Friday, June 10, 2016

7 Common Questions Regarding OSHA and HIPAA Training Requirements

What are HIPAA and OSHA?

The Health Insurance Portability and Accountability Act (HIPAA) was established to set national standards to protect individual’s medical records and other personal health information. The Occupational Health and Safety Act (OSHA) was established to ensure safe and healthful working conditions by enforcing standards and by providing training, education, and assistance.
Both acts have mandatory training requirements that can often be a source of confusion for medical and dental practices. Are we required to train annually? Who does training apply too? How long should training be? What topics should be covered? If we do not hold training will we be subject to fines? 
The answers to many of these questions can be found at or, however, some of these questions are not as clearly defined and can rely heavily on the interpretation of the law.
1) Does OSHA/HIPAA training need to be conducted annually?  
Yes, annual OSHA training for all employees is mandatory, and training for new-hire employees must be completed within ten days of hire. 
HIPAA requires organizations to provide training for all employees, new workforce members, and periodic refresher training. The definition of “periodic” is not defined and can be left open to interpretation. However, most organizations train all employees on HIPAA annually. This is considered to be a best practice. Regulations are updated yearly, so it can be difficult for practices to stay current. Failure to comply can result in fines or other consequences.
2) Who does training apply too? Should the doctor or dentist also be trained?
OSHA training is mandatory for all employees, including the doctor, nurses, receptionists and part-time employees. 
HIPAA training is mandatory for anyone who comes into contact with protected health information (PHI). This includes doctors, dentists, nurses, receptionists and part-time employees/interns. 
Employees in certain positions such as HIM, information technology network administration, or regulatory compliance staff members, may need more specialized training. 
3) How long should training be? 
HIPAA doesn’t specify a particular length for training.  What matters most is the content of the training and that the information is taught effectively.
Proper training for OSHA and HIPAA cannot be conducted in just a few minutes. However, it does not require weeks of training either.
4) What topics should be covered? 
Employers should refer to OSHA's web site ( for specific training requirements of OSHA standards. Specific, HIPAA training requirements can be found at ( 
OSHA & HIPAA requirements as of 2013 include: 
  • Annual OSHA Employee Training
  • GHS: Global Harmonization System Proof of Training
  • HIPAA Omnibus Rule Employee Training & Implement Protocols
The following topics must be given to new employees, or if there is a change in the job procedures that introduces a new hazard:
  • General Office Safety – including injury and illness prevention program (IIPP), fire safety and emergency responses, eyewash stations, and washrooms.
  • Hazard Communication 
  • Ionizing Radiation 
  • Bloodborne Pathogens – including medical waste management information.
5) Are we required to keep proof of training? If so, what documentation is required?
Yes, it is very important that the training is documented. HIPAA requires that training is documented. Although it is not specific to how training must be documented.  
OSHA also requires training be documented. Records provide evidence of the employer`s compliance with OSHA standards. Training records should include:
  • Dates of the training 
  • Content of the training 
  • Names and qualifications of trainers
  • Names and job titles of attendees
Other requirements: 
  • Employee training records must be maintained for three years.
  • Employee training records must be available to employees.
  • If the practice is sold, employee records will be transferred to the new owner. If the practice is closed, employee records will be offered to the National Institute for Occupational Safety and Health (NIOSH).
6) Can we be fined if we don't conduct training, or fail to hold it annually?
Yes, OSHA failure to train citations can be issued if just one missed employee training. OSHA penalties can range from $0-$70,000, depending upon how serious the violation.
HIPAA issues penalties up to 1.5 million depending on the provision of HIPAA violated. Some HIPAA violations can lead to civil or criminal penalties for employees. If employees weren’t provided adequate training, it could cause a greater risk of litigation in the event of such termination.  Doctors and nurses can also be charged with ethical violations and might risk sanction or loss of license.
7) What are some example citations that can be given? 
Each year the Occupational Safety and Health Administration issues citations to employers in the healthcare industry. Below is a list of 10 frequent citations issued to physicians' offices and clinics in the last six months of 2011.
10 examples of OSHA citations for physicians' offices and clinics
  1. Failure to implement and maintain an exposure control plan 
  2. Failure to train 
  3. Failure to engineer out hazards/ensure hand washing 
  4. Poor housekeeping 
  5. Failure to implement and maintain a written hazard communication program
  6. Failure to make the Hepatitis B vaccination available under the BBP standard
  7. Failure to prepare exposure determinations 
  8. Failure to use personal protective equipment 
  9. Failure to provide post-exposure Hepatitis B vaccination under the BBP standard
  10. Failure to train employees under the hazard communication standard
10 examples of HIPAA violations
  1. Failure to promptly release information to patients.
  2. Improper disposal of patient records. Shredding is mandatory before disposing of patient’s record.
  3. Missing patient signature. HIPAA forms without the patient’s signature is invalid.
  4. Releasing wrong patient's information.
  5. Discussing information to friends or relatives about patients in the hospital.
  6. Discussing private health information in public areas.
  7. Discussing private health information over the phone in public areas.
  8. Not logging off a computer system that contains private health information.
  9. Including private health information in an email sent over the Internet.
  10. Releasing information about minors without the consent of a parent or guardian.
Medical and Dental practices that recognize and value the importance of training employees on HIPAA and OSHA laws and procedures are less likely to have any reported complaints, receive a citation, or fail an audit. Both HIPAA and OSHA training are crucial to ensuring safe and healthful working conditions for employees and patients and for protecting patient’s private health information.
If your facility is seeking training or has questions regarding healthcare compliance guidelines contact the experts at MedTrainer. MedTrainer is the leading one-stop resource in providing healthcare compliance programs in the United States. Our Compliance Consultants are safety professionals who specialize in healthcare safety and have the experience needed to teach your staff the essence of good safety practices. Whether you need periodic specialized assistance to augment your in-house capabilities or turnkey management programs, MedTrainer can help minimize your risk and time, while maximizing your peace of mind. We offer a wide variety of onsite and online training courses including:
  • Corporate Compliance
  • Hazardous Communication
  • Customer Service Skills
  • Ergonomics 
  • Unlawfal Harassment for Managers
  • Bloodborne Pathogens

