Tips & FAQs 

As in any field or topic of discussion, you can articulate multiple words that mean similar ideas from subtle perspectives, and that is the case with these three terms.

1. Cultural competence implies that one can meet the needs of culturally diverse clients. Perhaps a person might shy away from the term's use because of a misconception: you either have or do not have the skills (i.e., that one can actually "arrive," so to speak). However, a person does not arrive at cultural competence. Instead, a individual can find instructive exposure to diverse cultures, having conversations, routinely discussing diversity, and learning new skills may help us appreciate the perspectives of culturally distinct people.
2. Cultural humility is the awareness that working with culturally diverse individuals may require experts who understand a specific culture and thought processes. An individual can remain humble by allowing these experts to help guide this process. This does not mean the practitioner knows nothing. Instead, the practitioner engages each family as unique, from a strengths perspective, and allows for mutual learning toward a common goal: inclusive care.
3. Cultural responsiveness helps people learn about culture, ethnicity, and language. The key difference is "responsiveness," which does not imply that one can be perfect and have attained all the skills and views needed to work with culturally diverse clients. It assumes one has the openness to adapt to the cultural needs of those with whom they work.

Cultural competence is an ongoing developmental process. While cultural competence trainings serve as a good means to increase provider knowledge, skills, and awareness, it is insufficient in and of itself to make your organization culturally competent. Cultural competence trainings work best when they exist within a complete framework that supports it, such as, but certainly not limited to:

• The existence of policies that ensure equitable hiring practices;
• An environment that is welcoming to those of different cultures (e.g., pictures and brochures that have people of different ethnicities or types of families);
• Connections with cultural resources in the community.

As an administrator, you can work to ensure cultural competence in a variety of ways. However, it is important that you see yourself as part of the change process. It does little good to schedule cultural competence trainings for your staff, if you and other administrators do not attend these trainings. You are a cultural being, and as such, you are also prone to bias. Increasing your knowledge, skills, and awareness will help you better scrutinize practices in your organization to ensure that bias does not exist. It also supports your role as a leader and change agent. In addition, your attendance at these workshops also shows your staff how much you care about the ideas of cultural competence. There are other means of working towards cultural competence. Your attendance at trainings alone will not do the trick. You can:

• Avail yourself of resources on cultural competence
• Regularly assess cultural competence on both the practitioner and organizational level
• Include items that assess progress towards becoming culturally competent in staff evaluations
• Include cultural competence in your strategic plan
• Enact policies that make cultural competence a priority
• Recruit staff that is representative of the population you serve
• Reward & incentivize personal and professional attempts at becoming more culturally competent • Engage your staff in regular discussions about diversity • Consider culture in treatment planning and staff meetings • Form relationships with cultural brokers/liaisons/resources in your community and seek their expertise when in doubt • Evaluate whether or not there are barriers to service provision based on cultural preference for treatment options

There are many things that can be done at the level of administration. This list is not exhaustive, but will definitely point you in the right direction.

Ethnicity and race are often spoken about interchangeably, but they are not the same. Ethnicity refers to one's ethnic culture; the vast structures of behaviors, ideas, values, habits, rituals, ceremonies, and practices common to a particular group of people that provides them with a general design for living and patterns for interpreting reality. Conversely, race is a fictitious construct. There is no biological basis for race. That being said, when we say, "Race," we typically are identifying people by skin color; black, white, Asian or Indian. Race, or skin color, is not a way to identify ethnicity or culture. One can be a black American or a white American. As well as one can be a black Trinidadian or an Indian Trinidadian; a white Puerto Rican or a black Puerto Rican. The two often intersect.

Kevin Avruch and Peter Black, who primarily work from the business relations' perspective, outline six fundamental patterns of cross-cultural differences:

1. Communication styles
2. Attitudes towards conflict
3. Approaches to completing tasks
4. Decision making styles
5. Attitudes towards disclosure
6. Approaches to knowing

A simple Google search for these authors will yield detailed, insightful information with definitions and examples of what these differences mean as well as what they look like. However, as it pertains to mental health, there will be more differences, such as; differences in the ways in which we describe these issues (some cultures have a limited vocabulary for emotion words, and the notion of "mental illness," does not exist), differences in what we think causes these issues ("God must be mad with us," "She is being punished for her early promiscuity," etc.), and differences in the ways we think we should go about solving these problems (individual therapy, medication management, prayer, reiki, chi gong, meditation, etc.).

Cultural competence is essential for a few reasons. The first major reason is because we live in a diverse society. We are diverse with respect to race/ethnicity, social class, gender, sexual orientation, ability, age and religion/spirituality. It should not be assumed that any perspective is better than the other. Each perspective is valid. Despite this truth, those who have traditionally been in positions of power have made rules and policies that are reflective of their cultural points of view, without realizing that they look at the world from a particular cultural lens. This unintentional bias has resulted in such things as the overrepresentation of African American and Hispanic groups in prison, juvenile detention, special education and foster care. In addition, these and other ethnic minority groups have been underrepresented in less punitive, treatment-oriented systems such as mental health and inpatient facilities.

