Tips & FAQs 

You have questions. We have answers. 

January 2023

Q What are the differences between personal and professional use on social media platforms?
A

Personal use of social media is often referred to as social media use on an account registered to an individual who is not used for business purposes. Professional use is generally using social media for approved business purposes on behalf of an account registered to an organization, practice, or provider.

Q Can organizations respond directly to patients who post comments or questions on social media?
A

When posting a response to a question, use limited information and suggest another communication method. If a patient asks you a question on a social media platform that could potentially lead to a disclosure of PHI, it would be best to suggest the patient contact you using another form, a more private form of communication. It is important to limit unnecessary or inappropriate access to and disclosure of PHI. Avoid accessing or discussing PHI that is not essential to the task at hand.

When posting on your personal social media account, if it is something you don't want the public to know or access, it is also a good idea to communicate with a private form of communication. This includes when sharing information in "private" groups.

Q What are the risks involved with making social media posts?
A

Whether you are posting on your own or a professional account, it is important to understand the potential risks.

Some risks include:

  • Anything that is posted has a risk of receiving negative feedback from the public that could hurt the success of the business and its reputation.
  • The accidental sharing of PHI, proprietary information, or other content that could be used by those with malicious intent from the post.
  • Having a difficult time managing and/or responding to posts and comments from users. Organizations need to train employees on how to respond to negative or inaccurate statements made on their posts.

Q If your organization has a social media account for professional use, what should be included in a social media policy for employees?
A

You may have language in place in a social media policy that states if personal use of social media is or is not permitted during business hours. Your policy may also explain the professional help of social media on behalf of the organization, practice, or provider. In other words, who should post, who should update, what should be published, etc. We have a Social Media template available for customization for your organization. Ask your support team for access.

Q Can healthcare organizations post pictures?
A

Never post any photos involving patients without authorization! Even then, be extremely cautious and always have written authorization. When pictures or patient information are used for purposes other than Treatment, Payment, and Operations (TPO), a valid HIPAA authorization must be obtained from the patient or the patient's legally authorized representative. This includes when posting on social media. When in doubt, check with your compliance officer before posting anything that could be considered PHI.

Frequently Asked Questions 

Q Q: How often do compliance regulations change?
A
As you may well know, it seems that the government is ever changing, updating, and creating new laws on a regular basis. Because of this, HCP keeps its clients notified on a weekly basis regarding any new regulations, guidance, or other important information that comes from the federal government or any of its agencies. Where mandated, this information is also automatically incorporated into clients’ programs immediately.
Q Q: Why do I need a compliance program?
A
Pursuant to government regulations, healthcare organizations and their business associates, must have a custom compliance program with HIPAA, OSHA, and Corporate policies and procedures written specifically for their group and then train their employees on these policies.
Q Q: Does your program include support?
A
Yes. When you sign up for our core compliance program, you are assigned a specialist who is available via phone and email year round. Our support includes both technical and compliance support.
Q Q: Is your system complicated and difficult?
A
No. Our patented software is easy-to-use, straight forward, and only continues to improve. From the moment you sign up with our services, you are assigned a specialist who guides you through the process. You may also reach out to your specialist with any technical or compliance questions at any time.
Q Q: Do you offer a preview of your services?
A
Yes. We offer a free consultation and review of your current circumstances and show how our program can help fill in the gaps or create a complete compliance program. Request a free consultation by emailing [email protected]
Q Q: We are a small group; can we afford a custom compliance program?
A
While it is true that we have large institutions utilizing our services, our pricing is scaled based on the number of users added to your account. This allows small groups to have access to the same program and level of support as large health care organizations.
Q Q: How do you sign up for your services?
A
Prior to signing up, you work with and are assigned an account manager who is responsible for your billing and will activate your account with either a credit card or checking information.
Q Q: Do you require long-term contracts?
A
No. We pride ourselves on our product and service, and do not require any contracts with our clients. Our services are subscription-based and service may be discontinued with 30 days written (email) notice.
Q Q: How long does your program take to get setup?
A
The setup process is not that time consuming. Based upon the size of your practice, we can have your program developed and training reminders going out to your staff in less than a week. When you sign up, your HCP specialist works around your calendar and needs to ensure a successful launch of your compliance program.
Q Q: Do you include a security risk analysis (SRA)?
A
Yes. We provide a comprehensive SRA based on the NIST (National Institute of Standards and Technology) guide. We also offer an annual review, action plan, and SRA support to help assist clients with addressing any gaps in their program.
Q Q: Do you provide Global Harmonization transitioning and training?
A
Yes. With the adoption of the Globally Harmonized System, we now offer services for clients that helps train their staff on the new changes and assists them in transitioning their Material Safety Data Sheets (MSDS’) over to the new mandated Safety Data sheets (SDS’).
Q Q: Do my employees have to be trained each year?
A
Yes. Within the healthcare industry, there are statutes that support the need for annual training on HIPAA, OSHA, and Corporate Fraud, Waste & Abuse regulations.
Q Q: Do you provide Meaningful Use support?
A
Yes. We assist clients who are participating in the Medicare and Medicaid EHR Incentive Programs. You can include Meaningful Use services to your program.
Q Q: What if I get audited?
A
Whether a client is going through a Meaningful User audit, RAC audit, OSHA Inspection, or other healthcare audit, HCP provides audit support services and can help clients through audits.
Q Q: Do you come onsite?
A
To keep the costs down, we generally like to work with our clients remotely through phone, email, and online conferencing, but we are available to come onsite to perform setups or mock audits if needed.

