Frequently Asked Questions

To satisfy the base requirements, your HIPAA Compliance training program should incorporate annual training on privacy, security and breach notification.  A Security Risk Assessment (SRA) should also be performed that provides both a risk mitigation plan as well as an operationally specific HIPAA Compliance manual.

Other aspects to HIPAA Compliance include the distribution of Notice of Privacy Practices, to have Business Associate Agreements with certain vendors and, to establish the roles of the Privacy Officer and Security Officer. These policies and procedures will be part of the HIPAA Compliance manual.

HIPAA regulations apply to two types of groups: covered entities & business associates.

Covered entities are health plans, healthcare providers and healthcare clearinghouses. A business associate is defined by HHS as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Common examples of business associates include: IT contractors or Managed Service Providers, billing companies, collection companies, shredding companies, EMR companies, phone reminder companies, email services providers and consultants.

A Security Risk Assessment is required by HIPAA regulations.  It is the first step in evaluating and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

The Federal government does not institute regulations without enforcement and in the case of HIPAA Compliance, there is a specific penalty structure for HIPAA violations. The Office of Civil Rights (OCR) is responsible for enforcing the HIPAA regulations.

The OCR would prefer to resolve HIPAA violations in a non-punitive matter, but will enforce necessary penalties for those healthcare organizations who aren’t being diligent in their efforts to comply with the HIPAA regulations.

Penalty structure for HIPAA violations »

The Hazard Communication Standard requires that chemical manufacturers, distributors or importers provide Safety Data Sheets (SDSs) for each hazardous chemical to communicate the appropriate information to the user.

The SDS includes information such as the properties of each chemical; the physical, health, and environmental health hazards; protective measures; and safety precautions for handling, storing, and transporting the chemical.

For any gels, sprays, foams and liquids that contain a mixture of chemicals, a SDS is required to be maintained in an organized fashion with an appropriate Table of Contents (TOC) and that SDS manual needs to be available for all workforce members. The SDS manual should be reviewed annually for accuracy.

OSHA requires that all businesses, regardless of industry, provide a first aid kit to its workforce members. It must be in a sealed container and properly labeled with an adequate amount of contents to provide basic triage for minor injuries. Additionally, if there is reasonable chance of an eye injury or if chemicals are kept on site, the business is required to have an eyewash station and spill kit available. Eyewash stations require a weekly inspection that should be documented. First aid kits and spills kits should be inspected monthly to ensure that their contents are adequately intact.

OSHA established the Needlestick Safety & Prevention Act to minimize the occupational exposure to bloodborne pathogens from accidental sharps injuries in healthcare.

This modified OSHA’s Bloodborne Pathogens standard requires employers to identify, evaluate and implement safer medical devices such as needleless systems and sharps with engineered sharps protections.

This standard applies to all employers with workforce members who have occupational exposure to blood or other potentially infectious materials (OPIM), no matter how many workforce members. It also requires annual consideration and implementation of suitable and safer medical devices designed to eliminate or minimize occupational exposure.

OSHA does not have a detailed standard for workplace violence, but to re-emphasize a portion of the General Duty Clause from above, regarding “hazards that are causing or are likely to cause death or serious physical harm to his employees,” OSHA recommends that employers develop a comprehensive workplace violence program.

Healthcare workers are the most susceptible occupation to workplace violence and your workforce members need to be prepared to protect themselves.  Employers who do not take reasonable steps to prevent or abate a recognized violence hazard in the workplace can be cited.

Your organization needs to implement and maintain an effective compliance program and establish a culture of compliance. At a minimum, you need established Policies & Procedures, a designated Compliance Officer, a strong annual training program, and new hire training, open lines of communication, and pre-designed methods to handle complaints or potential problems.

Leadership should begin by establishing open lines of communication.

Whether it is via email or phone call, your workforce should understand that they have options to file a complaint or grievance. There should also be an option for them to communicate anonymously. This can be accomplished by establishing a third-party hotline. This is maintained by an outside entity, so that your workforce members have complete reporting anonymity. Workforce members should receive annual training about CMS – OIG Compliance that highlight any changes in company policies.

The OIG has the authority to exclude individuals and entities from Federally funded health care programs for a variety of reasons, including a conviction for Medicare or Medicaid fraud.

A list of all excluded individuals and entities called the List of Excluded Individuals/Entities (LEIE) is maintained by the OIG. Any Covered Entity or Business Associate that hires an individual or an entity on the LEIE could be subject to civil monetary penalties.  To avoid penalties, your organization should periodically check the LEIE.

The OIG updates the LEIE on a monthly basis, so your organization should also review it on a monthly basis. This includes checks on both your contractors and your vendors.

Every state also has a database of Medicaid Excluded Individuals which participating providers are obligated to check on a monthly basis.

Whenever any audit is completed, whether it is a comprehensive compliance audit, a coding audit, or a Security Risk Assessment, there will be issues that need to be remediated.

The Risk Mitigation Plan is the schedule that you will develop to remediate these open issues. Think of it as your corrective action plan. Performing an assessment or audit can uncover potential gaps or areas of risk. However, even if you may not be able to adequately address all of those issues, your organization must be making reasonable measures to correct these gaps or risks.

An audit or assessment is just part of the compliance picture. Remediating open issues, training your workforce, maintaining open lines of communication, keeping up-to-date policies & procedures and taking corrective action for non-compliance all contribute to a strong culture of compliance.

The main catalyst for an audit are aberrant billing patterns, as compared to providers of the same specialty in the same geographic area. These aberrations could include significant E/M coding level variances, overuse of modifiers, and “impossible days” (i.e. cumulative typical times associated with billed codes that exceed reasonable thresholds).

No. All documentation requirements associated with the billed code must be met. The only exception is when visits are predominantly focused on counseling. However, medical decision-making must still be inherent to the encounter.

The rules of coding state that the provider must code to the highest specificity and accuracy supported by documentation. In the event of a payer audit, the financial repercussions of such errors do not rise to the same level as overcoding.

However, an inflated error rate can be used to perpetuate additional auditing and higher scrutiny. Prepayment audits (which occur when a payer requires your notes before paying the claim) are particularly impacted by error rates, as the provider must usually achieve and maintain an acceptable level of accuracy for a predetermined length of time.

Chart reviews, either conducted internally, outsourced, or both are a very effective way of identifying specific services and/or providers who may not be billing for work performed or are undercoding office visits.

An ongoing process of auditing and monitoring typically reveals some degree of revenue opportunities, while at the same time identifying those providers in need of education or reinforcement of key concepts/guidelines associated with complete and accurate documentation to support billing.