• Any work-related fatality.
• Any work-related injury or illness that results in loss of consciousness, days away from work, restricted work, or transfer to another job.
• Any work-related injury or illness requiring medical treatment beyond first aid.
• Any work-related diagnosed case of cancer, chronic irreversible diseases, fractured or cracked bones or teeth, and punctured eardrums.
• There are also special recording criteria for work-related cases involving: needlesticks and sharps injuries; medical removal; hearing loss; and tuberculosis.

• Using a non-prescription medication at nonprescription strength (for medications available in both prescription and non-prescription form, a recommendation by a physician or other licensed health care professional to use a non-prescription medication at prescription strength is considered medical treatment for recordkeeping purposes);
• Administering tetanus immunizations (other immunizations, such as Hepatitis B vaccine or rabies vaccine, are considered medical treatment);
• Cleaning, flushing or soaking wounds on the surface of the skin Using wound coverings such as bandages, Band-Aids™, gauze pads, etc.; or using butterfly bandages or Steri-Strips™ (other wound closing devices such as sutures, staples, etc., are considered medical treatment);
• Using hot or cold therapy;
• Using any non-rigid means of support, such as elastic bandages, wraps, non-rigid back belts, etc. (devices with rigid stays or other systems designed to immobilize parts of the body are considered medical treatment for recordkeeping purposes);
• Using temporary immobilization devices while transporting an accident victim (e.g., splints, slings, neck collars, back boards, etc.). Drilling of a fingernail or toenail to relieve pressure, or draining fluid from a blister;
• Using eye patches;
• Removing foreign bodies from the eye using only irrigation or a cotton swab;
• Removing splinters or foreign material from areas other than the eye by irrigation, tweezers, cotton swabs or other simple means;
• Using finger guards;
• Using massages (physical therapy or chiropractic treatment are considered medical treatment for recordkeeping purposes); or
• Drinking fluids for relief of heat stress.

The Breach Notification Rule says that covered entities and business associates must tell affected patients, HHS, and the media when there is a breach of PHI. You must notify authorities of most breaches without reasonable delay and no later than 60 days after discovering the breach. Submit notifications of smaller breaches affecting fewer than 500 patients to HHS annually.

Most of the time, a HIPAA breach is an unauthorized use, transmission, or disclosure of PHI that compromises its security or privacy. If PHI is used or shared without permission, this is a breach, unless a risk assessment shows that there is a low chance that the PHI has been compromised. The severity of a breach incident are determined by factors including, but are not limited to:

• The nature and extent of the PHI involved (i.e., the types of identification or the chances of re-identification)
• The unauthorized person who used the PHI or got the disclosed PHI
• Whether an individual acquired or viewed the PHI
• The extent to which you reduced the PHI risk

HIPAA requirements detail how a covered entity and business associate can handle protected health information (PHI). When a covered entity discovers a breach of unsecured PHI, the Department of Health and Human Services (HHS.gov) sets different recordkeeping and notification requirements depending on the severity of the incident.

Learn more specific information about "Submitting Notice of a Breach to the Secretary" here: (https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html)

The HIPAA Breach Notification Rule outlines the requirements for breach incidents affecting 500 or more individuals. A covered business must notify the Secretary within 60 days of discovering a breach of unsecured protected health information (PHI) affecting 500 or more individuals. The covered entity must submit the breach notification form electronically and fill out all essential fields of the breach notification form.

View a list of breaches affecting 500 or more individuals on OCR Portal here: (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)

For breaches that affect fewer than 500 individuals, a covered business shall notify the Secretary within 60 days of the end of the calendar year in which a breach of unsecured protected health information (PHI) affects fewer than 500 people. A covered entity can report breaches impacting fewer than 500 people at the moment they are detected. The covered company may notify all breaches impacting fewer than 500 people on one date, but each breach incidence must be reported separately. The covered entity must fill out the breach notification form to submit the notice electronically.

The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is a primary enforcement agency for rules set within the Health Insurance Portability and Accountability Act (HIPAA). The aim is for safeguards that ensure the privacy and security of protected health information (PHI).

Covered entities and business associates must follow HIPAA rules. The goal is to protect the privacy and security of protected health information (PHI) and ensure a patients' right of access. Examples of a Covered Entity may include, but are not limited to:

A Healthcare Provider

• Doctors
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies

A Health Plan:

• Health insurance companies
• Health Maintenance Organizations (HMO)
• Company health plans
• Government programs that pay for health care including Medicare, Medicaid, Military, and Veteren's health care programs

A Health Care Clearinghouse:

• Including establishments that process nonstandard health information received from another entity into a standard (i.e., data content or standard electron formats, or vice versa).

If you don't meet the definition of a covered entity or business associate, you don't have to comply with the HIPAA rules. For definitions of covered entities and business associates, see 45 CFR 150.103 (https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103)

Biohazard specimen transport bags should not be reused. Best practice and OSHA's recommendation is to dispose of each bag after use. Looking for visible contamination is not infallible because certain body fluids are colorless, meaning that although you may not see a spill, there is still the possibility of contamination. While the idea of reusing them to reduce waste is a valid one, the need for infection control precautions outweighs financial or excess trash considerations.

We recommend following the CDC's guidelines as a best practice and retaining them for at least 3 years or as long as your state law requires if it is a longer timeframe. Healthcare providers may want to check with their local health department as well to see if there are local retention requirements.