December 2022

Q What if we are a non-medical facility? Does HCP offer a compliance program that suits us?
A

Yes! HCP offers a program tailored for Non-Medical Facilities. We help you maintain compliance with the following areas: OSHA, Human Resources, and Learning Management System. Working with HCP means you no longer have to wonder if you comply with your industry requirements.

Q We are Business Associates. How can HCP help support us in our compliance journey?
A

HCP offers a Healthcare Business Associate Package. That package helps you maintain compliance as it applies to HIPAA, Corporate, Human Resources, and Learning Management Systems, with an optional Compliance Risk Analyzer.

Q With so many compliance programs out there, what sets HCP apart from its competitors?
A

With HCP, you get a custom program tailored to meet your needs and have access to a dedicated support team that is there to work with you every step of the way. With our support team, you have a personally dedicated group to your facility. They are consistently monitoring your program and reaching out to you with quarterly updates to keep you informed on how you are doing and assist you with any areas that need improvement. You also have the ability to meet with your support team and discuss any questions or concerns that may arise. You will have their direct phone numbers and email addresses. So please, reach out to them and you will truly see the value of HCPs Compliance Services, and why our Support Team is one of our best features!

Q How is our Employee Handbook incorporated into HCP online training?
A

Healthcare Compliance Pros provides your organization with HIPAA Privacy, HIPAA Security, Corporate Compliance, OSHA, and Human Resources policies and procedures. While these policies and procedures are a blanket set, meaning these policies and procedures ensure your organization follows Federal requirements; taking some time to add language specific to your organization is an important step. (The first step of our program is completing the Organization Questionnaire - we take your answers and incorporated them into the compliance training.)

Q How does HCP help us stay compliant?
A

Being Compliant is a process that does not need to be completed all at once and doesn't need to be complicated. Rather, it is an ongoing process that we will be working with you to complete. For example, when you submit a Security Risk Analysis (SRA), a big part of that process is discussing HIPAA Security Policies and Procedures - addressable and required. Most of the policies that are discussed in your SRA, in addition to HIPAA Privacy policies and procedures, are included in our training modules.

Q How often Does HCP update their training information?
A

Whether HIPAA, OSHA, Corporate Compliance, and/or Human Resources, the policies and procedures are always reviewed and updated, as necessary. These policies and procedures are always available wherever you have internet access, can be printed out as necessary, and provide a good way for your employees to complete their training.

Q What are the seven elements from The Office of Inspector General (OIG) for an effective compliance program, and how can Healthcare Compliance Pros (HCP) help me?
A

  1. Implementing written policies, procedures, and standards of conduct: HCP has customized training modules, policies, and procedures for your organization. We also have a huge library of sample policies, procedures, and forms.
  2. Designating a compliance officer and compliance committee: Once you have designated a compliance committee, HCP can help store your compliance committee meeting minutes.
  3. Conducting effective training and education. - HCP has many training modules from Compliance, Code of Conduct, HIPAA, OSHA, HR, and many more, all of which are customizable for your organization.
  4. Developing effective lines of communication. - HCP can also help your organization establish an anonymous hotline.
  5. Conducting internal monitoring and auditing. - HCP is here to help check your employees and vendors monthly against the OIG Exclusion List and the SAMs List. We can even help run background checks. We also have a HIPAA incident reporting log that can help you determine if it is reportable or not reportable and provide steps in the mitigation process. We also offer a billing and coding audit service through our Compliance Risk Analyzer (CRA).
  6. Enforcing standards through well-publicized disciplinary guidelines. - HCP can help you develop a disciplinary policy, for we offer many sample templates of policies and procedures.
  7. Responding promptly to detected offenses and undertaking corrective action. - HCP has several ways to help you track and log compliance and HIPAA issues, along with forms to help you through the process of logging and responding and putting a corrective action plan in place. Plus, we also offer an anonymous hotline for your employees to report compliance issues.

November 2022

Q What are the seven elements of an effective compliance program?
A

1) Written Policies and Procedures
2) Designation of a Compliance Officer and a Compliance Committee
3) Training and education
4) Auditing and monitoring
5) Open lines of communication
6) Response to detected problems and correction
7) Enforcement of disciplinary standards

Q How do you know what is expected of you?
A

Standards of Conduct (or Code of Conduct) state the organization's compliance expectations and their operational principles and values.

Q Is Corporate Compliance Training only required if the organization is contracted with Medicare?
A

No. As part of participation in any federal payment program, like Tricare or Medicaid, a provider is required to have an effective corporate compliance program. Part of an effective program includes corporate compliance training. Additionally, many payors contract with CMS in some way or another and as a part of that, require all contracted providers to maintain a corporate compliance program as part of their contract, regardless of if the provider contracts with a federal payment program or not. It's a good idea for our clients who think they don't have to have a corporate compliance program in place to check their payor contracts to see exactly what is required of them and if a corporate compliance program with training is a requirement of their payors. The only time that a corporate compliance program is certain to not be required is if the provider only accepts cash-paying patients.

