Tips & FAQs
You have questions. We have answers.
Q Why should a healthcare practice complete an annual SRA?
Performing an SRA is one of the most important steps a healthcare practice can take to assess its HIPAA compliance on an annual basis. Yet, for many practices, an SRA is just a box to check. Healthcare Compliance Pros recommends that all of our clients complete an initial SRA with us. From there, the SRA should be updated as needed to ensure all threats and risks to the organization have been considered. Subsequent reviews should be completed at least annually thereafter. A HIPAA-compliant SRA may be a healthcare organization's best defense in the event of an OCR investigation.
Q What is an SRA, why are they needed, and how often should they be completed?
A Security Risk Analysis (SRA) is "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the organization. This includes all e-PHI that an organization creates, receives, maintains, or transmits. All forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media," are also subject to the assessment. Because risk analysis procedures are unique to each organization, the resources and time required to perform one may vary. HIPAA requires that SRAs be performed "periodically"; HCP recommends performing one at least annually. The findings of an SRA form the foundation upon which every organization should create and institute applicable safeguards. A successful SRA will help you identify potential gaps in your safeguards and identify action items to reduce risk to your organization.
Q If I don't have an EHR, do I have to conduct an SRA?
Yes, an accurate and thorough SRA includes ALL ePHI that is created, received, maintained, or transmitted. This includes billing systems, cloud storage, email applications, copy and fax machines, personal devices such as smartphones, laptops, tablets, and any electronic media involving ePHI. So, even if a healthcare organization doesn't use an EHR, there are most likely other locations that ePHI is stored, meaning an SRA should still be conducted.
Q What is best practice and how often should vulnerability scans and penetration tests be run?
HIPAA does not require vulnerability scans or penetration testing to be performed on a specific timeline. Frequency should be based on the specific needs of the covered entity or business associate. If your organization is looking to maintain a high level of security, vulnerability scanning needs to be part of your information security program. Vulnerability scans should be conducted after any major system, organization, or infrastructure change to ensure you're aware of any security gaps. Overall, an industry best practice is to perform vulnerability scanning at least once per quarter. Quarterly vulnerability scans tend to catch any major security holes that need to be assessed, but depending on your unique organizational needs, you may end up performing scans monthly or even weekly. The best way to assess vulnerability scanning frequency is to thoroughly understand your own security structure and the threats you face.
Q Is a Disaster Recovery Plan (DRP) a HIPAA requirement, and what is it?
Yes, HIPAA regulations require every organization to develop and maintain current DRPs. A DRP is a detailed listing of how your organization is set up to deal with potential disasters. It should focus on the results of your analysis of business processes and how to maintain continuity. Disaster prevention is also an essential part of a DRP. While many potential disasters are unavoidable, planning for prevention could lessen the impact on your business processes.
Q Why must I test my DRP?
Once you have developed your DRP, it is essential to determine whether it actually works. By properly testing your DRP, you help avoid unnecessary surprises, and testing allows you to make any changes that prove necessary. Further, a tested plan enables employees to know what to do and to execute their responsibilities in a disaster. Your DRP must be tested periodically because, as we all know, disasters can happen at any time, and no two situations are the same.
Q What should a DRP include?
Creating a DRP is a unique and precise process for every organization. Each plan will be specific to the organization and will have different key business processes to prepare for as well as different areas of significant impact.
However, the primary goals of a DRP are to:
- Minimize interruptions to crucial business processes.
- Limit the extent of disruption and damage.
- Minimize the financial impact of the interruption.
- Establish alternate ways to continue operating in advance.
- Train all staff on emergency procedures.
- Provide for efficient and prompt restoration of service.
Each organization will need to determine which business processes are most likely to be significantly impacted by an unforeseen event or possible disaster and determine the steps and time it would take to restore those processes.
Q Do I still need a DRP if we save everything on ‘the cloud’?
More than ever, organizations are utilizing external environments to store their ePHI (often referred to as "the cloud"). While there are benefits to using cloud storage, a DRP is still necessary for maintaining your HIPAA compliance. In a cloud setting, disaster recovery planning should include procedures for access to ePHI and for replacement of hardware and software. It should specify the approval process for the use of virtual machines. It should also include information on maintaining crucial business practices if your data is unavailable for a period of time. In a disaster there may be bandwidth issues, loss of internet access, power loss, etc., that make it difficult to reach data even in a cloud environment. It is important to become familiar with the specific protocols of your cloud storage or EMR vendor. You can ask your vendor to provide information on their DRP protocols, including frequency of backups, encryption levels, redundancies, and testing schedules. Those details can inform a DRP that meets both HIPAA requirements and your organization's specific needs.
Q Do you have cyber liability insurance?
With the rising rate of cybercrime in the healthcare industry, we recommend that organizations take extra steps to help protect themselves from the high cost of a cyber-attack. One way to do this is to have cyber liability insurance, which is a type of insurance designed to cover expenses related to cyber-attacks. These expenses may include the cost of notifying patients, business interruption expenses, fees associated with bringing systems back online, and potential fines or penalties associated with the incident.
Q Is penetration testing required for an SRA?
While penetration testing is not a named requirement for HIPAA compliance, it is a best practice. The healthcare industry has become a prime target for attackers because of the amount of sensitive data that covered entities and their business associates maintain. As such, covered entities and their business associates need to have policies and processes in place in order to safeguard this data. In order to develop policies and processes that will protect PHI appropriately, a CE needs to know where its vulnerabilities are. Penetration testing is one way to achieve this. In fact, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-66, which recommends penetration testing as part of implementing the HIPAA Security Rule, to determine potential vulnerabilities and validate that the proper safeguards are in place.
Q What does an ePHI asset inventory need to include?
According to the OCR, an asset inventory includes hardware, software, and data assets. Hardware assets are "Physical elements of the organization's networks and systems, including electronic devices and media." Software assets are "Programs or applications that run on the hardware assets, including databases, email and financial record systems, backup solutions, and anti-malware tools." Data assets are "ePHI that is created, received, maintained, or transmitted on the network or with the hardware assets."
