizations to retain patient records for Medicare beneficiaries for at least five (5) years. CMS requires Medicare managed care program providers to retain records for ten (10) years.

Q What are the stages of a record?

The lifecycle of a record includes four basic steps:

  • Creation - Once a document is completed, it becomes a record. At this point, it enters the records management cycle.
  • Active use - When in active use, records are stored in file folders if they are paper-based, electronically in files on a computer system if they are electronic, or filed on microfilm or other recording media for regular use. As records age, they are referred to less often. When records reach the point where they are referred to less often than once every six months, they should be moved to less costly storage.
  • Inactive use - When records become inactive, they are normally boxed if in paper form or archived electronically to a CD or magnetic tape. Inactive storage is considerably less expensive than active storage and frees up space for the active storage of more active records.
  • Disposition - The final step in the life cycle of a record is its final disposition. This can mean simple destruction by throwing it in a waste can, or having the record shredded or incinerated. Some records should not be destroyed, and there needs to be a way to identify them and store them for very long time periods.

April 2022

Q What types of security issues affect the healthcare industry?

Cyber threats are constantly changing, and the threat to healthcare offices and organizations is real! The most common way for bad actors to infiltrate an organization is through the workforce, with tactics such as email phishing. Other cyber threats include spam, distributed denial of service (DDoS) attacks, malware or ransomware, data breaches, third-party risks, and medical device security vulnerabilities.

Q How do you address cybersecurity threats in healthcare?

Healthcare organizations need to address cyber security threats by doing the following:

  • Train employees to identify a cyberattack and what to do when it occurs.
  • Have your software protected and up to date with antivirus and antimalware protection.
  • Have policies and procedures in place for system control, password protection, device policies, etc.
  • Conduct a Security Risk Assessment (SRA) regularly for your organization.
  • Install structural security measures such as alarms, security cameras, guards, etc.
  • Have a detailed data recovery plan that includes backing up on your organization's daily basis and have the backup on a remote

Q Do healthcare organizations need to have cyber liability insurance?

Cyber liability insurance is designed for organizations as an insurance policy with protective coverage against events like data breaches or other cyber security issues. Cyber liability insurance policies require immediate notification as soon as an organization becomes aware or detects a possible breach following a cyber-attack, such as ransomware.

If your organization does not have cyber insurance coverage yet, HCP highly recommends discussing a policy with your insurance agent. Cyber insurance is a critical part of a secure IT environment within the healthcare industry due to the imminent threat of cyber-attacks from bad actors.

Q What makes a password strong and safe?

A strong password should be at least ten characters long and include uppercase and lowercase letters, numbers, and special characters such as !%#$&*. Recent research suggests users could also consider using "passphrases," which are sentences that may be easier to remember than a very complex password. Passwords should be updated every six months, when an employee leaves or is terminated, or however often is required under the organization's password policy.
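As an added example (not part of the original FAQ or HCP's software), the following Python code applies the password policy stated above: ten-plus characters with mixed case, digits and specials, a passphrase alternative, and the six-month rotation rule. The passphrase thresholds (four distinct words, twenty characters) and the 182-day rotation window are assumptions chosen for the example, not figures from the page.

```python
import re
from datetime import date, timedelta

# Policy as stated in the FAQ: at least ten characters, with uppercase and
# lowercase letters, digits and special characters; passphrases accepted as an
# alternative; rotation every six months, or sooner when an employee leaves.
MIN_LENGTH = 10
SPECIALS = set("!%#$&*")       # the examples given in the FAQ; extend per local policy
MIN_PASSPHRASE_WORDS = 4       # assumed threshold; the FAQ gives no number
MIN_PASSPHRASE_LENGTH = 20     # assumed threshold; the FAQ gives no number
ROTATION_DAYS = 182            # roughly six months; assumed day count


def check_complexity(password: str) -> list:
    """Return the list of complexity requirements the password fails (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character (e.g. !%#$&*)")
    return problems


def is_passphrase(candidate: str) -> bool:
    """Passphrase alternative: several distinct words and comfortably longer than a typical password."""
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", candidate)]
    return (len(words) >= MIN_PASSPHRASE_WORDS
            and len(set(words)) >= MIN_PASSPHRASE_WORDS   # repeating one word is not a passphrase
            and len(candidate) >= MIN_PASSPHRASE_LENGTH)


def evaluate(candidate: str) -> tuple:
    """Return (accepted, reason) for a proposed password or passphrase."""
    if is_passphrase(candidate):
        return True, "accepted as passphrase"
    problems = check_complexity(candidate)
    if problems:
        return False, "; ".join(problems)
    return True, "accepted as complex password"


def rotation_due(last_changed: date, today: date, employee_departed: bool = False) -> bool:
    """True when the FAQ's rotation rule calls for a new password: six months elapsed or the employee left."""
    return employee_departed or (today - last_changed) >= timedelta(days=ROTATION_DAYS)


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    for sample in ["Passw0rd!", "Correct#Horse7x", "purple lantern quiet river", "river river river river"]:
        print(f"{sample!r}: {evaluate(sample)}")
    print("rotation due:", rotation_due(date(2022, 1, 1), date(2022, 7, 5)))
```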

March 2022

Q What is the No Surprises Act?

Starting January 1, 2022, it will be illegal for providers to bill patients for more than the in-network cost-sharing price if the patient did not choose or know that the service would come from an out-of-network provider. For more information about the No Surprises Act, check out the recommended article "The No Surprises Act — What Your Organization Needs to Know" here:

Q What is the purpose of the No Surprises Act?

  • To protect those covered under group and individual health plans from receiving surprise medical bills when they receive:
    o Emergency Services from out-of-network providers
    o Non-emergency services from out-of-network providers at in-network facilities
    o Services from out-of-network air ambulance providers
  • To protect the uninsured and self-pay patients from unexpected costs.
  • To mandate transparency regarding healthcare costs.
  • The Act does not apply to government-reimbursed care (Medicare and Medicaid, etc.) because these payers already prohibit balance billing.

Q Does the No Surprises Act supersede state laws?

Federal regulations are the default when states provide no similar laws. In states that do have laws, federal law takes priority when the state law provides less protection to the patient.

Q Can you define convening provider, co-provider, and co-facility?

  • Convening Provider - the provider that is treating the patient and determining their care.
  • Co-Provider - A provider needed by the convening provider to care for the patient (anesthesiologist, lab, on-call provider, etc.).
  • Co-facility - A location that may be involved in the patient's care, for example a hospital, surgical care, etc.

Q What additional responsibilities does the provider have?

  • If a provider ends a contractual relationship with an insurance plan, they must ensure continuity of care. They must accept payment from the plan for up to 90 days after the date on which the patient was notified of the change in network status. They must also continue to adhere to all contract policies imposed by the plan during that period.
  • The provider must maintain health plan directories with which they have a contractual relationship. At a minimum, they must submit provider directory information:
    o At the beginning of the network agreement
    o At the termination of the network agreement
    o Any time there are material changes to the content of the provider directory information
    o Upon the request of the plan
    o Any other time deemed appropriate by the provider, facility or HHS.
  • The provider must reimburse the patient who relied on incorrect provider directory information and paid the provider more than the in-network cost-sharing amount.

Q Are there sample forms or resources available to help navigate the NSA?

Q Where does information about the No Surprises Act need to be posted for our patients?

Providers must post this information prominently at their physical location(s), post it on their website, and provide it to the patient.

Q What is required to be included in the Notice and Consent form?

  • That the provider does not participate in the patient's health plan.
  • The good faith estimated amount the provider may charge the patient for all services that would reasonably be included.
  • Notice that the service might need to be authorized by the plan.
  • Clearly state that signing the notice is optional, and the patient does not have to consent.
  • Clearly state the patient may get service from an available in-network provider.

Q What is the timeframe for providing a Notice and Consent to the patient?

A Notice and Consent must be provided at least 72 hours (3 days) before a service is provided. If the service is scheduled within 3 days, the notice must be given at least 3 hours ahead of time.

Q What types of providers are required to provide a Good Faith Estimate?

All providers, including all types of doctors, dental offices, hospitals, optometry, ASCs, diagnostic and imaging centers, laboratories, etc., must provide a good faith estimate of expected charges to any self-pay or uninsured patient.

Q What is required to be included in the Good Faith Estimate?

  • Patient name and date of birth
  • Description of the primary item or service in clear and understandable language (and if possible, the date the service is scheduled)
  • Items and services reasonably expected to be furnished for the period of care
  • CPT codes
  • ICD-10 codes
  • Expected charges
  • Names of providers and facilities
  • Tax ID number
  • National Provider Identifier (NPI)
  • Disclaimer that states:
    o The Good Faith Estimate is an estimate and subject to change
    o There may be additional items or services not contained in the estimate
    o Their right to initiate a patient-provider dispute resolution process
    o The estimate is not a contract

Q How long do you have to provide a Good Faith Estimate?

  • The estimate must be provided no more than 3 business days after the service is scheduled, or
  • No later than 1 business day if the service is scheduled in less than 10 days.

Q What form does the Good Faith Estimate need to be in?

  • The estimate must be in written form and can be either paper or electronic. Electronic formats must be in a form that allows the patient to save and print. The language must be clear and understandable and in a manner that the average individual can easily understand.
  • If the patient requests the estimate orally over the phone or in person, you may provide it orally but must follow up with a written copy to meet regulatory requirements.

February 2022

Q What if there is more than one provider involved in the patient's procedure?

  • If more than one provider is furnishing care, the "convening provider" must provide the Good Faith Estimate to the patient. This estimate should include all the items and services expected to be provided by the convening facility and other services expected to be provided by co-providers and co-facilities.
  • The convening provider is the provider scheduling the services. Other facilities providing services are considered co-providers.
  • No later than one day after scheduling the services, the convening provider must contact all co-providers and request good faith estimate information for expected charges associated with the co-provider.

Q What if the patient is new and the complexity of their condition is unknown?

Good Faith Estimates are required to list any service that is reasonably expected to be furnished. It does not require estimates to include unanticipated services that are not reasonably expected due to unforeseen circumstances. Providers should estimate anticipated services based on the information available as provided by the patient, previous medical records, and information from referring providers.

Q How can a Good Faith Estimate with a diagnosis be given before seeing the patient?

When scheduling a patient, it is required that they receive a GFE. The patient's initial visit should be covered in their first GFE. After examining the patient for their next appointment or treatment (procedure, surgery, lab, etc.), a new GFE must be provided.

Q Can patients go to our website and view prices? Does the Good Faith Estimate need to be signed?

Yes, prices can be published on the website. A GFE is not required to be signed, but it must be kept for seven years as documentation.

Q Regarding the Good Faith Estimate, when a biopsy is performed on a patient in a dermatology office, do we need to provide the lab charges when we send the specimen out?

The convening provider is required to obtain the estimate from the lab. There is enforcement discretion in place as providers get policies and procedures in place. However, the treating provider or facility must still obtain the information for the Good Faith Estimate for the patient.

Q Can we update the GFE after we learn more about the patient's needs?

Yes. A GFE is first provided after the initial interaction. After that initial visit and any subsequent visits, a GFE should be given for any care the patient will need to receive. For example, a patient with stomach pain may be referred to a nutritionist; the convening provider would then need to contact the nutritionist for a GFE, and for continued care the nutritionist would provide the GFE. Or, if after the initial visit it is determined that surgery is required, a GFE would be provided to reflect the updated information.

Q If a self-pay uninsured patient does not ask for an estimate, is it the facility's requirement to give them one?

Yes. The provider or facility must provide one to any self-pay or uninsured patient, regardless of whether it is requested.

Q Do we have to provide an interpreter or translator service for Good Faith Estimates under Section 1557?

Yes. Just like other types of forms and services, the GFE must be translated into the top 15 languages as requested.

Q What is the GFE dispute process for out-of-network patients?

  • When unable to reach a price agreement for services in which balance billing was prohibited, an out-of-network provider and insurer may utilize the Independent Dispute Resolution (IDR) process.
  • Prior to initiating the IDR, the provider and insurer must engage in a 30-day open negotiation period. If the provider and insurer do not agree, either can initiate the IDR process within four days after the open negotiation period ends. The IDR entity chosen to review the claim will issue a binding decision after reviewing documentation submitted by both parties.
  • Important deadlines exist for parties involved in the IDR process and a chart of those dates can be found here -

Q What is the dispute process for uninsured and self-pay patients?

  • In situations where the uninsured patient receives an estimate but is billed a substantially greater amount, HHS has established a Select Dispute Resolution (SDR) process.
  • The patient has 120 days after they receive their bill to initiate this process. "Substantially greater" has been defined as the billed charges being at least $400 more than the Good Faith Estimate. The patient is only eligible for an SDR if they received a good faith estimate and submit a copy with their dispute claim.
  • Healthcare providers must submit supporting documentation within 10 days of the receipt of the SDR notice. They must cease all collection efforts and pause the accumulation of fees. The SDR entity chosen to review the claim will issue a binding determination within 30 days after receiving the necessary documentation. Only charges the provider could not have reasonably anticipated will be considered.

Q Under the No Surprises Act's billing and coding rules, are there exceptions to the balance billing prohibition for out-of-network providers?

  • A provider cannot balance bill for services furnished because of urgent medical needs regardless of the provider satisfying the notice and consent criteria.
  • Emergency services providers can only balance bill if all of the following conditions have been met:
    o The patient can travel using non-emergency transportation to a participating facility within a reasonable travel distance. The patient also needs to be in a condition to receive a notice and provide informed consent.
    o The non-participating provider provides the patient with written notice and obtains consent within the specified period and format outlined in regulations.
    o The provider satisfies all other state law requirements.
  • Non-participating providers at a participating facility
    o Cannot bill patients for amounts greater than the in-network cost-sharing requirement for such services unless notice and consent requirements are met.
    o Healthcare facilities include hospitals, hospital outpatient departments, critical access hospitals, and ambulatory surgical centers.
  • Notice and consent requirements do not apply to the following ancillary services, for which balance billing remains prohibited:
    o Services and items related to emergency care, anesthesia, pathology, radiology, and neonatology.
    o Services provided by assistant surgeons, hospitalists, and intensivists.
    o Diagnostic services like radiology and laboratory services.
    o Services and items provided by a non-participating provider if there was no participating provider that could provide the service at the facility.

Q For the out-of-network (OON) balance billing portion, does the No Surprises Act apply?

Different areas of the No Surprises Act apply to different facilities. Generally, all providers must furnish a Good Faith Estimate (GFE) to uninsured or self-pay individuals, and must supply GFE information when it is requested from them as a co-provider. A GFE must be provided to any uninsured or self-pay patient, or when one is asked for, regardless of facility or provider type.

January 2022

Q Can biohazard specimen bags be reused if not visibly soiled?

Biohazard specimen transport bags should not be reused. Best practice and OSHA's recommendation is to dispose of each bag after use. Looking for visible contamination is not infallible because certain body fluids are colorless, meaning that although you may not see a spill, there is still the possibility of contamination. While the idea of reusing them to reduce waste is a valid one, the need for infection control precautions outweighs financial or excess trash considerations.

Q How long should autoclave results logs be kept?

We recommend following the CDC's guidelines as a best practice and retaining them for at least 3 years or as long as your state law requires if it is a longer timeframe. Healthcare providers may want to check with their local health department as well to see if there are local retention requirements.

Q Should a healthcare provider keep a log of biohazardous waste that is collected from them for disposal?

Yes, we recommend maintaining a log of when the hazardous waste is collected and removed from a healthcare provider's facility in addition to when they received the manifest that it was destroyed. Additionally, federal regulations require providers to keep the manifest, along with the biohazardous waste log and any other pertinent documents related to the packaging, storage, transport, or disposal of the medical waste for at least 3 years. HCP has a sample log available for clients to use when tracking the removal of biohazard waste, along with the transporter and date the certification of destruction is received.

Q What is considered “regulated waste”?

OSHA's Bloodborne Pathogens Standard uses the term "regulated waste" to refer to the following categories of waste:

  • liquid or semi-liquid blood or other potentially infectious materials (OPIM)
  • items contaminated with blood or OPIM and which would release these substances in a liquid or semi-liquid state if compressed
  • items that are caked with dried blood or OPIM and are capable of releasing these materials during handling
  • contaminated sharps
  • pathological and microbiological wastes containing blood or OPIM.

December 2021

Q What are the differences between personal and professional use on social media platforms?

Personal use of social media generally refers to use of an account registered to an individual that is not used for business purposes. Professional use is generally using social media for approved business purposes on behalf of an account registered to an organization, practice, or provider.

Q If your organization has a social media account for professional use, what should be included in a social media policy for employees?

You may have language in a social media policy that states whether personal use of social media is permitted during business hours. Your policy may also explain the professional use of social media on behalf of the organization, practice, or provider: in other words, who should post, who should update, what should be published, etc. We have a Social Media template available for customization for your organization. Ask your support team for access.

Q What are the risks involved with making social media posts?

Whether you are posting on your own or a professional account, it is important to understand the potential risks.

Some risks include:

  • Anything that is posted has a risk of receiving negative feedback from the public that could hurt the success of the business and its reputation.
  • The accidental sharing of PHI, proprietary information, or other content from the post that could be used by those with malicious intent.
  • Having a difficult time managing and/or responding to posts and comments from users. Organizations need to train employees on how to respond to negative or inaccurate statements made on their posts.

Q Can healthcare organizations post pictures?

Never post any photos involving patients without authorization! Even then, be extremely cautious and always have written authorization. When pictures or patient information are used for purposes other than Treatment, Payment, and Operations (TPO), a valid HIPAA authorization must be obtained from the patient or the patient's legally authorized representative. This includes when posting on social media. When in doubt, check with your compliance officer before posting anything that could be considered PHI.

Q Can organizations respond directly to patients who post comments or questions on social media?

When posting a response to a question, use limited information and suggest another communication method. If a patient asks you a question on a social media platform that could potentially lead to a disclosure of PHI, it is best to suggest that the patient contact you using another, more private form of communication. It is important to limit unnecessary or inappropriate access to and disclosure of PHI. Avoid accessing or discussing PHI that is not essential to the task at hand.

When posting on your personal social media account, if it is something you don't want the public to know or access, it is also a good idea to use a private form of communication instead. This applies even when sharing information in "private" groups.

November 2021

Q What are the seven elements of an effective compliance program?

1) Written policies and procedures
2) Designation of a compliance officer and a compliance committee
3) Training and education
4) Auditing and monitoring
5) Open lines of communication
6) Response to detected problems and correction
7) Enforcement of disciplinary standards

Q How do you know what is expected of you?

Standards of Conduct (or Code of Conduct) state the organization's compliance expectations and their operational principles and values.

Q Is Corporate Compliance Training only required if the organization is contracted with Medicare?

No. As part of participation in any federal payment program, like Tricare or Medicaid, a provider is required to have an effective corporate compliance program. Part of an effective program includes corporate compliance training. Additionally, many payors contract with CMS in some way or another and, as a part of that, require all contracted providers to maintain a corporate compliance program as part of their contract, regardless of whether the provider contracts with a federal payment program. It's a good idea for our clients who think they don't have to have a corporate compliance program in place to check their payor contracts to see exactly what is required of them and whether a corporate compliance program with training is a requirement of their payors. The only time that a corporate compliance program is certain to not be required is if the provider only accepts cash-paying patients.

Q Are there compliance policies and procedures that should be in place if an employee is allowed to work remotely from home?

Healthcare providers are required to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI and ePHI. They may allow employees to work from home as long as they have conducted a risk analysis and implemented appropriate safeguards to ensure the privacy and security of ePHI that will be accessed and transmitted remotely. Employees who work from home must comply with the same security protocols as employees who work onsite within the facility. They also still need to complete training on the organization's HIPAA Privacy and HIPAA Security policies and procedures.

October 2021

Q Is a Disaster Recovery Plan (DRP) a HIPAA requirement, and what is it?

Yes, HIPAA regulations require every organization to develop and maintain current DRPs. A DRP is a detailed listing of how your organization is set up to deal with potential disasters. It should focus on the results of your analysis of business processes and how to maintain continuity. Disaster prevention is also an essential part of a DRP. While many potential disasters are unavoidable, planning for prevention could lessen the impact on your business processes.

Q Why must I test my DRP?

Once you have developed your DRP, it is essential to determine whether it actually works. By properly testing your DRP, you avoid unnecessary surprises and can make any necessary changes. Further, a tested plan enables employees to know what to do and execute their responsibilities in a disaster. Your DRP must be tested periodically because, as we all know, disasters can happen at any time, and no two situations are the same.

Q What should a DRP include?

Creating a DRP is a unique and precise process for every organization. Each plan will be specific to the organization and will have different key business processes to prepare for as well as different areas of significant impact.

However, the primary goals of a DRP are to:

  • Minimize interruptions to crucial business processes.
  • Limit the extent of disruption and damage.
  • Minimize the financial impact of the interruption.
  • Establish alternate ways to continue operating in advance.
  • Train all staff on emergency procedures.
  • Provide for efficient and prompt restoration of service.

Each organization will need to determine which business processes are most likely to be significantly impacted by an unforeseen event or possible disaster and determine the steps and time it would take to restore those processes.

Q Do I still need a DRP if we save everything on ‘the cloud’?

More than ever, organizations are utilizing external environments to store their ePHI (often referred to as "the cloud"). While there are benefits to using cloud storage, a DRP is still necessary for maintaining your HIPAA compliance. In a cloud setting, disaster recovery planning should include procedures for access to ePHI and for replacement of hardware and software. It should specify the approval process for the use of virtual machines. It should also include information on maintaining crucial business practices if your data is unavailable for a period of time. In a disaster, bandwidth limitations, loss of internet access, power loss, etc., can make it difficult to reach your data even in a cloud environment. It is important to become familiar with the specific protocols of your cloud storage or EMR vendor. You can ask your vendor to provide information on their DRP protocols, including frequency of backups, encryption levels, redundancies, and testing schedules. Those protocols can then inform a DRP that meets both HIPAA requirements and your organization's specific needs.

September 2021

Q Will the ETS be an annual training?

Although the standard currently does not have a set fixed schedule for periodic training, it most likely will become a permanent standard in some shape or form and then would be subject to the same annual training requirements that OSHA has for all its other standards. Currently the ETS (paragraph (n)(2)) requires additional or repeated training when:

1) There are changes that affect the employee's risk of contracting COVID-19 at work;
2) Policies or procedures are changed; or
3) There is an indication that the employee has not retained the necessary understanding or skill. For example, if an employer observes an employee engaging in activities that contradict knowledge gained through training, it is a sign to the employer that the employee may require a reminder or periodic retraining on work practices.

Q What is best practice and how often should vulnerability scans and penetration tests be run?

HIPAA does not require vulnerability scans or penetration testing to be performed on a specific timeline. It should be based on the specific needs of the covered entity or business associate. If your organization is looking to maintain a high level of security, vulnerability scanning needs to be added to your information security program. Vulnerability scans should be conducted after any major system, organization, or infrastructure change to ensure you're aware of any security gaps. Overall, an industry best practice is to perform vulnerability scanning at least once per quarter. Quarterly vulnerability scans tend to catch any major security holes that need to be assessed, but depending on your unique organizational needs, you may end up performing scans monthly or even weekly. The best way to assess vulnerability scanning frequency is to thoroughly understand your own security structure and the threats you face.

Q What is an SRA, why are they needed, and how often should they be completed?

A Security Risk Analysis (SRA) is "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the organization. This includes all e-PHI that an organization creates, receives, maintains, or transmits. All forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media," are also subject to the assessment. Because risk analysis procedures are unique to each organization, the resources and time required to perform one may vary. HIPAA requires that SRAs be performed "periodically"; however, HCP recommends performing one at least annually. The findings of an SRA form the foundation upon which every organization should create and institute applicable safeguards. A successful SRA will help you identify potential gaps in your safeguards and identify action items to reduce risk to your organization.

Q Why should a healthcare practice complete an annual SRA?

Performing an SRA is one of the most important steps a healthcare practice can take to assess their HIPAA compliance on an annual basis. Yet, for many practices, an SRA is just a box to check. Healthcare Compliance Pros recommends that all of our clients complete an initial SRA with us. From there, the SRA should be updated as needed to ensure all threats and risks for the organization have been considered. Subsequent reviews should be completed at least annually thereafter. We understand a HIPAA compliant SRA may be a healthcare organization's best defense in the event of an OCR investigation.

Q If I don't have an EHR, do I have to conduct an SRA?

Yes, an accurate and thorough SRA includes ALL ePHI that is created, received, maintained, or transmitted. This includes billing systems, cloud storage, email applications, copy and fax machines, personal devices such as smartphones, laptops, tablets, and any electronic media involving ePHI. So, even if a healthcare organization doesn't use an EHR, there are most likely other locations that ePHI is stored, meaning an SRA should still be conducted.

August 2021

Q How does OSHA's Emergency Temporary Standard (ETS) apply to a clinic where healthcare services are performed on an outpatient basis?

The OSHA COVID-19 ETS does not apply to non-hospital healthcare services providing ambulatory care as long as all non-employees are screened before entering and those with COVID-19 symptoms are not permitted to enter your facility. Since ambulatory care refers to healthcare services performed on an outpatient basis, clinics providing care in private practice would not have to comply with the ETS as long as you meet the screening requirements. If you are hospital-based in a well-defined area, you would not be covered if all employees are vaccinated, and you meet the screening requirements.

However, if you are seeing patients who are COVID-19 positive or are not screening non-employees, then the ETS would apply to you. The ETS has several requirements, including developing a COVID-19 plan, designating COVID-19 safety coordinator(s) who are knowledgeable about infection control, and providing training to employees on the plan, just to name a few.

If you are not covered, OSHA has said that healthcare facilities still need to follow the CDC's guidelines for managing healthcare facilities during this time as well as have a COVID-19 plan that shows you've evaluated the risks to your employees and provided the necessary safeguards.

Q Are employers who aren't covered by the ETS still required to develop a COVID-19 plan?

Based on OSHA's guidance, employers must keep employees safe from harm under the general duty clause even when not covered under the ETS. HCP recommends that clients conduct a COVID-19 hazard assessment and review their current COVID-19 plan or develop a COVID-19 plan if none exists, to ensure they address the identified hazards. Once developed, employees should receive training on the plan to understand the risk of COVID-19 to them and the policies and procedures in place to help mitigate that risk. OSHA states this training should include:

  • Basic facts about COVID-19, including how it is spread and the importance of physical distancing (including remote work), ventilation, vaccination, use of face coverings, and hand hygiene.
  • Workplace policies and procedures implemented to protect workers from COVID-19 hazards.

HCP also recommends additional training when policies change, an employee's job duties change, and at least annually, much like any other training provided to comply with OSHA's requirements and recommendations.

Q What are the screening requirements under the ETS?

Screening requirements can be customized based on the facility's design and size. However, OSHA notes that asking questions about COVID-19 and illness is the minimum requirement for screening. OSHA also states that screening can include questions about wearing face coverings as recommended by the CDC and about individuals' recent exposures to COVID-19. Finally, the examples OSHA gives of screening methods include screening at the clinic entrance before allowing patients in, or over the phone prior to their arrival for their appointment at your facility.

Q What are the Effective Dates of the Emergency Temporary Standard?

Employers must comply with all requirements of the ETS, apart from the requirements relating to ventilation, barriers, and training, by July 6, 2021. Employers must comply with the remaining requirements by July 21, 2021. This means that employers should have reviewed the standard and applied its requirements to their workplace, if applicable, at this time.

July 2021

Q What kinds of eyewash stations meet OSHA standards?  

Based on OSHA and ANSI standards, we believe that any chemicals used to clean or sanitize that can cause injury (eye irritation) or are corrosive should be labeled as hazardous. If an employee may be exposed to such chemicals, an employer is required to provide and maintain a plumbed, permanent eyewash station or a self-contained, gravity-fed portable eyewash station.

If an employer determines an eyewash station is needed, then it must meet the standards provided in ANSI Z358.1-2014. OSHA often refers to ANSI for the most recent consensus standard. Those standards include having at least a 0.4 GPM flow rate for 15 minutes, having a valve mechanism that doesn't have to be held on, being supplied with suitable flushing fluid, being located 10 seconds or less from possible contaminants, and having a flow meter and test gauge for weekly testing. If a self-contained system does not meet these standards, it cannot be the only eyewash station available.

Q What are the mask requirements for vaccinated employees who work for an employer who is not covered by OSHA's ETS? 

OSHA's Emergency Temporary Standard (ETS) doesn't apply to an employer in "non-hospital ambulatory care settings where all non-employees are screened prior to entry and people with suspected or confirmed COVID-19 are not permitted to enter those settings" (1910.502(a)(2)(iii)). However, the ETS does encourage employers to "follow public health guidance from the Centers for Disease Control and Prevention (CDC) even when not required" by the ETS.

Also, OSHA states in "Protecting Workers: Guidance on Mitigating and Preventing the Spread of COVID-19 in the Workplace" that "where the ETS does not apply, employers are required under the General Duty Clause, Section 5(a)(1) of the OSH Act, to provide a safe and healthful workplace free from recognized hazards that are causing or likely to cause death or serious physical harm." This means that employers still must have some sort of COVID-19 plan in place to prevent injury or illness to their employees, even if they don't have to comply with the ETS itself.

The CDC's "Updated Healthcare Infection Prevention and Control Recommendations in Response to COVID-19 Vaccination" information for Healthcare Personnel states, "In general, fully vaccinated HCP should continue to wear source control while at work. However, fully vaccinated HCP could dine and socialize together in break rooms and conduct in-person meetings without source control or physical distancing. If unvaccinated HCP are present, everyone should wear source control and unvaccinated HCP should physically distance from others."

In our opinion, this means that OSHA is referring healthcare facilities to the CDC's recommendations if the ETS doesn't apply to them. Since the CDC says that vaccinated HCP should continue to wear masks in most situations, we believe that healthcare facilities who are not covered by the ETS still need to follow the CDC's guidance and have all employees wear masks unless they are by themselves or with only other vaccinated employees.

Q Do vaccinated healthcare personnel employees have to wear masks while at work? What are the OSHA penalties for non-compliance? 

The ETS exemption for screened non-hospital ambulatory care settings (1910.502(a)(2)(iii)), the General Duty Clause obligation under Section 5(a)(1) of the OSH Act, and the CDC's "Updated Healthcare Infection Prevention and Control Recommendations in Response to COVID-19 Vaccination" quoted in the answer to the previous question apply here as well.

Based on the references above, in our opinion, OSHA is referring HCPs to the CDC's recommendations if the ETS doesn't apply to them. Since the CDC says that vaccinated HCP have to wear masks in most situations, we believe that you need to follow the CDC's guidance and have all employees wear masks unless they are by themselves or with only other vaccinated employees if the ETS doesn't apply to you.

Also, failing to follow OSHA standards can be punished civilly with fines of up to $134,937 per violation. The penalties are as follows:

Penalties for Civil OSHA Violations:

  • Penalty range - From $964 to $13,494 per violation

  • Penalty range - From $0 to $13,494 per violation

Willful or Repeated

  • Penalty range - From $9,639 to $134,937 per violation

Posting Requirements

  • Penalty range - From $0 to $13,494 per violation

Failure to Abate

  • Penalty range - $13,494 per day unabated beyond the abatement date (generally limited to 30 days maximum)

Q The ETS requires me to conduct a hazard assessment of my workplace. What does that entail?  

The hazard assessment process is intended to help employers identify and understand where COVID-19 hazards potentially exist and what controls must be implemented in their workplace in order to minimize the risk of transmission of COVID-19. As part of the hazard assessment, employers must inspect the entire workplace to find existing and potential risks of employee exposure to COVID-19.

Employers have flexibility to determine the best approach to accomplish the overall hazard assessment. However, the hazard assessment must include an evaluation of employees' potential workplace exposure to all people present at the workplace, including patients, coworkers, employees of other entities, members of the public, clients, independent contractors, visitors, and other non-employees. Places and times where people may congregate or come in contact with one another must be identified and addressed, regardless of whether employees are performing an assigned work task or not. Employers must also consider how employees and other persons enter, leave, and travel through the workplace, in addition to addressing potential COVID-19 hazards employees are exposed to at fixed work locations. While conducting the hazard assessment, employers must assess each employee's potential COVID-19 exposure, but can do so generally.

When conducting hazard assessments, employers should document the following information to assist them in developing and implementing their COVID-19 plans:

  • Specific hazards or risk factors identified
  • A plan to abate the identified hazards or risk factors in a timely manner
  • Date(s) the assessment was performed
  • The names and titles of the individuals who participated in the evaluation and contributed to the written plan
  • A description of the actions to be taken
  • Actions planned to address and prioritize mitigation of identified hazards or risk factors
  • Identification of high-risk area(s), tasks, and occupations
  • Communication of the status of planned or completed actions to employees who may be affected by the identified hazards or risk factors
  • The dates by which planned actions are to be completed
  • Written documentation of completed actions including:
    • What method(s) of control was/were decided upon
    • Area(s) where control(s) was/were implemented
    • Specific date(s) of completion
    • The names and titles of the individuals who authorized and managed implementation of the control(s)

If an employer identifies a COVID-19-related exposure hazard during the hazard assessment, then the employer must implement controls to eliminate or mitigate the hazard, such as physical distancing, physical barriers where appropriate, PPE when distancing is infeasible, and cleaning and disinfection protocols. These hazard controls must be consistent with the relevant requirements in this ETS. The employer must develop a reasonable plan to abate identified COVID-19 hazards.

June 2021 FAQ

Q Can you make it mandatory for your employees to have the COVID vaccination as part of the requirement for employment?

Federal EEO laws do not prevent an employer from requiring all employees physically entering a workplace to be vaccinated. However, Title VII and the ADA require employers to provide reasonable accommodations for employees who, because of disability or sincerely held religious belief, practice, or observance, do not get vaccinated against COVID-19, unless providing the accommodation would pose an undue hardship.

Examples of accommodations include the use of a face mask, changes in physical location or distancing from coworkers, working a modified shift, periodic testing for COVID-19, and telehealth opportunities.

Q What is the purpose of a compliance committee? Does this requirement apply to smaller healthcare organizations?

Based on the guidance provided by the OIG, it is our recommendation that a corporate compliance committee meet quarterly to review the results of coding audits, the lists of excluded individuals and entities, the complaints that have been submitted, the results of investigations, and any corrective action taken. This is also a good time to discuss any changes in compliance policies and procedures that may be needed.

When an organization is small, such as yours, a compliance committee can consist of the compliance officer, doctor/owner, and/or HR officer. If all the organization has is a compliance officer, then the compliance officer should meet with the doctor/owner to discuss compliance at least quarterly. If that's not possible, the compliance officer or department manager can go through a compliance meeting checklist themselves every quarter and write down what is going on and what needs to be improved. However, regardless of the size of your organization, you still need to be reviewing your compliance program regularly and making changes or updates as needed.

Q Is an employer permitted to ask employees about their COVID-19 vaccination status?

An employer is permitted to ask if an employee obtained a COVID-19 vaccination. Employers may also request documentation that shows the employee obtained the vaccine. If an employer requires employees to provide documentation that they have received a COVID-19 vaccination, the employer may want to warn the employee not to provide any medical information as part of the proof to avoid implicating the ADA. Also, any documentation or other confirmation that an employee provides as proof of their vaccination status must be protected just like any other employee medical information and kept confidential. It may not be released to anyone else without the employee's consent.

Q What will happen if a covered entity uses an EMR that is not certified after April 5, 2021?

If a provider does not provide access to a patient's data when requested, they will be given appropriate disincentives as a penalty for information blocking as stated in the 21st Century Cures Act. If your EMR does not allow for the appropriate electronic health information (EHI) to be shared with a patient when they have requested it, you could be subject to these disincentives, including not being able to attest to MIPS.

However, there is a content and manner exception that currently exists for requests made before October 2022. If your EMR does not have the technical ability to fulfill patient access requests as stated in the Act, you can negotiate with the patient to provide the information in another manner. When providing this information, you would be required to provide the same data as the adopted USCDI standard using technology certified to the same standard. If that is not possible, you can provide the data in an alternative machine-readable format that includes the appropriate software in order to interpret the information.

If your EMR provider has stated they are actively working to make the necessary changes, you should be able to meet the interoperability requirements once April rolls around. However, we recommend being prepared to provide an alternate format for the patients who make these requests so you can meet the content and manner exception if needed until your EMR provider publishes the necessary updates.

May 2021 FAQ

Q If fraudulent behavior is reported through the compliance hotline, does it need to be reported to a government agency?

The purpose of a compliance hotline is to provide an anonymous way for individuals to report "suspected" fraudulent behavior. When the report comes in, it is just a report. It must be investigated by the organization. If found to be true, then the organization should determine next steps for dealing with the fraudulent behavior. It could include self-reporting and potentially paying back claims. This decision is typically made by the organization with the guidance of legal counsel.

Q Is Corporate Compliance training only required if the organization is contracted with Medicare?

No. As part of participation in any federal payment program, like Tricare or Medicaid, a provider is required to have an effective corporate compliance program. Part of an effective program includes corporate compliance training. Additionally, many payors are contractually obligated to ensure that all of their FDRs maintain a corporate compliance program. Healthcare providers would be considered an FDR and therefore would be required by their contracts with payors to have a compliance program which includes training.

It's a good idea for our clients who think they don't have to have a corporate compliance program in place to check their payor contracts to see exactly what is required of them and if a corporate compliance program with training is a requirement of their payors. The only time that a corporate compliance program is certain to not be required is if the provider only accepts cash-paying patients.

Q Does the Corporate assessment need to be filled out for each physical location, if there are different tax IDs, or just for the main office?

It is not necessary for each physical location to complete the assessment. However, if each location is billing under a different Tax ID number, then each organization would need to have their own compliance program. Completing our assessment would be a part of that process. Because these situations are so unique, clients should reach out to their support team for additional guidance.

Q Is the hotline only for FW&A or can clients use it as they choose?

It is not used exclusively for FW&A reports. It can be used to report harassment, discrimination, HIPAA violations, etc. Clients can utilize the hotline however they choose.

Q Does a compliance committee meeting need to include a certain number of people and do they need to be the same assigned people each time?

We recommend that the members of the compliance committee include anyone who has oversight over compliance issues: HIPAA, OSHA, contracting, billing/coding, etc. This will include compliance officers and can include other managers/administrators. If not already covered through the inclusion of managers, it should also have representatives from the various departments of the organization to make sure that the needs and perspectives of those departments are represented. Additional members can be added temporarily as the focus of the compliance activities changes (e.g., an audit or other special project), but the core members will always be the same.