Yes, we recommend maintaining a log of when the hazardous waste is collected and removed from a healthcare provider's facility in addition to when they received the manifest that it was destroyed. Additionally, federal regulations require providers to keep the manifest, along with the biohazardous waste log and any other pertinent documents related to the packaging, storage, transport, or disposal of the medical waste for at least 3 years. HCP has a sample log available for clients to use when tracking the removal of biohazard waste, along with the transporter and date the certification of destruction is received.

OSHA's Bloodborne Pathogens Standard uses the term, "regulated waste," to refer to the following categories of waste:

• liquid or semi-liquid blood or other potentially infectious materials (OPIM)
• items contaminated with blood or OPIM and which would release these substances in a liquid or semi-liquid state if compressed
• items that are caked with dried blood or OPIM and are capable of releasing these materials during handling
• contaminated sharps
• pathological and microbiological wastes containing blood or OPIM.

Personal use of social media is often referred to as social media use on an account registered to an individual who is not used for business purposes. Professional use is generally using social media for approved business purposes on behalf of an account registered to an organization, practice, or provider.

When posting a response to a question, use limited information and suggest another communication method. If a patient asks you a question on a social media platform that could potentially lead to a disclosure of PHI, it would be best to suggest the patient contact you using another form, a more private form of communication. It is important to limit unnecessary or inappropriate access to and disclosure of PHI. Avoid accessing or discussing PHI that is not essential to the task at hand.

When posting on your personal social media account, if it is something you don't want the public to know or access, it is also a good idea to communicate with a private form of communication. This includes when sharing information in "private" groups.

Whether you are posting on your own or a professional account, it is important to understand the potential risks.

Some risks include:

• Anything that is posted has a risk of receiving negative feedback from the public that could hurt the success of the business and its reputation.
• The accidental sharing of PHI, proprietary information, or other content that could be used by those with malicious intent from the post.
• Having a difficult time managing and/or responding to posts and comments from users. Organizations need to train employees on how to respond to negative or inaccurate statements made on their posts.

You may have language in place in a social media policy that states if personal use of social media is or is not permitted during business hours. Your policy may also explain the professional help of social media on behalf of the organization, practice, or provider. In other words, who should post, who should update, what should be published, etc. We have a Social Media template available for customization for your organization. Ask your support team for access.

Never post any photos involving patients without authorization! Even then, be extremely cautious and always have written authorization. When pictures or patient information are used for purposes other than Treatment, Payment, and Operations (TPO), a valid HIPAA authorization must be obtained from the patient or the patient's legally authorized representative. This includes when posting on social media. When in doubt, check with your compliance officer before posting anything that could be considered PHI.

Yes! HCP offers a program tailored for Non-Medical Facilities. We help you maintain compliance with the following areas: OSHA, Human Resources, and Learning Management System. Working with HCP means you no longer have to wonder if you comply with your industry requirements.

HCP offers a Healthcare Business Associate Package. That package helps you maintain compliance as it applies to HIPAA, Corporate, Human Resources, and Learning Management Systems, with an optional Compliance Risk Analyzer.

With HCP, you get a custom program tailored to meet your needs and have access to a dedicated support team that is there to work with you every step of the way. With our support team, you have a personally dedicated group to your facility. They are consistently monitoring your program and reaching out to you with quarterly updates to keep you informed on how you are doing and assist you with any areas that need improvement. You also have the ability to meet with your support team and discuss any questions or concerns that may arise. You will have their direct phone numbers and email addresses. So please, reach out to them and you will truly see the value of HCPs Compliance Services, and why our Support Team is one of our best features!

Healthcare Compliance Pros provides your organization with HIPAA Privacy, HIPAA Security, Corporate Compliance, OSHA, and Human Resources policies and procedures. While these policies and procedures are a blanket set, meaning these policies and procedures ensure your organization follows Federal requirements; taking some time to add language specific to your organization is an important step. (The first step of our program is completing the Organization Questionnaire - we take your answers and incorporated them into the compliance training.)

Being Compliant is a process that does not need to be completed all at once and doesn't need to be complicated. Rather, it is an ongoing process that we will be working with you to complete. For example, when you submit a Security Risk Analysis (SRA), a big part of that process is discussing HIPAA Security Policies and Procedures - addressable and required. Most of the policies that are discussed in your SRA, in addition to HIPAA Privacy policies and procedures, are included in our training modules.

Whether HIPAA, OSHA, Corporate Compliance, and/or Human Resources, the policies and procedures are always reviewed and updated, as necessary. These policies and procedures are always available wherever you have internet access, can be printed out as necessary, and provide a good way for your employees to complete their training.