The OCR found that providers frequently do not know where all of their ePHI is located, which creates problems for compliance with the risk analysis requirements of the HIPAA Security Rule. Understanding where your organization stores ePHI is essential to conducting an accurate and thorough risk analysis as required by HIPAA. This is why the OCR specifically recommends that health care providers and business associates create information technology (IT) asset inventories in order to track where electronic protected health information (ePHI) is located within their organization.
Q What is workplace violence?
Workplace violence is considered any act or threat of physical violence, harassment, intimidation, or other threatening disruptive behavior that happens in the workplace. It may include threats, verbal abuse, physical assaults, and even homicide. It can affect and involve employees, clients, patients, and visitors.
Q What is workplace harassment?
Workplace harassment involves unwelcome and offensive conduct that is based on race, color, national origin, sex (including pregnancy, gender identity, and sexual orientation), religion, disability, age (age 40 or older), or genetic information. Examples of harassment include offensive or derogatory jokes, racial or ethnic slurs, pressure for dates or sexual favors, unwelcome comments about a person's religion or religious garments, or offensive graffiti, cartoons, or pictures. Sexual harassment includes unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature. Harassment does not have to be of a sexual nature, however, and can include offensive remarks about a person's sex.
Q When is harassment considered illegal?
Not all workplace harassment is illegal. For workplace harassment to be illegal, the conduct must be either severe or pervasive (frequently occurring). It doesn't have to be both. The laws enforced by the EEOC do not prohibit simple teasing, offhand comments, or isolated incidents that are not very serious.
Q How can organizations make their workplace safer for their employees?
Employers are required to always maintain a safe work environment for all employees. This includes preventing and addressing unsafe work environments, harassment (including sexual harassment), and workplace violence when it arises. Organizations must have policies and procedures, including information on how to prevent and report incidents, that will support their employees' safety from violence and harassment in the workplace.
June 2023 FAQ
Q How can healthcare organizations ensure the confidentiality, integrity, and availability of patient health information?
Healthcare organizations can take several measures to ensure the confidentiality, integrity, and availability of patient health information. Here are some key practices and strategies:
- Implement strong access controls: Use role-based access controls (RBAC) to ensure that only authorized personnel have access to patient health information. Assign appropriate access levels based on job roles and responsibilities.
- Train and educate staff: Provide comprehensive training to all staff members regarding the importance of patient privacy and security. Train them on best practices for handling and safeguarding health information, including the proper use of passwords, encryption, and secure communication channels.
- Encrypt sensitive data: Utilize encryption techniques to protect patient health information both at rest and in transit. This ensures that even if data is compromised, it remains unreadable and unusable to unauthorized individuals.
- Maintain strong physical security: Implement physical security measures such as access controls, video surveillance, and secure storage to prevent unauthorized access to patient records and information.
- Use secure technology: Implement robust security measures for the organization's IT infrastructure, including firewalls, intrusion detection and prevention systems, and regular security audits. Ensure that software and hardware systems are regularly updated with the latest security patches.
- Conduct regular risk assessments: Perform periodic assessments to identify potential vulnerabilities and risks to patient health information. This includes evaluating the security of systems, networks, and applications, as well as assessing risks associated with internal processes and employee practices.
- Enforce strong password policies: Encourage the use of strong, unique passwords and implement policies that require regular password changes. Consider implementing multi-factor authentication for an added layer of security.
- Maintain backups and disaster recovery plans: Regularly back up patient health information and develop comprehensive disaster recovery plans to ensure that data can be restored in case of accidental loss, natural disasters, or cyber-attacks.
- Comply with regulations: Familiarize yourself with relevant data privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and ensure compliance with all applicable requirements.
- Monitor and audit access: Implement monitoring systems to track and log access to patient health information. Regularly review audit logs to identify any unauthorized access attempts or suspicious activities.
- Establish incident response procedures: Develop and regularly update incident response plans to address potential security incidents promptly. This includes procedures for reporting, investigating, and mitigating security breaches or unauthorized disclosures.
- Engage third-party vendors carefully: If working with third-party vendors or service providers who handle patient health information, ensure they have robust security measures in place. Establish clear expectations and contractual agreements regarding data protection and confidentiality.
By implementing these practices, healthcare organizations can significantly enhance the confidentiality, integrity, and availability of patient health information, safeguarding patient privacy and trust.
Q What are the legal and regulatory requirements for security risk analysis in the healthcare industry?
In the healthcare industry, security risk analysis is an essential process for protecting sensitive patient information and ensuring compliance with legal and regulatory requirements. The legal and regulatory requirements for security risk analysis in healthcare vary by country and region; an overview of some common requirements in the United States follows.
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA sets the standard for protecting sensitive patient data, known as protected health information (PHI). Covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, are required to conduct regular security risk analyses as part of their HIPAA compliance efforts.
- HIPAA Security Rule: The HIPAA Security Rule establishes a series of administrative, physical, and technical safeguards that covered entities must implement to protect PHI. Conducting a security risk analysis is a core requirement under the Security Rule, which helps covered entities identify potential vulnerabilities and risks to the confidentiality, integrity, and availability of PHI.
- Centers for Medicare and Medicaid Services (CMS) Promoting Interoperability Programs: Formerly known as the Medicare and Medicaid EHR Incentive Programs, these programs require eligible healthcare providers to conduct a security risk analysis as part of their meaningful use requirements. The analysis helps ensure the protection of electronic health records (EHRs) and the privacy of patient data.
- HITECH Act: The Health Information Technology for Economic and Clinical Health (HITECH) Act reinforces HIPAA regulations and places additional emphasis on the security and privacy of electronic health information. The Act requires covered entities to conduct a security risk analysis and notify affected individuals and regulatory bodies in the event of a data breach.
- State Data Breach Notification Laws: Many U.S. states have their own data breach notification laws that require organizations, including healthcare entities, to notify individuals and appropriate authorities in the event of a security breach. Conducting a security risk analysis is crucial to identifying and mitigating vulnerabilities that could lead to a breach.