Friday, April 22, 2016

The $750,000 Business Associate Agreement Fine

April 20th, the Office of Civil Rights (OCR) announced a$750,000 HIPAA Privacy Rule settlement with an orthopedic practice that failed to enter a business associate agreement (BAA) with a business associate.
A breach report revealed that the orthopedic practice gave x-ray information for more than 17,000 patients to a company that transfers x-ray images to electronic media, and then harvests the silver on the x-ray films. The problem with this arrangement is that the electronic media company had access to the practice’s PHI – and yet there was not a business associate agreement in place.
While we don’t know how this particular problem happened, often these types of HIPAA violations occur when officers and managers work without talking to each other. For example, a new employee in the medical records department releases records without a proper authorization, because they didn’t think to ask the Privacy Officer what to do. Or,
IT and the Administrator decide to buy new computers, without discussing encryption and other security measures with the Security Officer. Or, a department head sends PHI out for storage or processing without asking the Privacy Officer for a BAA.

What You Can Do:
  • Remove Communication Barriers. Structure your contracting and purchasing process so that your Privacy and Security Officers have a seat at the table BEFORE decisions are made. Likewise, recognize that individuals making changes to technology or processes need to communicate changes to your HIPAA and compliance officers, so risk can be assessed and management programs can be implemented.
  • Use your compliance committee meetings wisely. Does your compliance committee meet quarterly, and listen while the compliance officer reads the meeting agenda? If there’s no discussion, you have a missed opportunity. Use these meetings to share information about emerging risks and upcoming contracts and deals. By getting committee members in the habit of including each other in big decisions, you can avoid costly communication breakdowns.
  • Implement a BAA management system. Are you confident that all business associates have an up-to-date BAA in place? There should be a spreadsheet inventory of every business associate, and the date the BAA was in place. Also use a business associate due diligence process to monitor business associates’ HIPAA practices and ensure your PHI is safe.