1. Implementing written policies, procedures, and standards of conduct: HCP has customized training modules, policies, and procedures for your organization. We also have a huge library of sample policies, procedures, and forms.
2. Designating a compliance officer and compliance committee: Once you have designated a compliance committee, HCP can help store your compliance committee meeting minutes.
3. Conducting effective training and education. - HCP has many training modules from Compliance, Code of Conduct, HIPAA, OSHA, HR, and many more, all of which are customizable for your organization.
4. Developing effective lines of communication. - HCP can also help your organization establish an anonymous hotline.
5. Conducting internal monitoring and auditing. - HCP is here to help check your employees and vendors monthly against the OIG Exclusion List and the SAMs List. We can even help run background checks. We also have a HIPAA incident reporting log that can help you determine if it is reportable or not reportable and provide steps in the mitigation process. We also offer a billing and coding audit service through our Compliance Risk Analyzer (CRA).
6. Enforcing standards through well-publicized disciplinary guidelines. - HCP can help you develop a disciplinary policy, for we offer many sample templates of policies and procedures.
7. Responding promptly to detected offenses and undertaking corrective action. - HCP has several ways to help you track and log compliance and HIPAA issues, along with forms to help you through the process of logging and responding and putting a corrective action plan in place. Plus, we also offer an anonymous hotline for your employees to report compliance issues.

1) Written Policies and Procedures
2) Designation of a Compliance Officer and a Compliance Committee
3) Training and education
4) Auditing and monitoring
5) Open lines of communication
6) Response to detected problems and correction
7) Enforcement of disciplinary standards

Standards of Conduct (or Code of Conduct) state the organization's compliance expectations and their operational principles and values.

No. As part of participation in any federal payment program, like Tricare or Medicaid, a provider is required to have an effective corporate compliance program. Part of an effective program includes corporate compliance training. Additionally, many payors contract with CMS in some way or another and as a part of that, require all contracted providers to maintain a corporate compliance program as part of their contract, regardless of if the provider contracts with a federal payment program or not. It's a good idea for our clients who think they don't have to have a corporate compliance program in place to check their payor contracts to see exactly what is required of them and if a corporate compliance program with training is a requirement of their payors. The only time that a corporate compliance program is certain to not be required is if the provider only accepts cash-paying patients.

Healthcare providers are required to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting PHI and ePHI. They may allow employees to work from home as long as they have conducted a risk analysis and implemented appropriate safeguards to ensure the privacy and security of ePHI that will be accessed and transmitted remotely. Employees who work from home must comply with the same security protocols as employees who work onsite within the facility. They also still need to complete training on the organization's HIPAA Privacy and HIPAA Security policies and procedures.

Yes. Laws and regulations exist that prohibit FWA. CMS and the OIG have stated that organizations must create and implement effective training and education on these laws and have policies and procedures in place to maintain compliance. Penalties for violating these laws may include but are not limited to civil monetary penalties, civil prosecution, criminal conviction, fines, exclusion from all federal healthcare program participation, imprisonment, and loss of professional license.

Knowingly submitting false or fraudulent claims to Medicare and Medicaid is illegal. You may receive fines of up to 3x the program's loss plus $11,000.00 per claim filed for filing false or misleading claims.

Penalties for violating these laws may include but are not limited to Civil Monetary Penalties, Civil prosecution, Criminal conviction/fines, Exclusion from participation in ALL Federal Healthcare programs, Imprisonment, and even Loss of provider license.

Fraud requires the person to have the intent to obtain payment and know that their actions are wrong. Waste and Abuse may involve obtaining an improper payment but do not require the same intent and knowledge. Fraud, being the more severe of the 3, has a devastating impact on not only the practice but the victims. Criminal penalties for submitting fraudulent claims include imprisonment and criminal fines. No one is safe from these repercussions. Even physicians have gone to prison for submitting false claims.

What are the penalties for blocking information? The 21st Century Cures Act empowers the HHS Office of Inspector General (OIG) to issue civil monetary penalties of up to $1 Million against software developers, networks, or exchanges that interfere with the proper exchange of ePHI. To put it simply, blocking health information is illegal.

Due to the increase in Remote working, this new work environment has made it more difficult to prevent fraud within organizations. With the new hurdles, a rise in security and fraud risk has become the new challenge. What is the main reason for this rise in fraud? More than a third of organizations are claiming to not have suitable fraud prevention and response plans established and in place.

Kickback Schemes, Medically Unnecessary Services, Failure to properly charge Medicare/Medicaid patients for prescriptions, Allowing Nurses and Staff to Perform Examinations (essentially any staff members performing outside of their job duties/knowledge/training), and Upcoding.

When considering the requirement of providing a security awareness and training program, there are many real-life examples from which to learn. For example, recently, an Office for Civil Rights (OCR) investigation of an entity found long-standing non-compliance with HIPAA Rules, including failures to conduct a security risk analysis, provide a training program on security awareness, and implement HIPAA Security Rule policies and procedures. As a result of this investigation, the entity agreed to pay the Office for Civil Rights (OCR) $65,000 and adopt a corrective action plan to settle these violations of the HIPAA Security Rule.

The Office of Inspector General was established to identify and eliminate fraud, waste, and Abuse in the U.S. Department of Health and Human Services. The Secretary gave authority to the OIG to exclude from participation in Medicare, Medicaid, and other Federal healthcare programs individuals that have engaged in fraud or Abuse, in which they may impose civil money penalties (CMPs) for misconduct related to Federal healthcare programs. Here is a recent example of CMPs set on an eye care provider. This provider had to pay civil monetary penalties of $17,562.24 for employing an individual excluded from participation in the Federal health care programs.