It's important to note that these requirements are not exhaustive, and healthcare organizations should consult with legal experts and relevant regulatory bodies to ensure compliance with specific laws and regulations applicable to their jurisdiction. Additionally, other standards and frameworks, such as the National Institute of Standards and Technology (NIST) cybersecurity framework, can provide guidance for conducting security risk analyses in the healthcare industry.
Q What are the consequences of not conducting security risk analysis in the healthcare industry?
The consequences of not conducting security risk analysis in the healthcare industry can be significant and pose serious risks to both patient data and the overall functioning of healthcare organizations. Here are some potential consequences:
- Data breaches: Without conducting security risk analysis, healthcare organizations may overlook vulnerabilities in their systems and networks. This increases the likelihood of data breaches, where sensitive patient information such as medical records, personal details, and financial data can be exposed. Data breaches not only compromise patient privacy but can also result in legal and financial liabilities for healthcare providers.
- Patient harm: Inadequate security measures can lead to patient harm. For example, if unauthorized individuals gain access to medical devices or alter patient records, it could potentially impact the accuracy of diagnoses, treatments, and medications. Patient safety can be compromised, leading to incorrect or delayed care, potential medical errors, and adverse health outcomes.
- Legal and regulatory penalties: Many countries have enacted laws and regulations to protect patient data, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. Failure to conduct security risk analysis and comply with these regulations can result in severe legal consequences, including fines, penalties, and legal actions.
- Damage to reputation and trust: A security breach in the healthcare industry can cause significant damage to the reputation and trust of the affected organization. Patients may lose confidence in the healthcare provider's ability to safeguard their sensitive information, leading to a decline in patient volume and potential loss of business. Rebuilding trust after a breach can be a challenging and lengthy process.
- Operational disruptions: Security incidents can disrupt the normal operations of healthcare organizations. Remediation efforts, investigations, and recovery processes can be time-consuming and costly. In some cases, organizations may need to temporarily suspend services, causing inconvenience to patients and potential financial losses.
- Financial impact: Security breaches can result in substantial financial losses. Organizations may face expenses related to incident response, forensic investigations, legal fees, credit monitoring for affected patients, and potential litigation costs. Moreover, organizations may also experience a decline in revenue due to reputational damage and decreased patient confidence.
- Loss of competitive advantage: Healthcare organizations that fail to prioritize security risk analysis may lose their competitive advantage in the industry. Patients and healthcare partners are increasingly valuing privacy and security when choosing providers. Demonstrating a robust security posture and commitment to protecting patient data can differentiate organizations in the marketplace.
Overall, the consequences of not conducting security risk analysis in the healthcare industry can be severe, affecting patient privacy, organizational reputation, financial stability, and patient care quality. It is crucial for healthcare organizations to prioritize security risk analysis and implement appropriate measures to mitigate these risks.
Q Why is it essential to complete a Security Risk Analysis?
The scope of the risk analysis includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all ePHI that our organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes ePHI in all forms of electronic media, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, our organization's risk analysis takes into account all of its ePHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its ePHI.
Q Why does my organization need to document security policies and procedures?
Covered entities are required to maintain implemented policies and procedures in written or electronic format. If an action, activity, or assessment is required, then you must maintain a written or electronic record of the action, activity, or assessment. Documentation must be maintained for six years (federal requirement) from the date of its creation or the date when it was last in effect, whichever is later. Documented policies and procedures are required to be available to the individuals to whom they pertain. Documented policies and procedures are required to be reviewed periodically and updated as needed.
Q How can healthcare organizations train their staff to be aware of security risks and promote a culture of security?
Training healthcare staff to be aware of security risks and promoting a culture of security is crucial for healthcare organizations to protect patient data and maintain the integrity of their systems. Here are some strategies to achieve that:
- Develop comprehensive security policies: Establish clear and detailed security policies and procedures that outline the organization's expectations for data protection and privacy. Include guidelines for staff on handling sensitive information, using secure communication channels, and adhering to password best practices.
- Conduct regular security training sessions: Provide ongoing training sessions to educate staff about the latest security threats and best practices for data protection.
May 2023 FAQ
Q If fraudulent behavior is reported through the compliance hotline, does it need to be reported to a government agency?
The purpose of a compliance hotline is to provide an anonymous way for individuals to report "suspected" fraudulent behavior. When the report comes in, it is just a report. It must be investigated by the organization. If found to be true, then the organization should determine next steps for dealing with the fraudulent behavior. It could include self-reporting and potentially paying back claims. This decision is typically made by the organization with the guidance of legal counsel.
Q Is Corporate Compliance training only required if the organization is contracted with Medicare?
No. As part of participation in any federal payment program, like Tricare or Medicaid, a provider is required to have an effective corporate compliance program. Part of an effective program includes corporate compliance training. Additionally, many payors are contractually obligated to ensure that all of their FDRs (first-tier, downstream, and related entities) maintain a corporate compliance program. Healthcare providers would be considered FDRs and therefore would be required by their contracts with payors to have a compliance program which includes training.
It's a good idea for our clients who think they don't have to have a corporate compliance program in place to check their payor contracts to see exactly what is required of them and if a corporate compliance program with training is a requirement of their payors. The only time that a corporate compliance program is certain to not be required is if the provider only accepts cash-paying patients.
Q Does the Corporate assessment need to be filled out for each physical location, if there are different tax IDs, or just for the main office?
It is not necessary for each physical location to complete the assessment. However, if each location is billing under a different Tax ID number, then each organization would need to have their own compliance program. Completing our assessment would be a part of that process. Because these situations are so unique, clients should reach out to their support team for additional guidance.
Q Is the hotline only for FW&A or can clients use it as they choose?
It is not used exclusively for FW&A reports. It can be used to report harassment, discrimination, HIPAA violations, etc. Clients can utilize the hotline however they choose.
Q Does a compliance committee meeting need to include a certain number of people and do they need to be the same assigned people each time?
