Compliance in healthcare is made up of complex laws and regulations, and that complexity often leads to confusion. It’s not surprising that a few common myths exist. If you’re responsible for compliance and would like to separate fact from fiction, keep reading.


Myth #1:  We’re a small organization and there’s no way we can be expected to do all of this.  

Unfortunately, organizations of all sizes are held accountable when it comes to compliance regulations. Federal fraud, waste and abuse, HIPAA and OSHA apply equally. Enforcement occurs regardless of size.

Federal fraud and abuse is an increasingly important issue for all providers. Using predictive analytics, Medicare is able to take a proactive approach to enforcement.

If your organization accepts Medicare or Medicaid, you should have a robust compliance plan in place.  In fact, employees should receive training within the first 90 days of hire and again annually to meet CMS recommendations.  An effective compliance program with training, documented audits, and corrective action may be your best line of defense in any situation that requires proof that an error is unintentional. Take a look at recent enforcement actions on the OIG site.

Several recent examples of HIPAA enforcement include small practices.  Regardless of the type or size of your organization, you should consider taking important steps to prevent HIPAA violations.

OSHA’s mission includes protecting the safety of America’s workers, and that includes employees in medical and dental offices. Therefore, the same standards apply whether there are 2 or 200 employees.



Myth #2:  Our Electronic Health Records (EHR) takes care of it.

While some EHRs provide great functionality, there isn’t one system that serves as a substitute compliance officer or covers all of the areas of risk.

Providers should be wary of relying too heavily on the EHR for compliance purposes. Documentation created through the EHR should be carefully considered. Cloning, cutting and pasting, and templates are reasons for caution. EHR-generated notes may become too lengthy and fail to contain the pertinent information relative to the date of service.

As previously covered in this BC Advantage magazine article, certain risks occur due to inadvertent errors associated with EHR.


Myth #3:  The policies and procedures drafted by our attorney are all we need.

In the past, many organizations maintained a binder of policies that became outdated before training or implementation could occur. Compliance is now part of day-to-day operations and woven into the culture of any organization striving to follow best practices.

Counsel serves an extremely important role for any healthcare entity.  However, drafting policies and procedures is no substitute for ongoing implementation of an effective compliance program.   Policies and procedures require staff training with regular updates to serve their intended purpose.  

In the PreCheck blog regarding organizational compliance, Senior Director of Regulatory Compliance, Sheba Vine asks some crucial questions. “Is the compliance program tailored to the provider’s business risks, size and operation? Is proper remedial action taken when noncompliance is detected?” If your program simply consists of a written policy that is neither communicated nor enforced, you’re at risk for sanctions, she says.  


Myth #4:  We enter into a Business Associate Agreement with everyone, so we’re covered.

Business Associate Agreements are an important part of managing relationships with business associates.  Dr. Jill Brooks, Senior Director of Education, emphasizes that “covered entities should be very concerned about the possibility of a major breach originating from a business associate.”

However, certain steps may be just as important and more appropriate with vendors that don’t fit the definition of a business associate.  For example, a cleaning service has access to PHI but is only contracted with the healthcare organization to clean.  This doesn’t qualify as a business associate relationship, but calls for reasonable safeguards instead, to satisfy HIPAA.