Healthcare compliance management covers a broad range of topics including HIPAA, OSHA, enforcement of regulations related to fraud, waste and abuse and employment laws. It’s likely that you encounter at least some of these common areas of confusion if you are a healthcare executive. Please take a few minutes to test your knowledge with our pop quiz and provide your feedback and further questions. Our team looks forward to hearing from you!
Can physicians offer cash discounts?
Concierge practices that accept only cash and typically require a retainer may be exempt from limitations. However, offering discounts for cash payments may violate any contract between a payer and provider since it impacts the payer’s negotiated rates. Therefore, physicians should determine if there are any contractual limits to offering such discounts. State laws may also place restrictions on providing discounts. In any event, if a physician provides any type of discounts, they should have a written policy in place that is followed uniformly.
How should our organization handle an employee who refuses to sign a code of conduct or complete assigned compliance training?
Compliance should be a condition of employment. The organization’s Code of Conduct should require employees to complete compliance training. Employers may wish to enforce their training requirements through discipline and a progressive disciplinary policy is recommended. Discipline may include a verbal warning, written warning, suspension, up to and including termination. Of course, if your organization has a progressive discipline policy, it must be followed when disciplining employees. It is also important to be consistent in meting out discipline so as not to run afoul of discrimination laws.
How should our organization handle an error in spelling of a patient’s name on the medical record?
This common issue involves maintaining integrity of the medical record and patient safety. Ideally, your EHR will provide the ability to amend and track the correction of the individual's identity without losing other important notes. The date, time, reason for the change and the person making the change should be recorded/stamped within the record.
Is it okay to send X-rays to specialists when referring patients if our email is not encrypted?
Certainly, this increases the risk of breach and encryption is strongly recommended as the best practice. If the individual is requesting PHI in the form of X-rays be sent to the third party and the individual is notified prior to sending via unencrypted email and the individual agrees to sending via unencrypted email, this is permitted under HIPAA . HHS provides clear guidance on sending PHI in an e-mail . Please remember that state laws may apply as well.
Should our organization have an electronically accessible SDS for any item in the office that contains chemicals?
Safety Data Sheets (SDS) are required for any and every hazardous chemical in the office that is not a commercial household product. SDSs are obtained from the chemical manufacturer. It’s fine to have them in an electronic form, but you must still make them available to employees if your system goes offline. In the event of a power outage or system failure, the electronically accessible SDS will not serve its intended purpose.
Are new employees required by law to have their compliance training within 90 days of hire?
The OIG states “it is advisable that new employees be trained on the compliance program as soon as possible after their start date” and CMS requires general compliance training and fraud, waste and abuse training within 90 days of hire.
What is a hybrid entity?
A hybrid entity is an entity that has a mix of both healthcare and other business services. Examples of hybrid entities include: ● A large corporation that has a self-insured health plan for its employees. ● Grocery store that has a pharmacy. ● A correctional facility with a health care clinic that transmits one or more HIPAA‐covered transactions electronically. ● A data processing center that conducts health care clearinghouse activities as well as non‐health care data entry. ● A university, which has a medical center.
Should our organization have a Business Associate Agreement with all vendors?
The first step is to determine if any vendor is a business associate. A “Business Associate” (BA) is a person or entity (third party vendor), who is not an employee of the covered entity, who performs functions, activities, or services on behalf of the covered entity, and where the person or entity has access to protected health information (PHI). A “business associate” can also be a subcontractor of another business associate if that subcontractor creates, receives, maintains, or transmits protected health information on behalf of another business associate.
Should our organization hire a firm to perform our security risk analysis?
The Security Rule requires that a risk analysis is documented but does not require a specific format. The rule also states that the risk analysis should be ongoing. Please view the security risk assessment tool to determine the right approach for your organization.
Can our organization leave a voicemail for a patient to confirm an appointment?
The HIPAA Privacy rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.
Share your Results: