Frequently Asked Questions 

November 2021

Q What are the seven elements of an effective compliance program?
A

1) Written Policies and Procedures
2) Designation of a Compliance Officer and a Compliance Committee
3) Training and education
4) Auditing and monitoring
5) Open lines of communication
6) Response to detected problems and correction
7) Enforcement of disciplinary standards

Q How do you know what is expected of you?
A

Standards of Conduct (or a Code of Conduct) state the organization's compliance expectations along with its operational principles and values.

Q Is Corporate Compliance Training only required if the organization is contracted with Medicare?
A

No. As part of participation in any federal payment program, such as Tricare or Medicaid, a provider is required to have an effective corporate compliance program, and corporate compliance training is part of an effective program. Additionally, many payors contract with CMS in one way or another and, as part of that relationship, require all of their contracted providers to maintain a corporate compliance program, regardless of whether the provider contracts with a federal payment program directly. Clients who believe they do not need a corporate compliance program should check their payor contracts to see exactly what is required of them and whether a corporate compliance program with training is a condition of those contracts. The only time a corporate compliance program is certain not to be required is when the provider accepts only cash-paying patients.

Q Are there compliance policies and procedures that should be in place if an employee is allowed to work remotely from home?
A

Healthcare providers are required to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI and ePHI. They may allow employees to work from home as long as they have conducted a risk analysis and implemented appropriate safeguards to ensure the privacy and security of the ePHI that will be accessed and transmitted remotely. Employees who work from home must comply with the same security protocols as employees who work onsite within the facility, and they still need to complete training on the organization's HIPAA Privacy and HIPAA Security policies and procedures.

October 2021

Q Is a Disaster Recovery Plan (DRP) a HIPAA requirement, and what is it?
A

Yes. HIPAA regulations require every organization to develop and maintain a current DRP. A DRP is a detailed description of how your organization is prepared to deal with potential disasters. It should be built on the results of your analysis of business processes and describe how continuity will be maintained. Disaster prevention is also an essential part of a DRP: while many potential disasters are unavoidable, planning for prevention can lessen the impact on your business processes.

Q Why must I test my DRP?
A

Once you have developed your DRP, it is essential to determine whether it actually works. Properly testing your DRP helps you avoid unnecessary surprises and lets you make any changes that turn out to be needed. Testing also ensures employees know what to do and can carry out their responsibilities during a disaster. Your DRP must be tested periodically because disasters can happen at any time, and no two situations are the same.

Q What should a DRP include?
A

Creating a DRP is a unique and precise process for every organization. Each plan will be specific to the organization, with different key business processes to prepare for and different areas of significant impact.

However, the primary goals of a DRP are to:

  • Minimize interruptions to crucial business processes.
  • Limit the extent of disruption and damage.
  • Minimize the financial impact of the interruption.
  • Establish alternate ways to continue operating in advance.
  • Train all staff on emergency procedures.
  • Provide for efficient and prompt restoration of service.

Each organization will need to determine which business processes are most likely to be significantly impacted by an unforeseen event or possible disaster and determine the steps and time it would take to restore those processes.

Q Do I still need a DRP if we save everything on "the cloud"?
A

More than ever, organizations are using external environments to store their ePHI (often referred to as "the cloud"). While there are benefits to cloud storage, a DRP is still necessary to maintain your HIPAA compliance. In a cloud setting, disaster recovery planning should include procedures for access to ePHI and for replacement of hardware and software, and it should specify the approval process for the use of virtual machines. It should also describe how crucial business practices will be maintained if your data is unavailable for a period of time. During a disaster, bandwidth limits, loss of internet access, power loss, and similar problems can make it difficult to reach your data even in a cloud environment. It is important to become familiar with the specific protocols of your cloud storage or EMR vendor. Ask your vendor to provide information on their DRP protocols, including frequency of backups, encryption levels, redundancies, and testing schedules. With these protocols in hand, you can design a DRP that meets both HIPAA requirements and your organization's specific needs.