We recommend that the members of the compliance committee include anyone who has oversight over compliance issues: HIPAA, OSHA, contracting, billing/coding, etc. This will include compliance officers and can include other managers/administrators. If not already covered through the inclusion of managers, it should also have representatives from the various departments of the organization to make sure that the needs and perspectives of those departments are represented. Additional members can be added temporarily as the focus of the compliance activities changes (e.g., an audit or other special project), but the core members will always be the same.
Q I have heard the terms "cultural competence," "cultural humility," and "cultural responsiveness." Do these words mean the same?
As in any field or topic of discussion, you can articulate multiple words that mean similar ideas from subtle perspectives, and that is the case with these three terms.
- Cultural competence implies that one can meet the needs of culturally diverse clients. Perhaps a person might shy away from the term's use because of a misconception: you either have or do not have the skills (i.e., that one can actually "arrive," so to speak). However, a person does not arrive at cultural competence. Instead, instructive exposure to diverse cultures, having conversations, routinely discussing diversity, and learning new skills may help us appreciate the perspectives of culturally distinct people.
- Cultural humility is the awareness that working with culturally diverse individuals may require experts who understand a specific culture and thought processes. An individual can remain humble by allowing these experts to help guide this process. This does not mean the practitioner knows nothing. Instead, the practitioner engages each family as unique, from a strengths perspective, and allows for mutual learning toward a common goal: inclusive care.
- Cultural responsiveness helps people learn about culture, ethnicity, and language. The key difference is "responsiveness," which does not imply that one can be perfect and have attained all the skills and views needed to work with culturally diverse clients. It assumes one has the openness to adapt to the cultural needs of those with whom they work.
Q Are cultural competence trainings the way to ensure that my organization is culturally competent?
Cultural competence is an ongoing developmental process. While cultural competence trainings serve as a good means to increase provider knowledge, skills, and awareness, such training is insufficient in and of itself to make your organization culturally competent. Cultural competence trainings work best when they exist within a complete framework that supports them, such as, but certainly not limited to:
- The existence of policies that ensure equitable hiring practices;
- An environment that is welcoming to those of different cultures (e.g., pictures and brochures that have people of different ethnicities or types of families);
- Connections with cultural resources in the community.
Q What is my role as administrator in working towards cultural competence?
As an administrator, you can work to ensure cultural competence in a variety of ways. However, it is important that you see yourself as part of the change process. It does little good to schedule cultural competence trainings for your staff if you and other administrators do not attend these trainings. You are a cultural being, and as such, you are also prone to bias. Increasing your knowledge, skills, and awareness will help you better scrutinize practices in your organization to ensure that bias does not exist. It also supports your role as a leader and change agent. In addition, your attendance at these workshops shows your staff how much you care about the ideas of cultural competence. There are other means of working towards cultural competence; your attendance at trainings alone will not do the trick. You can:
- Avail yourself of resources on cultural competence
- Regularly assess cultural competence on both the practitioner and organizational level
- Include items that assess progress towards becoming culturally competent in staff evaluations
- Include cultural competence in your strategic plan
- Enact policies that make cultural competence a priority
- Recruit staff that is representative of the population you serve
- Reward and incentivize personal and professional attempts at becoming more culturally competent
- Engage your staff in regular discussions about diversity
- Consider culture in treatment planning and staff meetings
- Form relationships with cultural brokers/liaisons/resources in your community and seek their expertise when in doubt
- Evaluate whether or not there are barriers to service provision based on cultural preference for treatment options
There are many things that can be done at the level of administration. This list is not exhaustive, but will definitely point you in the right direction.
Q What is ethnicity? How is it different from race?
Ethnicity and race are often spoken about interchangeably, but they are not the same. Ethnicity refers to one's ethnic culture: the vast structures of behaviors, ideas, values, habits, rituals, ceremonies, and practices common to a particular group of people that provide them with a general design for living and patterns for interpreting reality. Conversely, race is a fictitious construct. There is no biological basis for race. That being said, when we say "race," we typically are identifying people by skin color: black, white, Asian, or Indian. Race, or skin color, is not a way to identify ethnicity or culture. One can be a black American or a white American. Likewise, one can be a black Trinidadian or an Indian Trinidadian, a white Puerto Rican or a black Puerto Rican. The two often intersect.
Q What are the typical areas in which there will be cross-cultural differences?
Kevin Avruch and Peter Black, who primarily work from the business relations perspective, outline six fundamental patterns of cross-cultural differences:
- Communication styles
- Attitudes towards conflict
- Approaches to completing tasks
- Decision making styles
- Attitudes towards disclosure
- Approaches to knowing
A simple Google search for these authors will yield detailed, insightful information with definitions and examples of what these differences mean as well as what they look like. However, as it pertains to mental health, there will be more differences, such as differences in the ways in which we describe these issues (some cultures have a limited vocabulary for emotion words, and the notion of "mental illness" does not exist), differences in what we think causes these issues ("God must be mad with us," "She is being punished for her early promiscuity," etc.), and differences in the ways we think we should go about solving these problems (individual therapy, medication management, prayer, reiki, chi gong, meditation, etc.).
Q Why does cultural competence matter?
Cultural competence is essential for a few reasons. The first major reason is because we live in a diverse society. We are diverse with respect to race/ethnicity, social class, gender, sexual orientation, ability, age and religion/spirituality. It should not be assumed that any perspective is better than the other. Each perspective is valid. Despite this truth, those who have traditionally been in positions of power have made rules and policies that are reflective of their cultural points of view, without realizing that they look at the world from a particular cultural lens. This unintentional bias has resulted in such things as the overrepresentation of African American and Hispanic groups in prison, juvenile detention, special education and foster care. In addition, these and other ethnic minority groups have been underrepresented in less punitive, treatment-oriented systems such as mental health and inpatient facilities.
Q We talk about ethnicity a lot, are there other culture or diversity issues we should be aware of?
Q How does OSHA define a recordable injury or illness?
- Any work-related fatality.
- Any work-related injury or illness that results in loss of consciousness, days away from work, restricted work, or transfer to another job.
- Any work-related injury or illness requiring medical treatment beyond first aid.
- Any work-related diagnosed case of cancer, chronic irreversible diseases, fractured or cracked bones or teeth, and punctured eardrums.