For more information on how to improve compliance processes contact MedTrainer at or call us at 888.337.0288

Friday, April 1, 2016

The OIG’s Guide to Creating a Compliance Program

The creation of compliance program guidance is a major initiative of the OIG in its effort to engage the private health care community in preventing the submission of erroneous claims and in combating fraudulent conduct. In the past several years, the OIG has developed and issued compliance program guidance directed at a variety of segments in the health care industry. The development of these types of compliance program guidance is based on our belief that a health care provider can use internal controls to more efficiently monitor adherence to applicable statutes, regulations and program requirements.
Copies of this compliance program guidance can be found on the OIG website at

Components of an Effective Compliance Program
This compliance program guidance contains seven components that provide a solid basis upon which a organization can create a compliance program with the help of MedTrainer:
  1. Conducting internal monitoring and auditing.
MedTrainer assists you in tracking training, policies and procedures, as well as credentials for each employee to ensure that all are up to date and in compliance with federal and state regulations.

  1. Implementing compliance and practice standards.
MedTrainer works with the administration set up standards of compliance for the organization by creating training bundles that can be specific to department, position, or location.

  1. Designating a compliance officer or contact.
MedTrainer clients have access to a Compliance Specialist that will assist you in making sure that you have all the resources to ensure you are compliant.

  1. Conducting appropriate training and education.
This is MedTrainer’s core business practice, our training and education is solely focused on the medical field and their compliance needs. Each course is designed to engage and educate the employee in compliance best practices.

  1. Responding appropriately to detected offenses and developing corrective action.
MedTrainer will assist you through audits from OSHA and other regulatory bodies. You have reports to furnish to inspectors instantly to make audits as painless as possible.

  1. Developing open lines of communication.
MedTrainer sends automatic notifications to ensure that the completion date of the training is met. Administrators can also communicate to departments, specific positions, or locations about compliance topics.

  1. Enforcing disciplinary standards through well-publicized guidelines.
All policies and procedures that have been signed off by staff are always accessible on their student dashboard, just in case an employee has a question on guidelines or policies that have been set by their Administration.

These seven components provide a solid basis upon which healthcare organizations can create a compliance program. The OIG acknowledges that full implementation of all components may not be feasible for all organizations. However, as a first step, organizations begin by adopting only those components which, based on the organization’s specific history with billing problems and other compliance issues, are most likely to provide an identifiable benefit. MedTrainer can assist clients in identifying the issues that plague your office. From training to credential management, MedTrainer is here to assist you in going paperless.

Thursday, March 31, 2016

CMS sets a universal format for Physician Quality Measures

There is no doubt that physician quality measures are necessary to meet the growing need for data to support progress being made in patient outcomes and “quantified healthcare”. Physicians have been inundated with various types and formats of quality measurement metrics that are different for similar procedures and treatments.
This course is intended for use by individuals involved in the design and/or conducts human subject research and prepares investigators involved in the design and/or conduct of research involving human subjects to understand their obligations to protect the rights and welfare of subjects in research. The course material presents basic concepts, principles, and issues related to the protection of research participants. Private and public payers are using clinical data to determine contract and reimbursement rates. In fact, Medicare intends on using up to 90% of quality indicators as a basis for determining fee-for-service payment by the year 2018. This has created a serious need to come to a consensus on which quality indicators will be used to measure patient care.

The Centers for Medicare and Medicaid Services (CMS) and almost all major health insurance plans, in combination with various medical organizations, employer and consumer group
s have just announced the first set of “core measures” that will be used for value based payments.