September 2021

Q What is an SRA, why are they needed, and how often should they be completed?
A

A Security Risk Analysis (SRA) is "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the organization. This includes all e-PHI that an organization creates, receives, maintains, or transmits. All forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media," are also subject to the assessment. Because risk analysis procedures are unique to each organization, the resources and time required to perform one may vary. HIPAA requires that SRAs be performed "periodically"; however, HCP recommends performing one at least annually. The findings of an SRA form the foundation on which every organization should create and institute applicable safeguards. A successful SRA will help you identify gaps in your safeguards and the action items needed to reduce risk to your organization.

Q Will the ETS be an annual training?
A

Although the standard currently does not set a fixed schedule for periodic training, it most likely will become a permanent standard in some shape or form and would then be subject to the same annual training requirements that OSHA has for all its other standards. Currently, the ETS (paragraph (n)(2)) requires additional or repeated training when:

1) There are changes that affect the employee's risk of contracting COVID-19 at work;
2) Policies or procedures are changed; or
3) There is an indication that the employee has not retained the necessary understanding or skill. For example, if an employer observes an employee engaging in activities that contradict knowledge gained through training, it is a sign to the employer that the employee may require a reminder or periodic retraining on work practices.

Q Why should a healthcare practice complete an annual SRA?
A

Performing an SRA is one of the most important steps a healthcare practice can take to assess its HIPAA compliance on an annual basis. Yet, for many practices, an SRA is just a box to check. Healthcare Compliance Pros recommends that all of our clients complete an initial SRA with us. From there, the SRA should be updated as needed to ensure all threats and risks to the organization have been considered, and subsequent reviews should be completed at least annually thereafter. We understand that a HIPAA-compliant SRA may be a healthcare organization's best defense in the event of an OCR investigation.

Q If I don't have an EHR, do I have to conduct an SRA?
A

Yes. An accurate and thorough SRA includes ALL ePHI that is created, received, maintained, or transmitted. This includes billing systems, cloud storage, email applications, copy and fax machines, personal devices such as smartphones, laptops, and tablets, and any other electronic media involving ePHI. So, even if a healthcare organization doesn't use an EHR, ePHI is most likely stored in other locations, meaning an SRA should still be conducted.

Q What is best practice and how often should vulnerability scans and penetration tests be run?
A

HIPAA does not require vulnerability scans or penetration testing to be performed on a specific timeline. Frequency should be based on the specific needs of the covered entity or business associate. If your organization wants to maintain a high level of security, vulnerability scanning needs to be part of your information security program. Vulnerability scans should be conducted after any major system, organizational, or infrastructure change so that you are aware of any new security gaps. Overall, an industry best practice is to perform vulnerability scanning at least once per quarter. Quarterly scans tend to catch the major security holes that need to be assessed, but depending on your organizational needs, you may end up scanning monthly or even weekly. The best way to determine scanning frequency is to thoroughly understand your own security structure and the threats you face.


August 2021

Q How does OSHA's Emergency Temporary Standard (ETS) apply to a clinic where healthcare services are performed on an outpatient basis?
A

The OSHA COVID-19 ETS does not apply to non-hospital healthcare settings providing ambulatory care as long as all non-employees are screened before entering and those with COVID-19 symptoms are not permitted to enter the facility. Since ambulatory care refers to healthcare services performed on an outpatient basis, clinics providing care in private practice would not have to comply with the ETS as long as they meet the screening requirements. If you are hospital-based in a well-defined area, you would not be covered if all employees are vaccinated and you meet the screening requirements.

However, if you are seeing patients who are COVID-19 positive or are not screening non-employees, then the ETS would apply to you. The ETS carries several requirements, including developing a COVID-19 Plan, designating COVID-19 Safety coordinator(s) who are knowledgeable about infection control, and providing training to employees on the plan, to name a few.

If you are not covered, OSHA has said that healthcare facilities still need to follow the CDC's guidelines for managing healthcare facilities during this time, and must have a COVID-19 plan showing that you have evaluated the risks to your employees and provided the necessary safeguards.

Q Are employers who aren't covered by the ETS still required to develop a COVID-19 plan?
A

Based on OSHA's guidance, employers must keep employees safe from harm under the General Duty Clause even when not covered by the ETS. HCP recommends that clients conduct a COVID-19 hazard assessment and review their current COVID-19 plan, or develop one if none exists, to ensure the identified hazards are addressed. Once the plan is developed, employees should receive training on it so they understand the risk COVID-19 poses to them and the policies and procedures in place to mitigate that risk. OSHA states this training should include:

  • Basic facts about COVID-19, including how it is spread and the importance of physical distancing (including remote work), ventilation, vaccination, use of face coverings, and hand hygiene.
  • Workplace policies and procedures implemented to protect workers from COVID-19 hazards.