- There are also special recording criteria for work-related cases involving: needlesticks and sharps injuries; medical removal; hearing loss; and tuberculosis.
Q How does OSHA define first aid?
- Using a non-prescription medication at nonprescription strength (for medications available in both prescription and non-prescription form, a recommendation by a physician or other licensed health care professional to use a non-prescription medication at prescription strength is considered medical treatment for recordkeeping purposes);
- Administering tetanus immunizations (other immunizations, such as Hepatitis B vaccine or rabies vaccine, are considered medical treatment);
- Cleaning, flushing or soaking wounds on the surface of the skin;
- Using wound coverings such as bandages, Band-Aids™, gauze pads, etc.; or using butterfly bandages or Steri-Strips™ (other wound closing devices such as sutures, staples, etc., are considered medical treatment);
- Using hot or cold therapy;
- Using any non-rigid means of support, such as elastic bandages, wraps, non-rigid back belts, etc. (devices with rigid stays or other systems designed to immobilize parts of the body are considered medical treatment for recordkeeping purposes);
- Using temporary immobilization devices while transporting an accident victim (e.g., splints, slings, neck collars, back boards, etc.);
- Drilling of a fingernail or toenail to relieve pressure, or draining fluid from a blister;
- Using eye patches;
- Removing foreign bodies from the eye using only irrigation or a cotton swab;
- Removing splinters or foreign material from areas other than the eye by irrigation, tweezers, cotton swabs or other simple means;
- Using finger guards;
- Using massages (physical therapy or chiropractic treatment are considered medical treatment for recordkeeping purposes); or
- Drinking fluids for relief of heat stress.
Q What is the HIPAA Breach Notification Rule?
The Breach Notification Rule says that covered entities and business associates must tell affected patients, HHS, and the media when there is a breach of PHI. You must notify authorities of most breaches without reasonable delay and no later than 60 days after discovering the breach. Submit notifications of smaller breaches affecting fewer than 500 patients to HHS annually.
Most of the time, a HIPAA breach is an unauthorized use, transmission, or disclosure of PHI that compromises its security or privacy. If PHI is used or shared without permission, this is a breach, unless a risk assessment shows that there is a low chance that the PHI has been compromised. The severity of a breach incident is determined by factors including, but not limited to:
- The nature and extent of the PHI involved (i.e., the types of identification or the chances of re-identification)
- The unauthorized person who used the PHI or got the disclosed PHI
- Whether an individual acquired or viewed the PHI
- The extent to which you reduced the PHI risk
HIPAA requirements detail how a covered entity and business associate can handle protected health information (PHI). When a covered entity discovers a breach of unsecured PHI, the Department of Health and Human Services (HHS.gov) sets different recordkeeping and notification requirements depending on the severity of the incident.
Learn more specific information about "Submitting Notice of a Breach to the Secretary" here: (https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html)
Q What if a PHI breach incident affects 500 or more individuals?
The HIPAA Breach Notification Rule outlines the requirements for breach incidents affecting 500 or more individuals. A covered business must notify the Secretary within 60 days of discovering a breach of unsecured protected health information (PHI) affecting 500 or more individuals. The covered entity must submit the breach notification form electronically and fill out all essential fields of the breach notification form.
View a list of breaches affecting 500 or more individuals on OCR Portal here: (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
Q What if a PHI breach incident affects fewer than 500 individuals?
For breaches of unsecured protected health information (PHI) that affect fewer than 500 individuals, a covered entity shall notify the Secretary within 60 days of the end of the calendar year in which the breach was discovered. A covered entity can also report breaches impacting fewer than 500 people at the moment they are detected. The covered entity may notify all breaches impacting fewer than 500 people on one date, but each breach incident must be reported separately. The covered entity must fill out the breach notification form to submit the notice electronically.
Q Who enforces HIPAA rules and regulations?
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is a primary enforcement agency for rules set within the Health Insurance Portability and Accountability Act (HIPAA). The aim is for safeguards that ensure the privacy and security of protected health information (PHI).
Q Who must comply with HIPAA rules?
Covered entities and business associates must follow HIPAA rules. The goal is to protect the privacy and security of protected health information (PHI) and ensure patients' right of access. Examples of a Covered Entity may include, but are not limited to:
A Healthcare Provider
- Nursing Homes
A Health Plan:
- Health insurance companies
- Health Maintenance Organizations (HMO)
- Company health plans
- Government programs that pay for health care including Medicare, Medicaid, Military, and Veterans' health care programs
A Health Care Clearinghouse:
- Including establishments that process nonstandard health information received from another entity into a standard format (i.e., standard data content or standard electronic formats, or vice versa).
If you don't meet the definition of a covered entity or business associate, you don't have to comply with the HIPAA rules. For definitions of covered entities and business associates, see 45 CFR 160.103 (https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103)
Q Can biohazard specimen bags be reused if not visibly soiled?
Biohazard specimen transport bags should not be reused. Best practice and OSHA's recommendation is to dispose of each bag after use. Looking for visible contamination is not infallible because certain body fluids are colorless, meaning that although you may not see a spill, there is still the possibility of contamination. While the idea of reusing them to reduce waste is a valid one, the need for infection control precautions outweighs financial or excess trash considerations.
Q How long should autoclave results logs be kept?
We recommend following the CDC's guidelines as a best practice and retaining them for at least 3 years or as long as your state law requires if it is a longer timeframe. Healthcare providers may want to check with their local health department as well to see if there are local retention requirements.
Q Should a healthcare provider keep a log of biohazardous waste that is collected from them for disposal?
Yes, we recommend maintaining a log of when the hazardous waste is collected and removed from a healthcare provider's facility in addition to when they received the manifest that it was destroyed. Additionally, federal regulations require providers to keep the manifest, along with the biohazardous waste log and any other pertinent documents related to the packaging, storage, transport, or disposal of the medical waste for at least 3 years. HCP has a sample log available for clients to use when tracking the removal of biohazard waste, along with the transporter and date the certification of destruction is received.