Several health insurers including members of America's Health Insurance Plans (AHIP), as well as United Health Group and Aetna have just released a joint collaborative listing seven key core measure sets including metrics for the following specialties:

  • Accountable care organizations
  • Cardiology
  • Gastroenterology
  • HIV and hepatitis C
  • Medical oncology
  • Obstetrics and gynecology
  • Orthopedics
  • Patient-centered medical homes (PCMHs)
  • Primary care

With time, this collaborative will continue to add and update the measurement metrics over time. CMS has already stated that it has already started to use these measures from each of the core sets. After ensuring the appropriate rules, CMS will put into practice new core measures across applicable Medicare quality programs. It hopes to eliminate all unnecessary and outdated measures that are not part of the core sets.  In addition, CMS will also oversee the Office of Personnel Management, Department of Defense, and the Department of Veterans Affairs to ensure that their quality measures align with these core sets.

Commercial health plans will start to apply these measure sets when hospital or healthcare contracts come up for renewal. So far it is not known if all AHIP member plans will implement the new core measures. CMS Acting Administrator Andy Slavitt reminded everyone that "In the U.S. healthcare system, where we are moving to measure and pay for quality, patients and care providers deserve a uniform approach to measure quality. This agreement today will reduce unnecessary burden for physicians and accelerate the country's movement to better quality."

The news release stated that the collaborative work "is informing CMS's implementation of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA)."
MACRA will establish at a later date on how physicians will be paid by Medicare starting in 2019. Meanwhile, quality data presently being reported to the Physician Quality Reporting System is being used as the basis for CMS' value-based modifier, which will affect all physicians' Medicare income, starting 2017.

Physicians have long been concerned about the high degree of complexity and burden of reporting on quality measures. There have been numerous complaints in the past from healthcare providers that this endeavor has been taking time and resource away from direct patient care. Hopefully, this new agreement on a set of core measures for primary care and PCMH will be a big step forward in standardizing performance measures, while simultaneously contributing to improving the quality of care.

Thursday, March 10, 2016

Malignant Hyperthermia

      Malignant Hyperthermia (MH) or malignant hyperpyrexia is a rare life-threatening condition that is usually triggered by exposure to certain drugs used for general anesthesia — specifically the volatile anesthetic agents and succinylcholine a neuromuscular blocking agent.  Susceptible individuals can be induced by these drugs into a drastic and completely uncontrollable increase in oxidative metabolism within the skeletal muscle.  This means that there would be a sharp spike in cellular respiration in which cells convert biochemical energy from nutrients, into Adenosine Triphosphate (ATP).  If not immediately treated, MH can overwhelm the body's capacity to supply oxygen, remove carbon dioxide, and regulate body temperature.  This can ultimately result in respiratory collapse tragically leading to death.
ryanodine receptor 1
      Susceptibility to MH is an inherited disorder, more specifically an autosomal dominant disorder. MH susceptibility is phenotypically and genetically related to central core disease (CCD), an autosomal dominant disorder characterized both by MH signs and myopathy. MH is usually revealed upon or shortly after exposure to certain general anesthetic agents. There is no simple, straightforward test to diagnose the condition. Treatment with dantrolene and other drugs is usually initiated when MH is strongly suspected. Dantrolene and the avoidance of triggering agents in susceptible people have markedly reduced the mortality from this condition. 
       The key to reducing the MH mortality rate, is how to identify if the patient is showing symptoms.  The top symptoms consist all signs of a hypercatabolic state (abnormal increase in metabolic rate)  this includes extremely high fever, increased heart rate, rapid breathing, increased carbon dioxide production, increased oxygen consumption, a sharp increase in the acidity of the patient's blood, Rhabdomyolysis, and rigid muscles.  These signs can be developed at any point during the administration of anesthesia.  The rate at which the susceptible body reacts to MH is alarmingly fast, but just as fast as the situation can grow, it can end.  The average case of a reaction is over after 7 minutes of the discontinuation of the triggering agent, however a great deal off damage can be dealt to the body due to the immense reaction that occurs.

       In the medical field, the use of anesthesia is immensely common and integrated.  With Malignant Hyperthermia being a potential threat looming over any and all first time anesthesia patients, it is imperative that staff of a medical facility are trained and informed about the dangers of MH.  If the proper precautions and measures are not taken, then the life of the patient is potentially at risk.  Ensure the safety, security, and livelihood of your patients, as well as your medical facility, and enforce the training of all staff on the proper response to the occurrence of an MH reaction.  Allow MedTrainer to assist you in your efforts to keep the medical field safe, and schedule a demo today!