HCP also recommends additional training when policies change, an employee's job duties change, and at least annually, much like any other training provided to comply with OSHA's requirements and recommendations.


Q What are the screening requirements under the ETS?
A

Screening requirements can be customized based on the facility's design and size. However, OSHA notes that asking questions about COVID-19 and illness is the minimum requirement for screening. OSHA also states that screening can include questions about wearing face coverings as recommended by the CDC and about individuals' recent exposures to COVID-19. Finally, the examples OSHA gives of screening methods include screening at the clinic entrance before allowing patients in, or over the phone prior to their arrival for their appointment.

Q What are the Effective Dates of the Emergency Temporary Standard?
A

Employers must comply with all requirements of the ETS, apart from the requirements relating to ventilation, barriers, and training, by July 6, 2021. Employers must comply with the remaining requirements by July 21, 2021. This means that employers should by now have reviewed the standard and applied its requirements to their workplace, if applicable.

July 2021

Q What kinds of eyewash stations meet OSHA standards?
A

Based on OSHA and ANSI standards, we believe that any chemical used to clean or sanitize that can cause injury (such as eye irritation) or is corrosive should be labeled as hazardous. If an employee may be exposed to such chemicals, the employer is required to provide and maintain a plumbed, permanent eyewash station or a self-contained, gravity-fed portable eyewash station.

If an employer determines an eyewash station is needed, then it must meet the standards in ANSI Z358.1-2014; OSHA often refers to ANSI for the most recent consensus standard. Those standards include a flow rate of at least 0.4 GPM for 15 minutes, a valve mechanism that does not have to be held open, a supply of suitable flushing fluid, a location 10 seconds or less from possible contaminants, and a flow meter and test gauge for weekly testing. If a self-contained system does not meet these standards, it cannot be the only eyewash station available.

Q What are the mask requirements for vaccinated employees who work for an employer who is not covered by OSHA's ETS?
A

OSHA's Emergency Temporary Standard (ETS) doesn't apply to an employer in "non-hospital ambulatory care settings where all non-employees are screened prior to entry and people with suspected or confirmed COVID-19 are not permitted to enter those settings" (1910.502(a)(2)(iii)). However, the ETS does encourage employers to "follow public health guidance from the Centers for Disease Control and Prevention (CDC) even when not required" by the ETS. https://www.osha.gov/laws-regs/regulations/standardnumber/1910/1910.502

Also, OSHA states in "Protecting Workers: Guidance on Mitigating and Preventing the Spread of COVID-19 in the Workplace" that "where the ETS does not apply, employers are required under the General Duty Clause, Section 5(a)(1) of the OSH Act, to provide a safe and healthful workplace free from recognized hazards that are causing or likely to cause death or serious physical harm." This means that employers still must have some sort of COVID-19 plan in place to prevent injury or illness to their employees, even if they don't have to comply with the ETS itself. https://www.osha.gov/coronavirus/safework

The CDC's "Updated Healthcare Infection Prevention and Control Recommendations in Response to COVID-19 Vaccination" information for Healthcare Personnel states, "In general, fully vaccinated HCP should continue to wear source control while at work. However, fully vaccinated HCP could dine and socialize together in break rooms and conduct in-person meetings without source control or physical distancing. If unvaccinated HCP are present, everyone should wear source control and unvaccinated HCP should physically distance from others." https://www.cdc.gov/coronavirus/2019-ncov/hcp/infection-control-after-vaccination.html

In our opinion, this means that OSHA is referring healthcare facilities to the CDC's recommendations when the ETS does not apply to them. Since the CDC says that vaccinated HCP should continue to wear masks in most situations, we believe that healthcare facilities not covered by the ETS still need to follow the CDC's guidance and have all employees wear masks unless they are alone or with only other vaccinated employees.