Healthcare organizations should follow the CDC's and OSHA's recommendations to prepare for pandemic outbreaks of varying severity levels. Additionally, the CDC recommends encouraging everyday preventative actions for employees such as staying home when you are sick, covering your coughs and sneezes with tissues, washing your hands with soap and water for at least 20 seconds as often as you can, using at least 60% alcohol-based sanitizer if soap and water are not available, and cleaning frequently touched surfaces and objects.

Beyond that, nonpharmaceutical interventions (NPIs) have been recommended by public health officials to prevent the spread of communicable diseases. These additional actions include allowing staff members to telework, flexibility in allowing staff to stay home if they or someone in their house is sick, increasing space between staff at work as much as possible, but at least 3 feet, decreasing the frequency of contact among staff members, thinking about postponing or canceling work events and canceling or postponing non-essential work travel.

Finally, because this is an evolving situation and the CDC is providing new guidance on a regular basis, we recommend keeping up with the news of the COVID-19 outbreak, following the instructions of public health officials, updating any policies to keep in line with new recommendations as they may be announced, and providing accurate and consistent information to employees reflecting the guidelines of OSHA, the CDC, and other governmental agencies that may be providing them.

OSHA's guidance refers to the CDC's infection control guidance. Additionally, a healthcare facility must conduct a risk assessment and determine which employees are at risk, what the risk is, and what PPE would be appropriate to provide. Regardless of the risk, standard precautions should be followed. Transmission-based precautions should be implemented when in contact with a suspected COVID-19 patient.

The CDC states that healthcare providers should implement universal use of personal protective equipment for healthcare providers. In areas of substantial or high transmission, all employees should be provided additional PPE based on their job responsibilities.

A sharps injury log is intended to track injuries and the departments, devices, or procedures that are causing them. It's not meant to track injured employees. As such, the sharps injury log does not need to include the employee's name. In fact, OSHA states that including the employee's name jeopardizes their confidentiality. If an employer chooses to keep employee names on their log, they have to remove them if asked to share the report with anyone to keep the employee information on the log confidential. However, the bloodborne exposure incident report completed after an exposure incident should include the employee's information, the situation leading to the incident, etc., and be kept in their employee medical records.

The infection control safety coordinator should be someone who is able to understand and identify infectious disease hazards in the workplace and must be knowledgeable in infection control principles and practices as they apply to the workplace and employee job operations. Additionally, the safety coordinator must have the authority to ensure compliance with all aspects of the organization's infectious disease plan so that they can take prompt corrective measures when hazards are identified.

Employers' designated safety coordinators should implement and monitor the infectious disease plan, but the exact responsibilities of a safety coordinator may vary based on the employer and workplace.

The Department of Labor's Occupational Safety and Health Administration (OSHA) does not have any regulations regarding telework in home offices. The agency issued a directive in February 2000 stating that the agency will not conduct inspections of employees' home offices, will not hold employers liable for employees' home offices, and does not expect employers to inspect the home offices of their employees. If OSHA receives a complaint about a home office, the complainant will be advised of OSHA's policy. If an employee makes a specific request, OSHA may informally let employers know of complaints about home office conditions but will not follow up with the employer or employee.

Employers who are required to keep records of work-related injuries and illnesses will continue to be responsible for keeping such records for injuries and illnesses occurring in a home office.

No, employers are required to offer the Hepatitis B vaccine when the employee starts work to comply with OSHA's Bloodborne Pathogens Standard 29 CFR 1910.1030. Employees can decline the Hepatitis B vaccine and would need to sign a declination form. HCP has a form called "Certification of Hepatitis B Vaccination and Declination Form" that can be used for documentation.

OSHA's Bloodborne Pathogens Standard 29 CFR 1910.1030 states the Hepatitis B vaccine must be offered after training and within ten days of the employee being assigned a job where there is occupational exposure unless the worker has already received the vaccine series previously.

With the rising rate of cybercrime in the healthcare industry, we recommend that organizations take extra steps to help protect themselves from the high cost of a cyber-attack. One way to do this is to have cyber liability insurance, which is a type of insurance designed to cover costs associated with expenses related to cyber-attacks. These expenses may include costs associated with notifying patients, business interruption expenses, fees associated with bringing systems back online, and potential fines or penalties associated with the incident.

While penetration testing is not a named requirement for HIPAA compliance, it is a best practice. The healthcare industry has become a high target for hackers because of the amount of sensitive data that covered entities and their business associates maintain. As such, covered entities and their business associates need to have policies and processes in place in order to safeguard this data. In order to develop policies and processes that will protect PHI appropriately, a CE needs to know where their vulnerabilities are. Penetration testing is one way to achieve this. In fact, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-66, where they recommend implementing penetration testing as part of HIPAA Security to determine potential vulnerabilities and validate that the proper safeguards are in place.

According to the OCR, an asset inventory includes hardware, software, and data assets. Hardware assets are "Physical elements of the organization's networks and systems, including electronic devices and media." Software assets are "Programs or applications that run on the hardware assets, including databases, email and financial record systems, backup solutions, and anti-malware tools." Data assets are "ePHI that is created, received, maintained, or transmitted on the network or with the hardware assets."

Workplace violence is considered any act or threat of physical violence, harassment, intimidation, or other threatening disruptive behavior that happens in the workplace. It may include threats, verbal abuse, physical assaults, and even homicide. It can affect and involve employees, clients, patients, and visitors.