Tuesday, February 16, 2016

Zika Virus and Its impacts in Healthcare

              The Zika Virus is spread mostly by the bite of an infected Aedes species mosquito found mostly in tropical locations but has now been spread to the Aedes albopictus found in Mexico.  As of April 27, 2016, the CDC reports 426 travel-associated Zika Virus cases reported and 9 acquired cases in the US territories of Puerto Rico and the US Virgin Islands. There have not been any cases of infected mosquitoes in the US at this time. The first few cases of Zika virus were reported last year in Brazil and neighboring countries. Within a short time the virus is suspected to have infected millions of people in south and Central America; however, not all those who are infected become ill.  It is estimated that 80% of infections will not be diagnosed. 

The initial reports from Brazil revealed that Zika virus could cause birth defects when acquired by a pregnant female, but reports are inconclusive. The CDC reports that the Zika Virus although rare, can spread from a mother to her fetus during pregnancy and it may be linked to birth defects.  Other reports have indicated that the Zika virus could also cause a Guillain Barre like syndrome and partial paralysis. This has created a Level One Health Concern issued by the US Center for Disease Control (CDC) and the World Health Organization (WHO).  The CDC has not yet made a direct link between Guillain Barre and Zika. The CDC is working with Brazil to study the possibility of a link between Zika and GBS.

While it has always been believed that the Zika virus is transmitted by mosquitoes, the first case of Zika virus transmitted by sexual intercourse was recently reported.  The CDC recommends the use of condoms in areas of concerns and has issued travel advisories for pregnant women who are considering travel to areas that are affected in Mexico, Central and South America. Even though 3 people have been confirmed to have died in Chile due to a Zika virus, there is no report of prior medical conditions of these patients so the exact cause of death remains a mystery.  Additionally, there are no reports of infants getting Zika virus through breastfeeding.  Because of the benefits of breastfeeding, mothers are encouraged to breastfeed even in areas where Zika virus is found.

               The Zika virus is causing panic, so it is important to be clear about the facts.  The first thing to understand is that is not a contagious virus similar to the Ebola virus or the common cold.  The majority of people infected with Zika never develops symptoms. The Zika virus is not transmitted via aerosol droplets, so there is currently no need for personalized protection equipment or isolation rooms. The few patients who develop symptoms may present with fatigue, headache, joint pain, malaise and a cough. The only way to confirm the diagnosis in the US is for testing to be completed by the CDC through your healthcare provider.

               The media has caused such an uproar that healthcare professionals may believe that they need to started to investing in testing for the Zika virus and develop protocols on how to treat and manage infected patients.  We need to be prepared, but have to be careful not to overreact.  According to the CDC, “approximately 1 in 5 people infected with Zika virus become symptomatic. Characteristic clinical findings are acute onset of fever with maculopapular rash, arthralgia, or conjunctivitis. Other commonly reported symptoms include myalgia and headache. Clinical illness is usually mild with symptoms lasting for several days to a week. Severe disease requiring hospitalization is uncommon and case fatality is low”. 

There are no known cures or vaccines for Zika virus.  The CDC recommended treatment is getting plenty of rest, fluids, and use of analgesics and antipyretics. Because of similar geographic distribution and symptoms, patients with suspected Zika virus infections also should be evaluated and managed for possible dengue or chikungunya virus infection. Aspirin and other non-steroidal anti-inflammatory drugs (NSAIDs) should be avoided until dengue can be ruled out to reduce the risk of hemorrhage. People infected with Zika, chikungunya, or dengue virus should be protected from further mosquito exposure during the first few days of illness to prevent other mosquitoes from becoming infected and reduce the risk of local transmission. 

