Frequently Asked Questions

The Basics of Compliance and How It Affects You


Why is HIPAA Compliance relevant to my healthcare organization?

Healthcare organizations have an obligation to protect their patients’ electronic protected health information (ePHI) and physical protected health information (PHI) from internal and external threats. As custodians of ePHI/PHI, healthcare providers must deploy stringent ongoing administrative, technical, and physical safeguards to protect PHI/ePHI from possible data breaches.

What is required for HIPAA Compliance?

To satisfy the base requirements, your HIPAA Compliance training program should incorporate annual training on privacy, security, and breach notification. A Security Risk Assessment (SRA) should also be performed, producing both a risk mitigation plan and an operationally specific HIPAA Compliance manual.

Other aspects of HIPAA Compliance include distributing a Notice of Privacy Practices, having Business Associate Agreements with certain vendors, and establishing the roles of Privacy Officer and Security Officer. These policies and procedures will be part of the HIPAA Compliance manual.

Who does HIPAA apply to?

HIPAA regulations apply to two types of groups: covered entities & business associates.

Covered entities are health plans, healthcare providers and healthcare clearinghouses. A business associate is defined by HHS as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Common examples of business associates include: IT contractors or Managed Service Providers, billing companies, collection companies, shredding companies, EMR companies, phone reminder companies, email services providers and consultants.

Does HIPAA Compliance require a Security Risk Assessment (SRA)?

A Security Risk Assessment is required by HIPAA regulations. It is the first step in evaluating and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.

Could my healthcare organization be fined for lack of HIPAA Compliance?

The Federal government does not institute regulations without enforcement, and in the case of HIPAA Compliance there is a specific penalty structure for HIPAA violations. The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA regulations.

The OCR would prefer to resolve HIPAA violations in a non-punitive manner, but will enforce the necessary penalties on healthcare organizations that are not diligent in their efforts to comply with the HIPAA regulations.



What does “Standard Precautions” refer to, and why is it important to wear personal protective equipment (PPE) in a clinical environment?

“Standard precautions” describes a comprehensive approach to infection control that treats all human blood and certain human body fluids as if they were known to be infectious for HIV, HBV and other bloodborne pathogens.

Personal protective equipment (PPE) creates a barrier between the skin and these potentially infectious materials. PPE also protects healthcare workers from the chemicals that are used to sterilize and clean surfaces and equipment. Typical PPE might comprise a face shield, a face mask, eye protection, ear protection, medical gloves, and a medical gown.

It’s also important to note that there can be significant health and safety hazards associated with the products being used for disinfection. Be sure to READ THE LABEL and utilize PPE recommended by the manufacturer. Also be sure to READ THE LABEL of the sterilization product to be aware of the contact time required to effectively kill pathogens.

Are Safety Data Sheets required in a healthcare environment for OSHA Compliance?

The Hazard Communication Standard requires that chemical manufacturers, distributors or importers provide Safety Data Sheets (SDSs) for each hazardous chemical to communicate the appropriate information to the user.

The SDS includes information such as the properties of each chemical; the physical, health, and environmental health hazards; protective measures; and safety precautions for handling, storing, and transporting the chemical.

For any gels, sprays, foams, and liquids that contain a mixture of chemicals, an SDS must be maintained in an organized fashion with an appropriate Table of Contents (TOC), and that SDS manual must be available to all workforce members. The SDS manual should be reviewed annually for accuracy.

What are the requirements for OSHA Compliance related to eyewash stations, first-aid kits and spill kits?

OSHA requires that all businesses, regardless of industry, provide a first aid kit to their workforce members. It must be in a sealed container, properly labeled, and stocked with an adequate amount of contents to provide basic triage for minor injuries. Additionally, if there is a reasonable chance of an eye injury or if chemicals are kept on site, the business is required to have an eyewash station and spill kit available. Eyewash stations require a weekly inspection that should be documented. First aid kits and spill kits should be inspected monthly to ensure that their contents are adequately intact.

What are the OSHA requirements for keeping workforce members safe from needlesticks?

OSHA established the Needlestick Safety & Prevention Act to minimize the occupational exposure to bloodborne pathogens from accidental sharps injuries in healthcare.

This act modified OSHA’s Bloodborne Pathogens standard, which now requires employers to identify, evaluate, and implement safer medical devices such as needleless systems and sharps with engineered sharps protections.

This standard applies to all employers with workforce members who have occupational exposure to blood or other potentially infectious materials (OPIM), regardless of how many workforce members they have. It also requires annual consideration and implementation of suitable and safer medical devices designed to eliminate or minimize occupational exposure.

Does OSHA have standards for workplace violence?

OSHA does not have a detailed standard for workplace violence, but to re-emphasize a portion of the General Duty Clause from above, regarding “hazards that are causing or are likely to cause death or serious physical harm to his employees,” OSHA recommends that employers develop a comprehensive workplace violence program.