Workplace harassment involves unwelcome and offensive conduct that is based on race, color, national origin, sex (including pregnancy, gender identity, and sexual orientation), religion, disability, age (age 40 or older), or genetic information. Examples of harassment include offensive or derogatory jokes, racial or ethnic slurs, pressure for dates or sexual favors, unwelcome comments about a person's religion or religious garments, or offensive graffiti, cartoons, or pictures. Sexual harassment or unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature. Harassment does not have to be of a sexual nature, however, and can include offensive remarks about a person's sex.

No, not all workplace harassment is illegal. For workplace harassment to be illegal, the conduct must either be severe or pervasive (frequently occurred). It doesn't have to be both. The laws enforced by EEOC do not prohibit simple teasing, offhand comments, or isolated incidents that are not very serious.

Employers are required to always maintain a safe work environment for all employees. This includes preventing and addressing unsafe work environments, harassment (including sexual harassment), and workplace violence when it arises. Organizations must have policies and procedures, including information on how to prevent and report incidents, that will support their employees' safety from violence and harassment in the workplace.

The purpose of the Cures Act is to provide patients access to their information in a more transparent way. It prohibits information blocking and defines practices considered reasonable activities that wouldn't be considered information blocking.

In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).

Beginning October 6, 2022, the technical exception for practices regarding their EMRs ends, and all identified electronic PHI will be considered electronic health information (EHI). Patients will have the same rights under the HIPAA Privacy Rule to request a copy of PHI, now known as EHI. ONC also encourages that "Information Blocking Actors respond to requests for access, exchange, or use of EHI with as much EHI as possible in order to promote interoperability and to practice applying the exceptions. In comparison to the far narrower set of data elements, this definition of EHI, inclusive of all electronic PHI in a designated record set, is much more extensive from a coverage standpoint for Information Blocking Actors."

Organizations can comply with the Cures Act requirements by making patient data requests easy and inexpensive. The Cures Act requires practices to allow patients to access their health information from EHRs using an app of their choice, implement policies that prohibit information blocking, and define how the information blocking exceptions might apply to the practice. It states that if a provider does not provide access to a patient's data when requested, they will be given appropriate disincentives as a penalty for information blocking, as stated in the 21st Century Cures Act.

If an EMR does not allow for the appropriate electronic health information (EHI) to be shared with a patient when they have requested it, health care providers could be subject to these disincentives, including not being able to attest to MIPS.

Information blocking is defined by the ONC as "a practice that is likely to interfere with access, exchange, or use of EHI, unless the practice is covered by an exception or is otherwise required by law. The standard for information blocking for developers, networks, or exchanges is if they know, or should know, that such practice is likely to interfere with access, exchange, or use of EHI. For health care providers to engage in practices considered information blocking, the provider would need to know that such practice is unreasonable and is likely to interfere with access, exchange, or use of EHI." Any claims or reports of alleged information blocking would be evaluated on the specific circumstances of each situation.

An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information to prevent harm will not be considered information when the "reasonable belief" and "practice breadth" conditions are met, and it will not be considered information blocking. For more information on this exception, continue here.

HIPAA regulations require that all HIPAA-related records and documents be retained for six (6) years. This applies to authorizations, audit records, business associate agreements, and contracts, etc. They may then be destroyed in a manner that does not allow for the disclosure of any PHI (e.g., burning, shredding, etc.).

A properly documented medical record should:

• Be complete and legible
• Include the reason for the encounter, any relevant history, physical examination findings, prior diagnostic test results, assessment, clinical impressions or diagnosis, plan for care, the date and identity of the observer
• Include the rationale for ordering diagnostic and other ancillary services
• Support the CPT and ICD-10-CM codes used for claims submission
• Identify appropriate health risk factors
• Document the patient's progress, response to or changes in treatment, or any revision in diagnosis

All patients must sign a release of information and assignment of benefits form before they receive services. These forms should be placed in the patient's chart or record after the patient and/or the responsible party signs them. There are strict rules regarding the assignment and reassignment of billing rights in both Medicare and Medicaid programs.

CMS requires healthcare providers and organizations to retain patient records for Medicare beneficiaries for at least five (5) years. CMS requires Medicare managed care program providers to retain records for ten (10) years.

The lifecycle of a record includes four basic steps:

• Creation - Once a document is completed, it becomes a record. At this point, it enters the records management cycle.
• Active use - When in active use, records are stored in file folders if they are paper-based, electronically in files on a computer system if they are electronic, or filed on microfilm or other recording media for regular use. As most records age, they are referred to less often. When records reach the time that they are referred to less often than once every six months, they should be moved to less costly storage.
• Inactive use - When records become inactive, they are normally boxed if in paper form or achieved electronically to a CD or magnetic tape. Inactive storage is considerably less expensive than active storage and frees up space for active storage of more active records.
• Disposition - The final step in the life cycle of a record is its final disposition. This can mean simple destruction by throwing it in a waste can or have the record shredded or incinerated. Some records should not be destroyed, and they need to have a way to be identified and stored for very long time periods.