Q Are there compliance policies and procedures that should be in place if an employee is allowed to work remotely from home?
A

Healthcare providers are required to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI and ePHI. They may allow employees to work from home as long as they have conducted a risk analysis and implemented appropriate safeguards to ensure the privacy and security of ePHI that will be accessed and transmitted remotely. Employees who work from home must comply with the same security protocols as employees who work onsite within the facility. They also still need to complete training on the organization's HIPAA Privacy and HIPAA Security policies and procedures.

October 2022

Q Are there penalties for not training employees on Fraud, Waste, and Abuse (FWA) laws?
A

Yes. Laws and regulations exist that prohibit FWA. CMS and the OIG have stated that organizations must create and implement effective training and education on these laws and have policies and procedures in place to maintain compliance. Penalties for violating these laws may include but are not limited to civil monetary penalties, civil prosecution, criminal conviction, fines, exclusion from all federal healthcare program participation, imprisonment, and loss of professional license.

Q False Claims. What are the consequences of violating the False Claims Act? 
A

Knowingly submitting false or fraudulent claims to Medicare and Medicaid is illegal. You may receive fines of up to 3x the program's loss plus $11,000.00 per claim filed for filing false or misleading claims.

Q What penalties can you face for violating any of the laws or regulations of fraud, waste, and abuse?
A

Penalties for violating these laws may include but are not limited to Civil Monetary Penalties, Civil prosecution, Criminal conviction/fines, Exclusion from participation in ALL Federal Healthcare programs, Imprisonment, and even Loss of provider license.

Q What sets Fraud apart from Waste and Abuse? And what are the consequences of Fraud? 
A

Fraud requires the person to have the intent to obtain payment and know that their actions are wrong. Waste and Abuse may involve obtaining an improper payment but do not require the same intent and knowledge. Fraud, being the more severe of the 3, has a devastating impact on not only the practice but the victims. Criminal penalties for submitting fraudulent claims include imprisonment and criminal fines. No one is safe from these repercussions. Even physicians have gone to prison for submitting false claims.

Q How serious is information blocking? 
A

What are the penalties for blocking information? The 21st Century Cures Act empowers the HHS Office of Inspector General (OIG) to issue civil monetary penalties of up to $1 Million against software developers, networks, or exchanges that interfere with the proper exchange of ePHI. To put it simply, blocking health information is illegal.

Q How has the pandemic made fraud prevention more difficult? 
A

Due to the increase in Remote working, this new work environment has made it more difficult to prevent fraud within organizations. With the new hurdles, a rise in security and fraud risk has become the new challenge. What is the main reason for this rise in fraud? More than a third of organizations are claiming to not have suitable fraud prevention and response plans established and in place.

Q What are the most common types of fraud the governments are seeing this year? 
A

Kickback Schemes, Medically Unnecessary Services, Failure to properly charge Medicare/Medicaid patients for prescriptions, Allowing Nurses and Staff to Perform Examinations (essentially any staff members performing outside of their job duties/knowledge/training), and Upcoding.

Q What is the importance of completing compliance training? 
A

When considering the requirement of providing a security awareness and training program, there are many real-life examples from which to learn. For example, recently, an Office for Civil Rights (OCR) investigation of an entity found long-standing non-compliance with HIPAA Rules, including failures to conduct a security risk analysis, provide a training program on security awareness, and implement HIPAA Security Rule policies and procedures. As a result of this investigation, the entity agreed to pay the Office for Civil Rights (OCR) $65,000 and adopt a corrective action plan to settle these violations of the HIPAA Security Rule.

Q Why is it essential to run my physicians, employees, and vendors through the OIG and SAM Exclusion List? 
A

The Office of Inspector General was established to identify and eliminate fraud, waste, and Abuse in the U.S. Department of Health and Human Services. The Secretary gave authority to the OIG to exclude from participation in Medicare, Medicaid, and other Federal healthcare programs individuals that have engaged in fraud or Abuse, in which they may impose civil money penalties (CMPs) for misconduct related to Federal healthcare programs. Here is a recent example of CMPs set on an eye care provider. This provider had to pay civil monetary penalties of $17,562.24 for employing an individual excluded from participation in the Federal health care programs.

September 2022

Q With COVID-19 transmission predicted to go up this fall, what can employers do to be prepared to operate during high-transmission time periods?
A

Healthcare organizations should follow the CDC's and OSHA's recommendations to prepare for pandemic outbreaks of varying severity levels. Additionally, the CDC recommends encouraging everyday preventative actions for employees such as staying home when you are sick, covering your coughs and sneezes with tissues, washing your hands with soap and water for at least 20 seconds as often as you can, using at least 60% alcohol-based sanitizer if soap and water are not available, and cleaning frequently touched surfaces and objects.

Beyond that, nonpharmaceutical interventions (NPIs) have been recommended by public health officials to prevent the spread of communicable diseases. These additional actions include allowing staff members to telework, flexibility in allowing staff to stay home if they or someone in their house is sick, increasing space between staff at work as much as possible, but at least 3 feet, decreasing the frequency of contact among staff members, thinking about postponing or canceling work events and canceling or postponing non-essential work travel.