Q What is considered "regulated waste"?
OSHA's Bloodborne Pathogens Standard uses the term, "regulated waste," to refer to the following categories of waste:
- liquid or semi-liquid blood or other potentially infectious materials (OPIM)
- items contaminated with blood or OPIM and which would release these substances in a liquid or semi-liquid state if compressed
- items that are caked with dried blood or OPIM and are capable of releasing these materials during handling
- contaminated sharps
- pathological and microbiological wastes containing blood or OPIM.
Q What are the differences between personal and professional use on social media platforms?
Personal use of social media generally refers to social media use on an account registered to an individual that is not used for business purposes. Professional use is generally using social media for approved business purposes on an account registered to an organization, practice, or provider.
Q Can organizations respond directly to patients who post comments or questions on social media?
When posting a response to a question, use limited information and suggest another communication method. If a patient asks you a question on a social media platform that could potentially lead to a disclosure of PHI, it is best to suggest that the patient contact you through another, more private form of communication. It is important to limit unnecessary or inappropriate access to and disclosure of PHI. Avoid accessing or discussing PHI that is not essential to the task at hand.
When posting on your personal social media account, if it is something you don't want the public to know or access, it is also a good idea to use a private form of communication instead. This includes when sharing information in "private" groups.
Q What are the risks involved with making social media posts?
Whether you are posting on your own or a professional account, it is important to understand the potential risks.
Some risks include:
- Anything that is posted has a risk of receiving negative feedback from the public that could hurt the success of the business and its reputation.
- The accidental sharing of PHI, proprietary information, or other content that could be used by those with malicious intent from the post.
- Having a difficult time managing and/or responding to posts and comments from users. Organizations need to train employees on how to respond to negative or inaccurate statements made on their posts.
Q If your organization has a social media account for professional use, what should be included in a social media policy for employees?
You may have language in place in a social media policy that states whether personal use of social media is permitted during business hours. Your policy may also explain the professional use of social media on behalf of the organization, practice, or provider: in other words, who should post, who should update, what should be published, etc. We have a Social Media template available for customization for your organization. Ask your support team for access.
Q Can healthcare organizations post pictures?
Never post any photos involving patients without authorization! Even then, be extremely cautious and always have written authorization. When pictures or patient information are used for purposes other than Treatment, Payment, and Operations (TPO), a valid HIPAA authorization must be obtained from the patient or the patient's legally authorized representative. This includes when posting on social media. When in doubt, check with your compliance officer before posting anything that could be considered PHI.
Q What if we are a non-medical facility? Does HCP offer a compliance program that suits us?
Yes! HCP offers a program tailored for Non-Medical Facilities. We help you maintain compliance with the following areas: OSHA, Human Resources, and Learning Management System. Working with HCP means you no longer have to wonder if you comply with your industry requirements.
Q We are Business Associates. How can HCP help support us in our compliance journey?
HCP offers a Healthcare Business Associate Package. That package helps you maintain compliance as it applies to HIPAA, Corporate, Human Resources, and Learning Management Systems, with an optional Compliance Risk Analyzer.
Q With so many compliance programs out there, what sets HCP apart from its competitors?
With HCP, you get a custom program tailored to meet your needs and have access to a dedicated support team that is there to work with you every step of the way. With our support team, you have a group personally dedicated to your facility. They are consistently monitoring your program and reaching out to you with quarterly updates to keep you informed on how you are doing and assist you with any areas that need improvement. You also have the ability to meet with your support team and discuss any questions or concerns that may arise. You will have their direct phone numbers and email addresses. So please, reach out to them and you will truly see the value of HCP's Compliance Services, and why our Support Team is one of our best features!
Q How is our Employee Handbook incorporated into HCP online training?
Healthcare Compliance Pros provides your organization with HIPAA Privacy, HIPAA Security, Corporate Compliance, OSHA, and Human Resources policies and procedures. While these policies and procedures are a blanket set, meaning they ensure your organization follows Federal requirements, taking some time to add language specific to your organization is an important step. (The first step of our program is completing the Organization Questionnaire; we take your answers and incorporate them into the compliance training.)
Q How does HCP help us stay compliant?
Being Compliant is a process that does not need to be completed all at once and doesn't need to be complicated. Rather, it is an ongoing process that we will be working with you to complete. For example, when you submit a Security Risk Analysis (SRA), a big part of that process is discussing HIPAA Security Policies and Procedures - addressable and required. Most of the policies that are discussed in your SRA, in addition to HIPAA Privacy policies and procedures, are included in our training modules.
Q How often does HCP update their training information?
Whether HIPAA, OSHA, Corporate Compliance, and/or Human Resources, the policies and procedures are always reviewed and updated, as necessary. These policies and procedures are always available wherever you have internet access, can be printed out as necessary, and provide a good way for your employees to complete their training.
Q What are the seven elements from The Office of Inspector General (OIG) for an effective compliance program, and how can Healthcare Compliance Pros (HCP) help me?
- Implementing written policies, procedures, and standards of conduct: HCP has customized training modules, policies, and procedures for your organization. We also have a huge library of sample policies, procedures, and forms.
- Designating a compliance officer and compliance committee: Once you have designated a compliance committee, HCP can help store your compliance committee meeting minutes.
- Conducting effective training and education: HCP has many training modules, including Compliance, Code of Conduct, HIPAA, OSHA, HR, and many more, all of which are customizable for your organization.
- Developing effective lines of communication: HCP can also help your organization establish an anonymous hotline.
- Conducting internal monitoring and auditing: HCP is here to help check your employees and vendors monthly against the OIG Exclusion List and the SAM list. We can even help run background checks. We also have a HIPAA incident reporting log that can help you determine if an incident is reportable or not reportable and provide steps in the mitigation process. We also offer a billing and coding audit service through our Compliance Risk Analyzer (CRA).
- Enforcing standards through well-publicized disciplinary guidelines: HCP can help you develop a disciplinary policy, since we offer many sample templates of policies and procedures.