Healthcare workers are the occupation most susceptible to workplace violence, and your workforce members need to be prepared to protect themselves. Employers who do not take reasonable steps to prevent or abate a recognized violence hazard in the workplace can be cited.


How is CMS – OIG Compliance different from HIPAA Compliance?

Simply put, CMS – OIG Compliance is your organization’s written program to achieve overall regulatory compliance and ethical business practices for all of your organization’s business activities.

HIPAA Compliance represents your organization’s Privacy and Security Compliance, and thus serves as a specific component of your broader CMS – OIG Compliance Program.

What is the OIG looking for from my organization to maintain CMS – OIG Compliance?

Your organization needs to implement and maintain an effective compliance program and establish a culture of compliance. At a minimum, you need established Policies & Procedures, a designated Compliance Officer, a strong annual training program and new hire training, open lines of communication, and pre-designed methods to handle complaints or potential problems.

What is the best way to communicate with my workforce about CMS – OIG Compliance?

Leadership should begin by establishing open lines of communication.

Whether it is via email or phone call, your workforce should understand that they have options to file a complaint or grievance. There should also be an option for them to communicate anonymously. This can be accomplished by establishing a third-party hotline, maintained by an outside entity, so that your workforce members have complete reporting anonymity. Workforce members should receive annual training about CMS – OIG Compliance that highlights any changes in company policies.

What are Exclusion Checks and are they necessary for CMS – OIG Compliance?

The OIG has the authority to exclude individuals and entities from Federally funded health care programs for a variety of reasons, including a conviction for Medicare or Medicaid fraud.

A list of all excluded individuals and entities, called the List of Excluded Individuals/Entities (LEIE), is maintained by the OIG. Any Covered Entity or Business Associate that hires an individual or an entity on the LEIE could be subject to civil monetary penalties. To avoid penalties, your organization should periodically check the LEIE.

The OIG updates the LEIE on a monthly basis, so your organization should also review it on a monthly basis. This includes checks on both your contractors and your vendors.

Every state also has a database of Medicaid Excluded Individuals which participating providers are obligated to check on a monthly basis.

What is a Risk Mitigation Plan and how do I develop one?

Whenever any audit is completed, whether it is a comprehensive compliance audit, a coding audit, or a Security Risk Assessment, there will be issues that need to be remediated.

The Risk Mitigation Plan is the schedule that you will develop to remediate these open issues. Think of it as your corrective action plan. Performing an assessment or audit can uncover potential gaps or areas of risk. Even if you are not able to adequately address all of those issues, your organization must be taking reasonable measures to correct these gaps or risks.

An audit or assessment is just part of the compliance picture. Remediating open issues, training your workforce, maintaining open lines of communication, keeping up-to-date policies & procedures and taking corrective action for non-compliance all contribute to a strong culture of compliance.

Coding Compliance FAQs

What are the core elements of an effective coding compliance program?

The basic elements of coding compliance are auditing and education. A well-structured program includes a robust process of chart reviews that are followed by result-based education. This auditing process should be a continuous one, with emphasis on those providers demonstrating continued non-compliance and/or poor audit scores.

Education should also be delivered to new providers entering the group, as well as all staff who are involved in the claim submission process. It’s also important to provide annual updates to review coding changes, plus periodic updates to review any relevant legislative/policy changes which may impact the group.

What are the main triggers for a payer audit?

The main catalysts for an audit are aberrant billing patterns, as compared to providers of the same specialty in the same geographic area. These aberrations could include significant E/M coding level variances, overuse of modifiers, and “impossible days” (i.e. cumulative typical times associated with billed codes that exceed reasonable thresholds).

Does a complex patient encounter reduce or eliminate the need to meet other documentation requirements, such as review of systems, family history, or physical exams?

No. All documentation requirements associated with the billed code must be met. The only exception is when visits are predominantly focused on counseling. However, medical decision-making must still be inherent to the encounter.

Is it okay if we intentionally undercode?

The rules of coding state that the provider must code to the highest specificity and accuracy supported by documentation. In the event of a payer audit, the financial repercussions of undercoding errors do not rise to the same level as those of overcoding.

However, an inflated error rate can be used to perpetuate additional auditing and higher scrutiny. Prepayment audits (which occur when a payer requires your notes before paying the claim) are particularly impacted by error rates, as the provider must usually achieve and maintain an acceptable level of accuracy for a predetermined length of time.

How often does an audit reveal underbilling or uncaptured revenue?

Chart reviews, whether conducted internally, outsourced, or both, are a very effective way of identifying specific services and/or providers who may not be billing for work performed or who are undercoding office visits.

An ongoing process of auditing and monitoring typically reveals some degree of revenue opportunities, while at the same time identifying those providers in need of education or reinforcement of key concepts/guidelines associated with complete and accurate documentation to support billing.