Finally, because this is an evolving situation and the CDC is providing new guidance on a regular basis, we recommend keeping up with the news of the COVID-19 outbreak, following the instructions of public health officials, updating any policies to keep in line with new recommendations as they may be announced, and providing accurate and consistent information to employees reflecting the guidelines of OSHA, the CDC, and other governmental agencies that may be providing them.

Q What are the PPE requirements for administrative and clinical employees concerning COVID-19 exposure, including those clinical employees who perform aerosol-generating procedures (AGP)?
A

OSHA's guidance refers to the CDC's infection control guidance. Additionally, a healthcare facility must conduct a risk assessment and determine which employees are at risk, what the risk is, and what PPE would be appropriate to provide. Regardless of the risk, standard precautions should be followed. Transmission-based precautions should be implemented when in contact with a suspected COVID-19 patient.

The CDC states that healthcare providers should implement universal use of personal protective equipment for healthcare providers. In areas of substantial or high transmission, all employees should be provided additional PPE based on their job responsibilities.

Q What portions of the OSHA COVID-19 Healthcare ETS are still in effect?
A
The non-record-keeping portions of the COVID-19 Healthcare ETS have been withdrawn by OSHA and are not in effect anymore. However, OSHA states that employers must continue to protect employees from COVID-19 and that they will "vigorously enforce the general duty clause" and other standards such as the PPE and Respiratory Protection Standards to "help protect healthcare employees from the hazard of COVID-19." OSHA also states that continued adherence to the ETS is the simplest way for employers to ensure the continued protection of their employees in healthcare settings and comply with OSHA obligations.
Q Should an employer include an employee's name on a sharps injury log?
A

A sharps injury log is intended to track injuries and the departments, devices, or procedures that are causing them. It's not meant to track injured employees. As such, the sharps injury log does not need to include the employee's name. In fact, OSHA states that including the employee's name jeopardizes their confidentiality. If an employer chooses to keep employee names on their log, they have to remove them if asked to share the report with anyone to keep the employee information on the log confidential. However, the bloodborne exposure incident report completed after an exposure incident should include the employee's information, the situation leading to the incident, etc., and be kept in their employee medical records.

Q What should clients consider when designating an infection control safety coordinator?
A

The infection control safety coordinator should be someone who is able to understand and identify infectious disease hazards in the workplace and must be knowledgeable in infection control principles and practices as they apply to the workplace and employee job operations. Additionally, the safety coordinator must have the authority to ensure compliance with all aspects of the organization's infectious disease plan so that they can take prompt corrective measures when hazards are identified.

Employers' designated safety coordinators should implement and monitor the infectious disease plan, but the exact responsibilities of a safety coordinator may vary based on the employer and workplace.

Q Do OSHA regulations and standards apply to the home office?
A


The Department of Labor's Occupational Safety and Health Administration (OSHA) does not have any regulations regarding telework in home offices. The agency issued a directive in February 2000 stating that the agency will not conduct inspections of employees' home offices, will not hold employers liable for employees' home offices, and does not expect employers to inspect the home offices of their employees. If OSHA receives a complaint about a home office, the complainant will be advised of OSHA's policy. If an employee makes a specific request, OSHA may informally let employers know of complaints about home office conditions but will not follow up with the employer or employee.

Employers who are required to keep records of work-related injuries and illnesses will continue to be responsible for keeping such records for injuries and illnesses occurring in a home office.

Q Are employers required to have all employees vaccinated against Hepatitis B?
A

No, employers are required to offer the Hepatitis B vaccine when the employee starts work to comply with OSHA's Bloodborne Pathogens Standard 29 CFR 1910.1030. Employees can decline the Hepatitis B vaccine and would need to sign a declination form. HCP has a form called "Certification of Hepatitis B Vaccination and Declination Form" that can be used for documentation.

Q When must employers offer employees the Hepatitis B vaccine?
A

OSHA's Bloodborne Pathogens Standard 29 CFR 1910.1030 states the Hepatitis B vaccine must be offered after training and within ten days of the employee being assigned a job where there is occupational exposure unless the worker has already received the vaccine series previously.

August 2022

Q Do you have cyber liability insurance?
A

With the rising rate of cybercrime in the healthcare industry, we recommend that organizations take extra steps to help protect themselves from the high cost of a cyber-attack. One way to do this is to have cyber liability insurance, which is a type of insurance designed to cover costs associated with expenses related to cyber-attacks. These expenses may include costs associated with notifying patients, business interruption expenses, fees associated with bringing systems back online, and potential fines or penalties associated with the incident.

Q Is penetration testing required for an SRA?
A

While penetration testing is not a named requirement for HIPAA compliance, it is a best practice. The healthcare industry has become a high target for hackers because of the amount of sensitive data that covered entities and their business associates maintain. As such, covered entities and their business associates need to have policies and processes in place in order to safeguard this data. In order to develop policies and processes that will protect PHI appropriately, a CE needs to know where their vulnerabilities are. Penetration testing is one way to achieve this. In fact, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-66, where they recommend implementing penetration testing as part of HIPAA Security to determine potential vulnerabilities and validate that the proper safeguards are in place.