- Responding promptly to detected offenses and undertaking corrective action: HCP has several ways to help you track and log compliance and HIPAA issues, along with forms to help you through the process of logging and responding and putting a corrective action plan in place. Plus, we also offer an anonymous hotline for your employees to report compliance issues.
Q What are the seven elements of an effective compliance program?
1) Written Policies and Procedures
2) Designation of a Compliance Officer and a Compliance Committee
3) Training and education
4) Auditing and monitoring
5) Open lines of communication
6) Response to detected problems and correction
7) Enforcement of disciplinary standards
Q How do you know what is expected of you?
Standards of Conduct (or Code of Conduct) state the organization's compliance expectations and their operational principles and values.
Q Is Corporate Compliance Training only required if the organization is contracted with Medicare?
No. As part of participation in any federal payment program, like Tricare or Medicaid, a provider is required to have an effective corporate compliance program. Part of an effective program includes corporate compliance training. Additionally, many payors contract with CMS in some way or another and, as a part of that, require all contracted providers to maintain a corporate compliance program as part of their contract, regardless of whether the provider contracts with a federal payment program or not. It's a good idea for our clients who think they don't have to have a corporate compliance program in place to check their payor contracts to see exactly what is required of them and whether a corporate compliance program with training is a requirement of their payors. The only time that a corporate compliance program is certain to not be required is if the provider only accepts cash-paying patients.
Q Are there compliance policies and procedures that should be in place if an employee is allowed to work remotely from home?
Healthcare providers are required to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI and ePHI. They may allow employees to work from home as long as they have conducted a risk analysis and implemented appropriate safeguards to ensure the privacy and security of ePHI that will be accessed and transmitted remotely. Employees who work from home must comply with the same security protocols as employees who work onsite within the facility. They also still need to complete training on the organization's HIPAA Privacy and HIPAA Security policies and procedures.
Q Are there penalties for not training employees on Fraud, Waste, and Abuse (FWA) laws?
Yes. Laws and regulations exist that prohibit FWA. CMS and the OIG have stated that organizations must create and implement effective training and education on these laws and have policies and procedures in place to maintain compliance. Penalties for violating these laws may include but are not limited to civil monetary penalties, civil prosecution, criminal conviction, fines, exclusion from all federal healthcare program participation, imprisonment, and loss of professional license.
Q False Claims. What are the consequences of violating the False Claims Act?
Knowingly submitting false or fraudulent claims to Medicare and Medicaid is illegal. You may receive fines of up to 3x the program's loss plus $11,000.00 per claim filed for filing false or misleading claims.
Q What penalties can you face for violating any of the laws or regulations of fraud, waste, and abuse?
Penalties for violating these laws may include but are not limited to Civil Monetary Penalties, Civil prosecution, Criminal conviction/fines, Exclusion from participation in ALL Federal Healthcare programs, Imprisonment, and even Loss of provider license.
Q What sets Fraud apart from Waste and Abuse? And what are the consequences of Fraud?
Fraud requires the person to have the intent to obtain payment and know that their actions are wrong. Waste and Abuse may involve obtaining an improper payment but do not require the same intent and knowledge. Fraud, being the most severe of the three, has a devastating impact on not only the practice but the victims. Criminal penalties for submitting fraudulent claims include imprisonment and criminal fines. No one is safe from these repercussions. Even physicians have gone to prison for submitting false claims.
Q How serious is information blocking?
What are the penalties for blocking information? The 21st Century Cures Act empowers the HHS Office of Inspector General (OIG) to issue civil monetary penalties of up to $1 Million against software developers, networks, or exchanges that interfere with the proper exchange of ePHI. To put it simply, blocking health information is illegal.
Q How has the pandemic made fraud prevention more difficult?
The increase in remote working has created a new work environment that makes it more difficult to prevent fraud within organizations. With these new hurdles, a rise in security and fraud risk has become the new challenge. What is the main reason for this rise in fraud? More than a third of organizations report not having suitable fraud prevention and response plans established and in place.
Q What are the most common types of fraud the governments are seeing this year?
Kickback Schemes, Medically Unnecessary Services, Failure to properly charge Medicare/Medicaid patients for prescriptions, Allowing Nurses and Staff to Perform Examinations (essentially any staff members performing outside of their job duties/knowledge/training), and Upcoding.
Q What is the importance of completing compliance training?
When considering the requirement of providing a security awareness and training program, there are many real-life examples from which to learn. For example, recently, an Office for Civil Rights (OCR) investigation of an entity found long-standing non-compliance with HIPAA Rules, including failures to conduct a security risk analysis, provide a training program on security awareness, and implement HIPAA Security Rule policies and procedures. As a result of this investigation, the entity agreed to pay the Office for Civil Rights (OCR) $65,000 and adopt a corrective action plan to settle these violations of the HIPAA Security Rule.
Q Why is it essential to run my physicians, employees, and vendors through the OIG and SAM Exclusion List?
The Office of Inspector General was established to identify and eliminate fraud, waste, and abuse in the U.S. Department of Health and Human Services. The Secretary gave the OIG authority to exclude from participation in Medicare, Medicaid, and other Federal healthcare programs individuals that have engaged in fraud or abuse, and the OIG may impose civil money penalties (CMPs) for misconduct related to Federal healthcare programs. Here is a recent example of CMPs imposed on an eye care provider: this provider had to pay civil monetary penalties of $17,562.24 for employing an individual excluded from participation in the Federal health care programs.
Q With COVID-19 transmission predicted to go up this fall, what can employers do to be prepared to operate during high-transmission time periods?
Healthcare organizations should follow the CDC's and OSHA's recommendations to prepare for pandemic outbreaks of varying severity levels. Additionally, the CDC recommends encouraging everyday preventative actions for employees such as staying home when you are sick, covering your coughs and sneezes with tissues, washing your hands with soap and water for at least 20 seconds as often as you can, using at least 60% alcohol-based sanitizer if soap and water are not available, and cleaning frequently touched surfaces and objects.