Q Do vaccinated healthcare personnel employees have to wear masks while at work? What are the OSHA penalties for non-compliance?
A

Based on the OSHA and CDC references cited in the previous answer, it is our opinion that OSHA is referring HCP to the CDC's recommendations when the ETS does not apply to them. Since the CDC says that vaccinated HCP should wear masks in most situations, we believe that if the ETS does not apply to you, you still need to follow the CDC's guidance and have all employees wear masks unless they are alone or with only other vaccinated employees.

Also, failure to follow OSHA standards can be punished civilly with fines of up to $134,937 per violation. The penalties are as follows:

Penalties for Civil OSHA Violations:

Serious

  • Penalty range - From $964 to $13,494 per violation

Other-Than-Serious

  • Penalty range - From $0 to $13,494 per violation

Willful or Repeated

  • Penalty range - From $9,639 to $134,937 per violation

Posting Requirements

  • Penalty range - From $0 to $13,494 per violation

Failure to Abate

  • Penalty range - $13,494 per day unabated beyond the abatement date [generally limited to 30 days maximum]


Q The ETS requires me to conduct a hazard assessment of my workplace. What does that entail?
A

The hazard assessment process is intended to help employers identify and understand where COVID-19 hazards potentially exist and what controls must be implemented in their workplace in order to minimize the risk of transmission of COVID-19. As part of the hazard assessment, employers must inspect the entire workplace to find existing and potential risks of employee exposure to COVID-19.

Employers have flexibility to determine the best approach to the overall hazard assessment. However, the assessment must include an evaluation of employees' potential exposure to all people present at the workplace, including patients, coworkers, employees of other entities, members of the public, clients, independent contractors, visitors, and other non-employees. Places and times where people may congregate or come into contact with one another must be identified and addressed, regardless of whether employees are performing an assigned work task at the time. Employers must also consider how employees and other persons enter, leave, and travel through the workplace, in addition to addressing the potential COVID-19 hazards employees are exposed to at fixed work locations. While conducting the hazard assessment, employers must assess each employee's potential COVID-19 exposure, but may do so at a general level rather than individually.

When conducting hazard assessments, employers should document the following information to assist them in developing and implementing their COVID-19 plans:

  • Specific hazards or risk factors identified
  • A plan to abate the identified hazards or risk factors in a timely manner
  • Date(s) the assessment was performed
  • The names and titles of the individuals who participated in the evaluation and contributed to the written plan
  • A description of the actions to be taken
  • Actions planned to address and prioritize mitigation of identified hazards or risk factors
  • Identification of high-risk area(s), tasks, and occupations
  • Communication of the status of planned or completed actions to employees who may be affected by the identified hazards or risk factors
  • The dates by which planned actions are to be completed
  • Written documentation of completed actions including:
    • What method(s) of control was/were decided upon
    • Area(s) where control(s) was/were implemented
    • Specific date(s) of completion
    • The names and titles of the individuals who authorized and managed implementation of control.

If an employer identifies a COVID-19-related exposure hazard during the hazard assessment, the employer must implement controls to eliminate or mitigate the hazard, such as physical distancing, physical barriers where appropriate, PPE where distancing is infeasible, and cleaning and disinfection protocols. These hazard controls must be consistent with the relevant requirements of the ETS, and the employer must develop a reasonable plan to abate the identified COVID-19 hazards.


June 2021

Q Can you make it mandatory for your employees to have the COVID vaccination as part of the requirement for employment?
A

Federal EEO laws do not prevent an employer from requiring all employees who physically enter a workplace to be vaccinated. However, Title VII and the ADA require employers to provide reasonable accommodations for employees who, because of a disability or a sincerely held religious belief, practice, or observance, do not get vaccinated against COVID-19, unless providing the accommodation would pose an undue hardship.

Examples of accommodations include the use of a face mask, physical location changes or distancing from coworkers, working a modified shift, periodic testing for COVID-19, and telehealth opportunities.


Q What is the purpose of a compliance committee? Does this requirement apply to smaller healthcare organizations?
A

Based on the guidance provided by the OIG, we recommend that a corporate compliance committee meet quarterly to review the results of coding audits, the lists of excluded individuals and entities, the complaints that have been submitted, the results of investigations, and the corrective action taken. This is also a good time to discuss any changes to compliance policies and procedures that may be needed.