Q What does an ePHI asset inventory need to include?
A

According to the OCR, an asset inventory includes hardware, software, and data assets. Hardware assets are "Physical elements of the organization's networks and systems, including electronic devices and media." Software assets are "Programs or applications that run on the hardware assets, including databases, email and financial record systems, backup solutions, and anti-malware tools." Data assets are "ePHI that is created, received, maintained, or transmitted on the network or with the hardware assets."


The OCR found that providers frequently do not know where all of their ePHI is located, which creates problems for compliance with risk analysis requirements under the HIPAA Security Rule. Understanding where your organization stores ePHI is essential to conducting an accurate and thorough risk analysis as required by HIPAA. This is why the OCR specifically recommends that health care providers and business associates create information technology (IT) Asset Inventories in order to track where electronic health information ePHI is located within their organization.

July 2022

Q What is workplace violence
A

Workplace violence is considered any act or threat of physical violence, harassment, intimidation, or other threatening disruptive behavior that happens in the workplace. It may include threats, verbal abuse, physical assaults, and even homicide. It can affect and involve employees, clients, patients, and visitors.

Q What is workplace harassment?
A

Workplace harassment involves unwelcome and offensive conduct that is based on race, color, national origin, sex (including pregnancy, gender identity, and sexual orientation), religion, disability, age (age 40 or older), or genetic information. Examples of harassment include offensive or derogatory jokes, racial or ethnic slurs, pressure for dates or sexual favors, unwelcome comments about a person's religion or religious garments, or offensive graffiti, cartoons, or pictures. Sexual harassment or unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature. Harassment does not have to be of a sexual nature, however, and can include offensive remarks about a person's sex.

Q When is harassment considered illegal?
A

No, not all workplace harassment is illegal. For workplace harassment to be illegal, the conduct must either be severe or pervasive (frequently occurred). It doesn't have to be both. The laws enforced by EEOC do not prohibit simple teasing, offhand comments, or isolated incidents that are not very serious.

Q How can organizations make their workplace safer for their employees?
A

Employers are required to always maintain a safe work environment for all employees. This includes preventing and addressing unsafe work environments, harassment (including sexual harassment), and workplace violence when it arises. Organizations must have policies and procedures, including information on how to prevent and report incidents, that will support their employees' safety from violence and harassment in the workplace.

June 2022

Q What does the 21st Century Cures Act provide?
A

The purpose of the Cures Act is to provide patients access to their information in a more transparent way. It prohibits information blocking and defines practices considered reasonable activities that wouldn't be considered information blocking.

In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).

Q What changes take place in October 2022?
A

Beginning October 6, 2022, the technical exception for practices regarding their EMRs ends, and all identified electronic PHI will be considered electronic health information (EHI). Patients will have the same rights under the HIPAA Privacy Rule to request a copy of PHI, now known as EHI. ONC also encourages that "Information Blocking Actors respond to requests for access, exchange, or use of EHI with as much EHI as possible in order to promote interoperability and to practice applying the exceptions. In comparison to the far narrower set of data elements, this definition of EHI, inclusive of all electronic PHI in a designated record set, is much more extensive from a coverage standpoint for Information Blocking Actors."

Q How do organizations make sure they are following the rules of the 21st Century Cures Act?
A

Organizations can comply with the Cures Act requirements by making patient data requests easy and inexpensive. The Cures Act requires practices to allow patients to access their health information from EHRs using an app of their choice, implement policies that prohibit information blocking, and define how the information blocking exceptions might apply to the practice. It states that if a provider does not provide access to a patient's data when requested, they will be given appropriate disincentives as a penalty for information blocking, as stated in the 21st Century Cures Act.

If an EMR does not allow for the appropriate electronic health information (EHI) to be shared with a patient when they have requested it, health care providers could be subject to these disincentives, including not being able to attest to MIPS.

Q What is "Information Blocking"?
A

Information blocking is defined by the ONC as "a practice that is likely to interfere with access, exchange, or use of EHI, unless the practice is covered by an exception or is otherwise required by law. The standard for information blocking for developers, networks, or exchanges is if they know, or should know, that such practice is likely to interfere with access, exchange, or use of EHI. For health care providers to engage in practices considered information blocking, the provider would need to know that such practice is unreasonable and is likely to interfere with access, exchange, or use of EHI." Any claims or reports of alleged information blocking would be evaluated on the specific circumstances of each situation.

Q What is the Preventing Harm Exception?
A

An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information to prevent harm will not be considered information when the "reasonable belief" and "practice breadth" conditions are met, and it will not be considered information blocking. For more information on this exception, continue here.

May 2022

Q How long do HIPAA-related medical records need to be retained?
A

HIPAA regulations require that all HIPAA-related records and documents be retained for six (6) years. This applies to authorizations, audit records, business associate agreements, and contracts, etc. They may then be destroyed in a manner that does not allow for the disclosure of any PHI (e.g., burning, shredding, etc.).

