Friday, April 22, 2016

The $750,000 Business Associate Agreement Fine

On April 20th, the Office for Civil Rights (OCR) announced a $750,000 HIPAA Privacy Rule settlement with an orthopedic practice that failed to enter into a business associate agreement (BAA) with one of its business associates.
A breach report revealed that the orthopedic practice handed over x-ray films for more than 17,000 patients to a company that transfers x-ray images to electronic media and then harvests the silver from the films. The problem with this arrangement is that the electronic media company had access to the practice's protected health information (PHI), yet no business associate agreement was in place.
While we don't know how this particular problem happened, HIPAA violations of this type often occur when officers and managers act without talking to each other. For example, a new employee in the medical records department releases records without a proper authorization because it never occurred to them to ask the Privacy Officer what to do. Or IT and the Administrator decide to buy new computers without discussing encryption and other security measures with the Security Officer. Or a department head sends PHI out for storage or processing without asking the Privacy Officer for a BAA.

What You Can Do:
  • Remove Communication Barriers. Structure your contracting and purchasing process so that your Privacy and Security Officers have a seat at the table BEFORE decisions are made. Likewise, make sure that anyone changing technology or processes communicates those changes to your HIPAA and compliance officers, so that the risk can be assessed and a risk management plan put in place.
  • Use your compliance committee meetings wisely. Does your compliance committee meet quarterly and simply listen while the compliance officer reads through the agenda? If there is no discussion, you have a missed opportunity. Use these meetings to share information about emerging risks and upcoming contracts and deals. Once committee members are in the habit of including each other in big decisions, costly communication breakdowns become far less likely.
  • Implement a BAA management system. Are you confident that every business associate has an up-to-date BAA in place? Keep an inventory (a spreadsheet is enough) of every business associate, the date its BAA was executed, and the PHI it handles. Pair the inventory with a business associate due diligence process that monitors each associate's HIPAA practices, so you know your PHI is actually being protected, not just contractually covered.

For more information on how to improve compliance processes contact MedTrainer at support@medtrainer.com or call us at 888.337.0288

Friday, April 1, 2016

The OIG’s Guide to Creating a Compliance Program


The creation of compliance program guidance is a major initiative of the OIG in its effort to engage the private health care community in preventing the submission of erroneous claims and in combating fraudulent conduct. Over the past several years, the OIG has developed and issued compliance program guidance directed at a variety of segments of the health care industry. This guidance rests on the OIG's belief that a health care provider can use internal controls to monitor adherence to applicable statutes, regulations and program requirements more efficiently.
Copies of this compliance program guidance can be found on the OIG website at http://www.hhs.gov/oig.

Components of an Effective Compliance Program
The OIG's compliance program guidance identifies seven components that provide a solid basis upon which an organization can create a compliance program, and MedTrainer can help with each of them:
  1. Conducting internal monitoring and auditing.
MedTrainer assists you in tracking training, policies and procedures, and credentials for each employee, so that all of them stay up to date and in compliance with federal and state regulations.

  2. Implementing compliance and practice standards.
MedTrainer works with your administration to set up compliance standards for the organization by creating training bundles that can be specific to a department, position, or location.

  3. Designating a compliance officer or contact.
MedTrainer clients have access to a Compliance Specialist who will help make sure you have all the resources you need to stay compliant.

  4. Conducting appropriate training and education.
This is MedTrainer's core business. Our training and education is focused solely on the medical field and its compliance needs, and each course is designed to engage and educate the employee in compliance best practices.

  5. Responding appropriately to detected offenses and developing corrective action.
MedTrainer will assist you through audits by OSHA and other regulatory bodies. Reports can be furnished to inspectors instantly, making audits as painless as possible.

  6. Developing open lines of communication.
MedTrainer sends automatic notifications to ensure that training completion deadlines are met. Administrators can also communicate with departments, specific positions, or locations about compliance topics.

  7. Enforcing disciplinary standards through well-publicized guidelines.
All policies and procedures that staff have signed off on remain accessible on their student dashboard, so an employee who has a question about the guidelines or policies set by the administration can always look them up.


These seven components provide a solid basis upon which healthcare organizations can create a compliance program. The OIG acknowledges that full implementation of all components may not be feasible for every organization. As a first step, however, an organization may begin by adopting only those components which, based on its specific history with billing problems and other compliance issues, are most likely to provide an identifiable benefit. MedTrainer can help clients identify the issues that plague their office. From training to credential management, MedTrainer is here to assist you in going paperless.