When an organization is small, such as yours, the compliance committee can be comprised of the compliance officer, the doctor/owner, and/or the HR officer. If the organization has only a compliance officer, then the compliance officer should meet with the doctor/owner to discuss compliance at least quarterly. If that is not possible, the compliance officer or department manager can go through a compliance meeting checklist every quarter and record what is going on and what needs improvement. Regardless of the size of your organization, you still need to review your compliance program regularly and make changes or updates as needed.


Q Is an employer permitted to ask employees about their COVID-19 vaccination status?
A

An employer is permitted to ask whether an employee has obtained a COVID-19 vaccination, and may also request documentation showing that the employee did so. If an employer requires such documentation, the employer may want to warn employees not to include any other medical information as part of the proof, to avoid implicating the ADA. Any documentation or other confirmation that an employee provides as proof of vaccination status must be protected like any other employee medical information and kept confidential; it may not be released to anyone else without the employee's consent.


Q What will happen if a covered entity uses an EMR that is not certified after April 5, 2021?
A

If a provider does not provide access to a patient's data when requested, the provider will be subject to appropriate disincentives as a penalty for information blocking, as stated in the 21st Century Cures Act. If your EMR does not allow the appropriate electronic health information (EHI) to be shared with a patient who has requested it, you could be subject to these disincentives, including being unable to attest to MIPS.

However, a content and manner exception currently exists for requests made before October 2022. If your EMR does not have the technical ability to fulfill patient access requests as stated in the Act, you can negotiate with the patient to provide the information in another manner. When doing so, you would be required to provide the same data as the adopted USCDI standard, using technology certified to that standard. If that is not possible, you can provide the data in an alternative machine-readable format, together with the software needed to interpret it.

If your EMR vendor has stated that they are actively working on the necessary changes, you should be able to meet the interoperability requirements once April arrives. However, we recommend being prepared to provide an alternate format to patients who make these requests, so that you can rely on the content and manner exception if needed until your EMR vendor publishes the necessary updates.


May 2021

Q If fraudulent behavior is reported through the compliance hotline, does it need to be reported to a government agency?
A

The purpose of a compliance hotline is to provide an anonymous way for individuals to report suspected fraudulent behavior. When a report comes in, it is just that: a report, which the organization must investigate. If it is found to be true, the organization should then determine the next steps for dealing with the fraudulent behavior, which could include self-reporting and potentially paying back claims. This decision is typically made by the organization with the guidance of legal counsel.

Q Is Corporate Compliance training only required if the organization is contracted with Medicare?
A

No. As part of participation in any federal payment program, such as Tricare or Medicaid, a provider is required to have an effective corporate compliance program, and corporate compliance training is part of an effective program. Additionally, many payors are contractually obligated to ensure that all of their FDRs (first-tier, downstream, and related entities) maintain a corporate compliance program. Healthcare providers are considered FDRs and would therefore be required by their payor contracts to have a compliance program that includes training.

Clients who believe they do not need a corporate compliance program should check their payor contracts to see exactly what is required of them and whether a corporate compliance program with training is a condition of those contracts. The only time a corporate compliance program is certain not to be required is when the provider accepts only cash-paying patients.

Q Does the corporate assessment need to be filled out for each physical location if there are different tax IDs, or just for the main office?
A

It is not necessary for each physical location to complete the assessment. However, if each location bills under a different Tax ID number, then each of those organizations would need its own compliance program, and completing our assessment would be part of that process. Because these situations are so unique, clients should reach out to their support team for additional guidance.

Q Is the hotline only for FW&A or can clients use it as they choose?
A

The hotline is not used exclusively for fraud, waste, and abuse (FW&A) reports. It can also be used to report harassment, discrimination, HIPAA violations, and similar concerns. Clients may use the hotline however they choose.

Q Does a compliance committee meeting need to include a certain number of people, and do they need to be the same assigned people each time?
A

We recommend that the compliance committee include anyone who has oversight of compliance issues: HIPAA, OSHA, contracting, billing/coding, etc. This will include the compliance officer(s) and can include other managers and administrators. If not already covered by the managers included, the committee should also have representatives from the organization's various departments so that the needs and perspectives of those departments are represented. Additional members can be added temporarily as the focus of compliance activities changes (e.g., an audit or other special project), but the core members should remain the same.