Beyond that, nonpharmaceutical interventions (NPIs) have been recommended by public health officials to prevent the spread of communicable diseases. These additional actions include allowing staff members to telework, flexibility in allowing staff to stay home if they or someone in their house is sick, increasing space between staff at work as much as possible, but at least 3 feet, decreasing the frequency of contact among staff members, thinking about postponing or canceling work events and canceling or postponing non-essential work travel.
Finally, because this is an evolving situation and the CDC is providing new guidance on a regular basis, we recommend keeping up with the news of the COVID-19 outbreak, following the instructions of public health officials, updating any policies to keep in line with new recommendations as they may be announced, and providing accurate and consistent information to employees reflecting the guidelines of OSHA, the CDC, and other governmental agencies that may be providing them.
Q What are the PPE requirements for administrative and clinical employees concerning COVID-19 exposure, including those clinical employees who perform aerosol-generating procedures (AGP)?
OSHA's guidance refers to the CDC's infection control guidance. Additionally, a healthcare facility must conduct a risk assessment and determine which employees are at risk, what the risk is, and what PPE would be appropriate to provide. Regardless of the risk, standard precautions should be followed. Transmission-based precautions should be implemented when in contact with a suspected COVID-19 patient.
The CDC states that healthcare providers should implement universal use of personal protective equipment for healthcare providers. In areas of substantial or high transmission, all employees should be provided additional PPE based on their job responsibilities.
Q What portions of the OSHA COVID-19 Healthcare ETS are still in effect?
Q Should an employer include an employee's name on a sharps injury log?
A sharps injury log is intended to track injuries and the departments, devices, or procedures that are causing them. It's not meant to track injured employees. As such, the sharps injury log does not need to include the employee's name. In fact, OSHA states that including the employee's name jeopardizes their confidentiality. If an employer chooses to keep employee names on their log, they have to remove them if asked to share the report with anyone to keep the employee information on the log confidential. However, the bloodborne exposure incident report completed after an exposure incident should include the employee's information, the situation leading to the incident, etc., and be kept in their employee medical records.
Q What should clients consider when designating an infection control safety coordinator?
The infection control safety coordinator should be someone who is able to understand and identify infectious disease hazards in the workplace and must be knowledgeable in infection control principles and practices as they apply to the workplace and employee job operations. Additionally, the safety coordinator must have the authority to ensure compliance with all aspects of the organization's infectious disease plan so that they can take prompt corrective measures when hazards are identified.
Employers' designated safety coordinators should implement and monitor the infectious disease plan, but the exact responsibilities of a safety coordinator may vary based on the employer and workplace.
Q Do OSHA regulations and standards apply to the home office?
The Department of Labor's Occupational Safety and Health Administration (OSHA) does not have any regulations regarding telework in home offices. The agency issued a directive in February 2000 stating that the agency will not conduct inspections of employees' home offices, will not hold employers liable for employees' home offices, and does not expect employers to inspect the home offices of their employees. If OSHA receives a complaint about a home office, the complainant will be advised of OSHA's policy. If an employee makes a specific request, OSHA may informally let employers know of complaints about home office conditions but will not follow up with the employer or employee.
Employers who are required to keep records of work-related injuries and illnesses will continue to be responsible for keeping such records for injuries and illnesses occurring in a home office.
Q Are employers required to have all employees vaccinated against Hepatitis B?
No. Employers are required to offer the Hepatitis B vaccine when the employee starts work to comply with OSHA's Bloodborne Pathogens Standard 29 CFR 1910.1030. Employees can decline the Hepatitis B vaccine and would need to sign a declination form. HCP has a form called "Certification of Hepatitis B Vaccination and Declination Form" that can be used for documentation.
Q When must employers offer employees the Hepatitis B vaccine?
OSHA's Bloodborne Pathogens Standard 29 CFR 1910.1030 states the Hepatitis B vaccine must be offered after training and within ten days of the employee being assigned a job where there is occupational exposure unless the worker has already received the vaccine series previously.
Q What does the 21st Century Cures Act provide?
The purpose of the Cures Act is to provide patients access to their information in a more transparent way. It prohibits information blocking and defines practices considered reasonable activities that wouldn't be considered information blocking.
In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).
Q What changes take place in October 2022?
Beginning October 6, 2022, the interim limitation of electronic health information (EHI) to a narrow set of data elements ends, and EHI means all electronic PHI that would be included in a designated record set. Patients' right of access under the HIPAA Privacy Rule is unchanged; the Cures Act simply refers to that electronic information as EHI. ONC also encourages that "Information Blocking Actors respond to requests for access, exchange, or use of EHI with as much EHI as possible in order to promote interoperability and to practice applying the exceptions. In comparison to the far narrower set of data elements, this definition of EHI, inclusive of all electronic PHI in a designated record set, is much more extensive from a coverage standpoint for Information Blocking Actors."
Q How do organizations make sure they are following the rules of the 21st Century Cures Act?
Organizations can comply with the Cures Act by making it easy and inexpensive for patients to request their data. The Cures Act requires practices to allow patients to access their health information from EHRs using an app of their choice, to implement policies that prohibit information blocking, and to define how the information blocking exceptions apply to the practice. It also directs HHS to establish appropriate disincentives for health care providers found to have committed information blocking, including failing to provide access to a patient's data when requested.
If an EMR cannot share the requested electronic health information (EHI) with a patient, the health care provider, not the EMR vendor, remains the party that could be subject to these disincentives, which may include consequences for MIPS attestation.
Q What is "Information Blocking"?
Information blocking is defined by the ONC as "a practice that is likely to interfere with access, exchange, or use of EHI, unless the practice is covered by an exception or is otherwise required by law. The standard for information blocking for developers, networks, or exchanges is if they know, or should know, that such practice is likely to interfere with access, exchange, or use of EHI. For health care providers to engage in practices considered information blocking, the provider would need to know that such practice is unreasonable and is likely to interfere with access, exchange, or use of EHI." Any claim or report of alleged information blocking is evaluated case by case on the specific circumstances of the situation.
Q What is the Preventing Harm Exception?
An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to prevent harm to a patient or another person is not considered information blocking when the exception's conditions, including the "reasonable belief" and "practice breadth" conditions, are met.