Cyber threats are constantly changing, and the threat to healthcare offices and organizations is real! The most common way for bad actors to infiltrate an organization is through the workforce with tactics such as email phishing. Other cyber threats include spam, distributed denial of services (DDoS) attacks, malware or ransomware, data breaches, third-party risks, and medical device security vulnerabilities.

Healthcare organizations need to address cyber security threats by having the following:

• Train employees to identify a cyberattack and what to do when it occurs.
  
• Have your software protected and up to date with antivirus and antimalware protection.
• Have policies and procedures in place for system control, password protection, device policies, etc.
• Conduct a Security Risk Assessment (SRA) regularly for your organization.
• Install structural security measures such as alarms, security cameras, guards, etc.
• Have a detailed data recovery plan that includes backing up on your organization's daily basis and have the backup on a remote

Cyber liability insurance is designed for organizations as an insurance policy with protective coverage against events like data breaches or other cyber security issues. Cyber liability insurance policies require immediate notification as soon as an organization becomes aware or detects a possible breach following a cyber-attack, such as ransomware.

If your organization does not have cyber insurance coverage yet, HCP highly recommends discussing a policy with your insurance agent. Cyber insurance is a critical part of a secure IT environment within the healthcare industry due to the imminent threat of cyber-attacks from bad actors.

A strong password should have at least ten characters or more long and includes uppercase and lowercase letters, numbers, and special characters such as, !%#$&*. Recent research suggests users could also consider using "passphrases," which are sentences that may be easier to remember than a very complex password. Passwords should be updated every six months, when an employee leaves or is terminated, or however often as required under the organization's password policy.

Starting January 1, 2022, it will be illegal for providers to bill patients for more than the in-network cost-sharing price if the patient did not choose or know that the service would come from an out-of-network provider. For more information about the No Surprises Act, check out the recommended article "The No Surprises Act — What Your Organization Needs to Know" here: https://www.healthcarecompliancepros.com/blog/no-surprises-act-what-your-organization-needs-to-know

• To protect those covered under group and individual health plans from receiving surprise medical bills when they receive:
  o Emergency Services from out-of-network providers
  o Non-emergency services from out-of-network providers at in-network facilities
  o Services from out-of-network air ambulance providers
• To protect the uninsured and self-pay patients from unexpected costs.
• Mandate transparency regarding healthcare costs.
• Does not apply to government-reimbursed care (Medicare and Medicaid, etc.) because these payers already prohibit balance billing.

Federal regulations are the default when states provide no similar laws. In states that do have laws, federal law takes priority when the state law provides less protection to the patient.

• Convening Provider - the provider that is treating the patient and determining their care.
• Co-Provider - Is needed by the convening provider to care for the patient (anesthesiologist, lab, on-call provider, etc.)
• Co-facility - Location that may involve in the patient's care. For example, hospital, surgical care, etc.

• If a provider ends a contractual relationship with an insurance plan, they must ensure continuity of care. They must accept payment from the plan for up to 90 days after the date on which the patient was notified of the change in network status. They must also continue to adhere to all contract policies imposed by the plan during that period.
• The provider must maintain health plan directories with which they have a contractual relationship. At a minimum, they must submit provider directory information
  o At the beginning of the network agreement o At the termination of the network agreement
  o Any time there are material changes to the content of the provider directory information
  o Upon the request of the plan o Any other time deemed appropriate by the provider, facility or HHS.
• The provider must reimburse the patient who relied on incorrect provider directory information and paid the provider more than the in-network cost-sharing amount.

• Standard notice & consent forms for non-participating providers & emergency facilities regarding consumer consent on balance billing protections: Download the Surprise Billing Protection Form
• Good Faith Estimate for Health Care Items and Services: Download Good Faith Estimate example
• Model disclosure notice on patient protections against surprise billing for providers, facilities, health plans, and insurers: Download Patient Rights & Protections Against Surprise Medical Bills
• Paperwork Reduction Act (PRA) model notices and information collection requirements for the Federal Independent Dispute Resolution Process: Download Model Notices and Information Requirements
• Paperwork Reduction Act (PRA) model notices and information collection requirements for the good-faith estimate and patient-provider payment dispute resolution: Download Model Notices and Information Requirements

Providers must post this information prominently at their physical location(s), post it on their website, and provide it to the patient

• That the provider does not participate in the patient's health plan.
• The good faith estimated amount the provider may charge the patient for all services that would reasonably be included.
• Notice that the service might need to be authorized by the plan.
• Clearly state that signing the notice is optional, and the patient does not have to consent.
• Clearly state the patient may get service from an available in-network provider.

A Notice and Consent must be provided at least 72 hours (3 days) before a service is provided. If the service is scheduled within 3 days, the notice must be given at least 3 hours ahead of time.

All providers, including all types of doctors, dental offices, hospitals, optometry, ASC, diagnostic and imaging centers, laboratories, etc., must provide a good faith estimate of expected changes to any self-pay or uninsured patient.