EPA approved mosquito repellent can be used to help prevent mosquito bites as well as keeping infants covered when outdoors.  Lastly, to prevent any type of mosquitoes from calling your space their home, make sure to remove standing water where mosquitoes like to breed, as well as making sure that screens are in good repair and doors are kept closed.

Monday, February 8, 2016

Medicare Fraud, Waste, and Abuse

      Every year, millions of dollars are improperly spent because of fraud waste, and abuse.  This can be halted and prevented if the process of detect, correct, and prevent, is followed.  This process is required by The Social Security Act, as well as CMS regulations.  It is stated that those whom of which supply medicare and medicaid services, are required to have an effective compliance program of which includes measures to prevent, detect, and correct Medicare non-compliance.  There must also be implemented measures to prevent, detect, and correct fraud, waste, and abuse.  These steps and measures must be provided via effective training for employees, managers, and directors, as well as their first tier, downstream, and related entities.  (42 C.F.R. 422.503 and 42 C.F.R  423.504)
      An effective compliance program can be implemented via in-class settings, online courses, and "one on one" training.  If created correctly, an effective program would consist of steps as to how to detect, correct, and prevent.  It must also contain the 7 core compliance program requirements.
      The first step in stopping fraud waste and abuse, is prevention.  Being the most crucial step in halting fraud, is to go to the most vulnerable portion of information and ensure it's safety.  The most common types of fraud an abuse in the medicaid program include medical identity and theft, unnecessary billing, upcoding, unbundling, and beneficiary fraud.
      Medical identity theft, being the most common, involves the misuse of a person’s medical identity to wrongfully obtain health care goods, services, or funds. More specifically, medical identity theft has been defined as “the appropriation or misuse of a patient’s or [provider’s] unique medical identifying information to obtain or bill public or private payers for fraudulent medical goods or services.” Unique medical identifying information for physicians includes the National Provider Identifier, Tax Identification Number, U.S. Drug Enforcement Administration number, and State medical license number. Physician medical identifiers are used for such things as identifying the physician of record on claims and for tracking purposes. Stolen physician identifiers may be used to fill fraudulent prescriptions, refer patients for unnecessary additional services or supplies, or bill for services that were never provided.
      An excellent example of Medical Identity was seen when the ringleader of a criminal group in the Bronx stole prescription pads from doctors and hospitals in the New York City area. Between 2009 and 2011 she used the pads to forge more than 250 prescriptions for painkillers. By using stolen Medicaid cards, she was able to bill the prescriptions to the Medicaid program for a total of more than $200,000. She received two consecutive 4 to 8 year sentences in prison.  Thus, one tip for prevention is that health care professionals should keep their prescription pads in a secure location.
      The second most abused form of fraud is the billing for products or services that are not covered or medically needed.  The Federal Medicaid statute authorizes payment for items and services that are included in each State’s approved plan.  The included items and services vary from State to State. Only those items and services included in the relevant State’s plan are authorized. Even if an item or service is authorized, it is still not covered under Medicaid unless it is also medically necessary.  This can be easily prevented by constant review and analysis of your Medicaid approved plan, this will stop you and your organization from purchase of non-covered goods and or services.  If excessive purchases are made using medicaid that are not covered by the approved plan, the purchasing party can receive an extreme amount of jail time, as well as fines.  This was exemplified when an ambulance service owner in Texas was sentenced to 15 years for billing Medicare and Medicaid for transporting patients by ambulance to dialysis appointments even though the medical condition of the patients did not qualify for that level of transportation.
      Although it may sound like a complex network of underlying danger, Medicare fraud, waste, and abuse can be easily avoided as well as prevented.  If the measures for safety are taken, then it may be brought to a complete and utter stop.  All of the information presented here can be found in a more in-depth toolkit presented by Centers for medicare and medicaid services otherwise known as CMS.  MedTrainer offers extensive and captivating courses on the precautionary steps to take as to how to stop Medicare, Fraud, Waste, and Abuse.  Join us today in creating a more beneficial and productive medical field, free of theft and fraud.  Visit to learn more, as well as schedule your free demo.