Concierge practices that accept only cash and typically require a retainer may be exempt from limitations. However, offering discounts for cash payments may violate any contract between a payer and provider since it impacts the payer’s negotiated rates. Therefore, physicians should determine if there are any contractual limits to offering such discounts. State laws may also place restrictions on providing discounts. In any event, if a physician provides any type of discounts, they should have a written policy in place that is followed uniformly.

Compliance should be a condition of employment. The organization’s Code of Conduct should require employees to complete compliance training. Employers may wish to enforce their training requirements through discipline and a progressive disciplinary policy is recommended. Discipline may include a verbal warning, written warning, suspension, up to and including termination. Of course, if your organization has a progressive discipline policy, it must be followed when disciplining employees. It is also important to be consistent in meting out discipline so as not to run afoul of discrimination laws.

This common issue involves maintaining integrity of the medical record and patient safety. Ideally, your EHR will provide the ability to amend and track the correction of the individual's identity without losing other important notes. The date, time, reason for the change and the person making the change should be recorded/stamped within the record.

Certainly, this increases the risk of breach and encryption is strongly recommended as the best practice. If the individual is requesting PHI in the form of X-rays be sent to the third party and the individual is notified prior to sending via unencrypted email and the individual agrees to sending via unencrypted email, this is permitted under HIPAA . HHS provides clear guidance on sending PHI in an e-mail . Please remember that state laws may apply as well.

Safety Data Sheets (SDS) are required for any and every hazardous chemical in the office that is not a commercial household product. SDSs are obtained from the chemical manufacturer. It’s fine to have them in an electronic form, but you must still make them available to employees if your system goes offline. In the event of a power outage or system failure, the electronically accessible SDS will not serve its intended purpose.

The OIG states “it is advisable that new employees be trained on the compliance program as soon as possible after their start date” and CMS requires general compliance training and fraud, waste and abuse training within 90 days of hire.

A hybrid entity is an entity that has a mix of both healthcare and other business services. Examples of hybrid entities include: ● A large corporation that has a self-insured health plan for its employees. ● Grocery store that has a pharmacy. ● A correctional facility with a health care clinic that transmits one or more HIPAA‐covered transactions electronically. ● A data processing center that conducts health care clearinghouse activities as well as non‐health care data entry. ● A university, which has a medical center.

The first step is to determine if any vendor is a business associate. A “Business Associate” (BA) is a person or entity (third party vendor), who is not an employee of the covered entity, who performs functions, activities, or services on behalf of the covered entity, and where the person or entity has access to protected health information (PHI). A “business associate” can also be a subcontractor of another business associate if that subcontractor creates, receives, maintains, or transmits protected health information on behalf of another business associate.

The Security Rule requires that a risk analysis is documented but does not require a specific format. The rule also states that the risk analysis should be ongoing. Please view the security risk assessment tool to determine the right approach for your organization.

The HIPAA Privacy rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.