Q What should be included in a well-documented medical record?
A

A properly documented medical record should:

  • Be complete and legible
  • Include the reason for the encounter, any relevant history, physical examination findings, prior diagnostic test results, assessment, clinical impressions or diagnosis, plan for care, the date and identity of the observer
  • Include the rationale for ordering diagnostic and other ancillary services
  • Support the CPT and ICD-10-CM codes used for claims submission
  • Identify appropriate health risk factors
  • Document the patient's progress, response to or changes in treatment, or any revision in diagnosis
Q Where should the signed release of information and assignment of benefits forms be kept?
A

All patients must sign a release of information and assignment of benefits form before they receive services. These forms should be placed in the patient's chart or record after the patient and/or the responsible party signs them. There are strict rules regarding the assignment and reassignment of billing rights in both Medicare and Medicaid programs.

Q How long do the Centers for Medicare & Medicaid Services (CMS) require healthcare providers and organizations to retain patient records for?
A

CMS requires healthcare providers and organizations to retain patient records for Medicare beneficiaries for at least five (5) years. CMS requires Medicare managed care program providers to retain records for ten (10) years.

Q What are the stages of a record?
A

The lifecycle of a record includes four basic steps:

  • Creation - Once a document is completed, it becomes a record. At this point, it enters the records management cycle.
  • Active use - When in active use, records are stored in file folders if they are paper-based, electronically in files on a computer system if they are electronic, or filed on microfilm or other recording media for regular use. As most records age, they are referred to less often. When records reach the time that they are referred to less often than once every six months, they should be moved to less costly storage.
  • Inactive use - When records become inactive, they are normally boxed if in paper form or achieved electronically to a CD or magnetic tape. Inactive storage is considerably less expensive than active storage and frees up space for active storage of more active records.
  • Disposition - The final step in the life cycle of a record is its final disposition. This can mean simple destruction by throwing it in a waste can or have the record shredded or incinerated. Some records should not be destroyed, and they need to have a way to be identified and stored for very long time periods.

April 2022

Q What types of security issues affect the healthcare industry?
A

Cyber threats are constantly changing, and the threat to healthcare offices and organizations is real! The most common way for bad actors to infiltrate an organization is through the workforce with tactics such as email phishing. Other cyber threats include spam, distributed denial of services (DDoS) attacks, malware or ransomware, data breaches, third-party risks, and medical device security vulnerabilities.

Q How do you address cybersecurity threats in healthcare?
A

Healthcare organizations need to address cyber security threats by having the following:

  • Train employees to identify a cyberattack and what to do when it occurs.
  • Have your software protected and up to date with antivirus and antimalware protection.
  • Have policies and procedures in place for system control, password protection, device policies, etc.
  • Conduct a Security Risk Assessment (SRA) regularly for your organization.
  • Install structural security measures such as alarms, security cameras, guards, etc.
  • Have a detailed data recovery plan that includes backing up on your organization's daily basis and have the backup on a remote
Q Do healthcare organizations need to have cyber liability insurance?
A

Cyber liability insurance is designed for organizations as an insurance policy with protective coverage against events like data breaches or other cyber security issues. Cyber liability insurance policies require immediate notification as soon as an organization becomes aware or detects a possible breach following a cyber-attack, such as ransomware.

If your organization does not have cyber insurance coverage yet, HCP highly recommends discussing a policy with your insurance agent. Cyber insurance is a critical part of a secure IT environment within the healthcare industry due to the imminent threat of cyber-attacks from bad actors.

Q What makes a password strong and safe?
A

A strong password should have at least ten characters or more long and includes uppercase and lowercase letters, numbers, and special characters such as, !%#$&*. Recent research suggests users could also consider using "passphrases," which are sentences that may be easier to remember than a very complex password. Passwords should be updated every six months, when an employee leaves or is terminated, or however often as required under the organization's password policy.

March 2022

Q What is the No Surprises Act?
A

Starting January 1, 2022, it will be illegal for providers to bill patients for more than the in-network cost-sharing price if the patient did not choose or know that the service would come from an out-of-network provider. For more information about the No Surprises Act, check out the recommended article "The No Surprises Act — What Your Organization Needs to Know" here: https://www.healthcarecompliancepros.com/blog/no-surprises-act-what-your-organization-needs-to-know

Q What is the purpose of the No Surprises Act?
A

  • To protect those covered under group and individual health plans from receiving surprise medical bills when they receive:
    o Emergency Services from out-of-network providers
    o Non-emergency services from out-of-network providers at in-network facilities
    o Services from out-of-network air ambulance providers
  • To protect the uninsured and self-pay patients from unexpected costs.
  • Mandate transparency regarding healthcare costs.
  • Does not apply to government-reimbursed care (Medicare and Medicaid, etc.) because these payers already prohibit balance billing.

Q Does the No Surprises Act supersede state laws?
A

Federal regulations are the default when states provide no similar laws. In states that do have laws, federal law takes priority when the state law provides less protection to the patient.

Q Can you define convening provider, co-provider, and co-facility?
A

  • Convening Provider - the provider that is treating the patient and determining their care.
  • Co-Provider - Is needed by the convening provider to care for the patient (anesthesiologist, lab, on-call provider, etc.)
  • Co-facility - Location that may involve in the patient's care. For example, hospital, surgical care, etc.