• Patient name and date of birth
• Description of the primary item or service in clear and understandable language (and if possible, the date the service is scheduled)
• Items and services reasonably expected to be furnished for the period of care
• CPT codes
• ICD-10 codes
• Expected charges
• Names of providers and facilities
• Tax ID number
• National Provider Identifier (NPI)
• Disclaimer that states:
  o The Good Faith Estimate is an estimate and subject to change
  o There may be additional items or services not contained in the estimate
  o Their right to initiate a patient-provider dispute resolution process
  o The estimate is not a contract

• The estimate must be provided no more than 3 business days after the service is scheduled, or
• No later than 1 business day if the services is scheduled in less than 10 days.

• The estimate must be in written form and can be either paper or electronic. Electronic formats must be in a form that allows the patient to save and print. The language must be clear and understandable and in a manner that the average individual can easily understand.
• If the patient requests the estimate orally over the phone or in person, you may provide it orally but must follow up with a written copy to meet regulatory requirements.

• If more than one provider is furnishing care, the "convening provider" must provide the Good Faith Estimate to the patient. This estimate should include all the items and services expected to be provided by the convening facility and other services expected to be provided by co-providers and co-facilities.
• The convening provider is the provider scheduling the services. Other facilities providing services are considered co-providers.
• No later than one day after scheduling the services, the convening provider must contact all co-providers and request good faith estimate information for expected charges associated with the co-provider.

Good Faith Estimates are required to list any service that is reasonably expected to be furnished. It does not require estimates to include unanticipated services that are not reasonably expected due to unforeseen circumstances. Providers should estimate anticipated services based on the information available as provided by the patient, previous medical records, and information from referring providers.

When scheduling a patient, it is required that they receive a GFE. The patient's initial visit should be covered in their first GFE. After examining the patient for their next appointment or treatment (procedure, surgery, lab, etc.), a new GFE must be provided.

Yes, prices can be published on the website. However, a GFE is not required to be signed, but must be kept for seven years as documentation.

The convening provider is required to obtain the estimate from the lab. There is enforcement discretion in place as providers get policies and procedures in place. However, the treating provider or facility must still obtain the information for the Good Faith Estimate for the patient.

Yes, after providing a GFE after an initial interaction. After this initial visit and subsequent visits, a GFE should be given according to any care they will need to receive. For example, a patient with stomach pain can be referred to the nutritionist, and the convening provider would need to contact the nutritionist for a GFE. For continued care, the nutritionist would provide GFE. Or, after the initial visit, it is determined that surgery is required, a GFE would be provided to reflect the updated information.

Yes, the provider or facility for any self-insured or uninsured patient must provide one. Regardless of if it is requested or not.

Yes, just like other types of forms and services, the GFE must be translated to the top 15 languages as requested.

• When unable to reach a price agreement for services in which balance billing was prohibited, an out-of-network provider and insurer may utilize the Independent Dispute Resolution (IDR) process.
• Prior to initiating the IDR, the provider and insurer must engage in a 30-day open negotiation period. If the provider and insurer do not agree, either can initiate the IDR process within four days after the open negotiation period ends. The IDR entity chosen to review the claim will issue a binding decision after reviewing documentation submitted by both parties.
• Important deadlines exist for parties involved in the IDR process and a chart of those dates can be found here - https://www.cms.gov/newsroom/fact-sheets/requirements-related-surprise-billing-part-ii-interim-final-rule-comment-period

• In situations where the uninsured patient receives an estimate but is billed a substantially greater amount, HHS has established a Select Dispute Resolution (SDR) process.
• The patient has 120 days after they receive their bill to initiate this process. Substantial has been defined as the billed charges being at least $400 more than the Good Faith Estimate. The patient is only eligible for an SDR if they received a good faith estimate and submit a copy with their dispute claim.
• Healthcare providers must submit supporting documentation within 10 days of the receipt of the SDR notice. They must cease all collection efforts and pause the accumulation of fees. The SRA entity chosen to review the claim will issue a binding determination within 30 days after receiving the necessary documentation. Only charges the provider could not have reasonably anticipated will be considered.

• A provider cannot balance bill for services furnished because of urgent medical needs regardless of the provider satisfying the notice and consent criteria.
• Emergency services providers can only bill if all the following conditions have been met.
  o The patient can travel using non-emergency transportation to a participating facility within a reasonable travel distance. The patient also needs to be in a condition to receive a notice and provide informed consent.
  o The non-participating provider provides the patient with written notice and obtains consent within the specified period and format outlined in regulations. o The provider satisfies all other state law requirements.
• Non-participating providers at a participating facility
  o Cannot bill patients for amounts greater than the in-network cost-sharing requirement for such services unless notice and consent requirements are met.
  o Healthcare facilities include hospitals, hospital outpatient departments, critical access hospitals, and ambulatory surgical centers.
• Notice and consent requirements do not apply to the following ancillary services, for which balance billing remains prohibited:
  o Services and items related to emergency care, anesthesia, pathology, radiology, and neonatology.
  o Services provided by assistant surgeons, hospitalists, and intensivists.
  o Diagnostic services like radiology and laboratory services.
  o Services and items provided by a non-participating provider if there was no participating provider that could provide the service at the facility.

Different areas of the No Surprises Act apply to different facilities. Generally, all providers for uninsured or self-pay individuals, or when a Good Faith Estimate (GFE) is requested from a co-provider, must be provided a Good Faith Estimate. A GFE must be provided to any uninsured or self-pay patient or when one is asked for regardless of facility or provider type.