Q What additional responsibilities does the provider have?
A

  • If a provider ends a contractual relationship with an insurance plan, they must ensure continuity of care. They must accept payment from the plan for up to 90 days after the date on which the patient was notified of the change in network status. They must also continue to adhere to all contract policies imposed by the plan during that period.
  • The provider must maintain health plan directories with which they have a contractual relationship. At a minimum, they must submit provider directory information
    o At the beginning of the network agreement o At the termination of the network agreement
    o Any time there are material changes to the content of the provider directory information
    o Upon the request of the plan o Any other time deemed appropriate by the provider, facility or HHS.
  • The provider must reimburse the patient who relied on incorrect provider directory information and paid the provider more than the in-network cost-sharing amount.

Q Are there sample forms or resources available to help navigate the NSA?
A

Q Where does information about the No Surprises Act need to be posted for our patients?
A

Providers must post this information prominently at their physical location(s), post it on their website, and provide it to the patient

Q What is required to be included in the Notice and Consent form?
A

  • That the provider does not participate in the patient's health plan.
  • The good faith estimated amount the provider may charge the patient for all services that would reasonably be included.
  • Notice that the service might need to be authorized by the plan.
  • Clearly state that signing the notice is optional, and the patient does not have to consent.
  • Clearly state the patient may get service from an available in-network provider.

Q What is the timeframe for providing a Notice and Consent to the patient?
A

A Notice and Consent must be provided at least 72 hours (3 days) before a service is provided. If the service is scheduled within 3 days, the notice must be given at least 3 hours ahead of time.

Q What types of providers are required to provide a Good Faith Estimate?
A

All providers, including all types of doctors, dental offices, hospitals, optometry, ASC, diagnostic and imaging centers, laboratories, etc., must provide a good faith estimate of expected changes to any self-pay or uninsured patient.

Q What is required to be included in the Good Faith Estimate?
A

  • Patient name and date of birth
  • Description of the primary item or service in clear and understandable language (and if possible, the date the service is scheduled)
  • Items and services reasonably expected to be furnished for the period of care
  • CPT codes
  • ICD-10 codes
  • Expected charges
  • Names of providers and facilities
  • Tax ID number
  • National Provider Identifier (NPI)
  • Disclaimer that states:
    o The Good Faith Estimate is an estimate and subject to change
    o There may be additional items or services not contained in the estimate
    o Their right to initiate a patient-provider dispute resolution process
    o The estimate is not a contract

Q How long do you have to provide a Good Faith Estimate?
A

  • The estimate must be provided no more than 3 business days after the service is scheduled, or
  • No later than 1 business day if the services is scheduled in less than 10 days.

Q What form does the Good Faith Estimate need to be in?
A

  • The estimate must be in written form and can be either paper or electronic. Electronic formats must be in a form that allows the patient to save and print. The language must be clear and understandable and in a manner that the average individual can easily understand.
  • If the patient requests the estimate orally over the phone or in person, you may provide it orally but must follow up with a written copy to meet regulatory requirements.

February 2022

Q What if there is more than one provider involved in the patient's procedure?
A

  • If more than one provider is furnishing care, the "convening provider" must provide the Good Faith Estimate to the patient. This estimate should include all the items and services expected to be provided by the convening facility and other services expected to be provided by co-providers and co-facilities.
  • The convening provider is the provider scheduling the services. Other facilities providing services are considered co-providers.
  • No later than one day after scheduling the services, the convening provider must contact all co-providers and request good faith estimate information for expected charges associated with the co-provider.

Q What if the patient is new and the complexity of their condition is unknown?
A

Good Faith Estimates are required to list any service that is reasonably expected to be furnished. It does not require estimates to include unanticipated services that are not reasonably expected due to unforeseen circumstances. Providers should estimate anticipated services based on the information available as provided by the patient, previous medical records, and information from referring providers.

Q How can a Good Faith Estimate with a diagnosis be given before seeing the patient?
A

When scheduling a patient, it is required that they receive a GFE. The patient's initial visit should be covered in their first GFE. After examining the patient for their next appointment or treatment (procedure, surgery, lab, etc.), a new GFE must be provided.

Q Can patients go to our website and view prices? Does the Good Faith Estimate need to be signed?
A

Yes, prices can be published on the website. However, a GFE is not required to be signed, but must be kept for seven years as documentation.

Q Regarding the Good Faith Estimate, when a biopsy is performed on a patient in a dermatology office, do we need to provide how much lab charges when we send it out?
A

The convening provider is required to obtain the estimate from the lab. There is enforcement discretion in place as providers get policies and procedures in place. However, the treating provider or facility must still obtain the information for the Good Faith Estimate for the patient.

Q Can we update the GFE after we learn more about the patient's needs?
A

Yes, after providing a GFE after an initial interaction. After this initial visit and subsequent visits, a GFE should be given according to any care they will need to receive. For example, a patient with stomach pain can be referred to the nutritionist, and the convening provider would need to contact the nutritionist for a GFE. For continued care, the nutritionist would provide GFE. Or, after the initial visit, it is determined that surgery is required, a GFE would be provided to reflect the updated information.

Q If a self-pay uninsured patient does not ask for an estimate, is it the facility's requirement to give them one?
A

Yes, the provider or facility for any self-insured or uninsured patient must provide one. Regardless of if it is requested or not.

Q Do we have to provide an interpreter or translator service for Good Faith Estimates under Section 1557?
A

Yes, just like other types of forms and services, the GFE must be translated to the top 15 languages as requested.

Q What is the GFE dispute process for out-of-network patients?
A

  • When unable to reach a price agreement for services in which balance billing was prohibited, an out-of-network provider and insurer may utilize the Independent Dispute Resolution (IDR) process.
  • Prior to initiating the IDR, the provider and insurer must engage in a 30-day open negotiation period. If the provider and insurer do not agree, either can initiate the IDR process within four days after the open negotiation period ends. The IDR entity chosen to review the claim will issue a binding decision after reviewing documentation submitted by both parties.
  • Important deadlines exist for parties involved in the IDR process and a chart of those dates can be found here - https://www.cms.gov/newsroom/fact-sheets/requirements-related-surprise-billing-part-ii-interim-final-rule-comment-period

Q What is the dispute process for uninsured and self-pay patients?
A

  • In situations where the uninsured patient receives an estimate but is billed a substantially greater amount, HHS has established a Select Dispute Resolution (SDR) process.
  • The patient has 120 days after they receive their bill to initiate this process. Substantial has been defined as the billed charges being at least $400 more than the Good Faith Estimate. The patient is only eligible for an SDR if they received a good faith estimate and submit a copy with their dispute claim.
  • Healthcare providers must submit supporting documentation within 10 days of the receipt of the SDR notice. They must cease all collection efforts and pause the accumulation of fees. The SRA entity chosen to review the claim will issue a binding determination within 30 days after receiving the necessary documentation. Only charges the provider could not have reasonably anticipated will be considered.

Q Are there exceptions to no balance billing for out-of-network providers? For the No Surprises Act Billing and Coding
A

  • A provider cannot balance bill for services furnished because of urgent medical needs regardless of the provider satisfying the notice and consent criteria.
  • Emergency services providers can only bill if all the following conditions have been met.
    o The patient can travel using non-emergency transportation to a participating facility within a reasonable travel distance. The patient also needs to be in a condition to receive a notice and provide informed consent.
    o The non-participating provider provides the patient with written notice and obtains consent within the specified period and format outlined in regulations. o The provider satisfies all other state law requirements.
  • Non-participating providers at a participating facility
    o Cannot bill patients for amounts greater than the in-network cost-sharing requirement for such services unless notice and consent requirements are met.
    o Healthcare facilities include hospitals, hospital outpatient departments, critical access hospitals, and ambulatory surgical centers.
  • Notice and consent requirements do not apply to the following ancillary services, for which balance billing remains prohibited:
    o Services and items related to emergency care, anesthesia, pathology, radiology, and neonatology.
    o Services provided by assistant surgeons, hospitalists, and intensivists.
    o Diagnostic services like radiology and laboratory services.
    o Services and items provided by a non-participating provider if there was no participating provider that could provide the service at the facility.

Q For OON balance billing portion, does the No Surprises Act apply?
A

Different areas of the No Surprises Act apply to different facilities. Generally, all providers for uninsured or self-pay individuals, or when a Good Faith Estimate (GFE) is requested from a co-provider, must be provided a Good Faith Estimate. A GFE must be provided to any uninsured or self-pay patient or when one is asked for regardless of facility or provider type.

January 2022

Q Can biohazard specimen bags be reused if not visibly soiled?
A

Biohazard specimen transport bags should not be reused. Best practice and OSHA's recommendation is to dispose of each bag after use. Looking for visible contamination is not infallible because certain body fluids are colorless, meaning that although you may not see a spill, there is still the possibility of contamination. While the idea of reusing them to reduce waste is a valid one, the need for infection control precautions outweighs financial or excess trash considerations.

Q How long should autoclave results logs be kept?
A

We recommend following the CDC's guidelines as a best practice and retaining them for at least 3 years or as long as your state law requires if it is a longer timeframe. Healthcare providers may want to check with their local health department as well to see if there are local retention requirements.

Q Should a healthcare provider keep a log of biohazardous waste that is collected from them for disposal?
A

Yes, we recommend maintaining a log of when the hazardous waste is collected and removed from a healthcare provider's facility in addition to when they received the manifest that it was destroyed. Additionally, federal regulations require providers to keep the manifest, along with the biohazardous waste log and any other pertinent documents related to the packaging, storage, transport, or disposal of the medical waste for at least 3 years. HCP has a sample log available for clients to use when tracking the removal of biohazard waste, along with the transporter and date the certification of destruction is received.

Q What is considered “regulated waste”?
A

OSHA's Bloodborne Pathogens Standard uses the term, "regulated waste," to refer to the following categories of waste:

  • liquid or semi-liquid blood or other potentially infectious materials (OPIM)
  • items contaminated with blood or OPIM and which would release these substances in a liquid or semi-liquid state if compressed
  • items that are caked with dried blood or OPIM and are capable of releasing these materials during handling
  • contaminated sharps
  • pathological and microbiological wastes containing blood or OPIM.