Friday, September 30, 2016

HHS Section 1557 Discrimination Clarification

HHS Nondiscrimination Provisions, Disability Provisions, and Language Provisions will have an effect on covered entities.

From the HHS website on Section 1557:

Section 1557 is the nondiscrimination provision of the Affordable Care Act (ACA). The law prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. Section 1557 builds on long-standing and familiar Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Section 1557 extends nondiscrimination protections to individuals participating in:
  • Any health program or activity any part of which received funding from HHS
  • Any health program or activity that HHS itself administers
  • Health Insurance Marketplaces and all plans offered by issuers that participate in those Marketplaces.
The Nondiscrimination in Health Programs and Activities final rule implements Section 1557 of the Affordable Care Act, which is the first federal civil rights law to broadly prohibit discrimination on the basis of sex in federally funded health programs. Previously, civil rights laws enforced by HHS’s Office for Civil Rights (OCR) broadly barred discrimination based only on race, color, national origin, disability, or age.
“A central goal of the Affordable Care Act is to help all Americans access quality, affordable health care.  Today’s announcement is a key step toward realizing equity within our health care system and reaffirms this Administration's commitment to giving every American access to the health care they deserve," said HHS Secretary Sylvia M. Burwell.
The final rule helps consumers who are seeking to understand their rights and clarifies the responsibilities of health care providers and insurers that receive federal funds. The final rule also addresses the responsibilities of issuers that offer plans in the Health Insurance Marketplaces. Among other things, the final rule prohibits marketing practices or benefit designs that discriminate on the basis of race, color, national origin, sex, age, or disability. The final rule also prohibits discriminatory practices by health care providers, such as hospitals that accept Medicare or doctors who participate in the Medicaid program. 
The final rule prohibits sex discrimination in health care including by:
  • Requiring that women must be treated equally with men in the health care they receive.  Other provisions of the ACA bar certain types of sex discrimination in insurance, for example by prohibiting women from being charged more than men for coverage.  Under Section 1557, women are protected from discrimination not only in the health coverage they obtain but in the health services they seek from providers.
  • Prohibiting denial of health care or health coverage based on an individual’s sex, including discrimination based on pregnancy, gender identity, and sex stereotyping. 
It also includes important protections for individuals with disabilities and enhances language assistance for people with limited English proficiency including by:
  • Requiring covered entities to make electronic information and newly constructed or altered facilities accessible to individuals with disabilities and to provide appropriate auxiliary aids and services for individuals with disabilities.
  • Requiring covered entities to take reasonable steps to provide meaningful access to individuals with limited English proficiency.  Covered entities are also encouraged to develop language access plans.
While the final rule does not resolve whether discrimination on the basis of an individual’s sexual orientation status alone is a form of sex discrimination under Section 1557, the rule makes clear that OCR will evaluate complaints that allege sex discrimination related to an individual’s sexual orientation to determine if they involve the sorts of stereotyping that can be addressed under 1557. HHS supports prohibiting sexual orientation discrimination as a matter of policy and will continue to monitor legal developments on this issue.
The final rule states that where application of any requirement of the rule would violate applicable Federal statutes protecting religious freedom and conscience, that application will not be required.
For more information about Section 1557, including factsheets on key provisions and frequently asked questions, visit http://www.hhs.gov/civil-rights/for-individuals/section-1557.
*All of the information above was provided and is authored by HHS:




To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Monday, September 26, 2016

CMS Issues New Emergency Preparedness Rule

 HCSI

September is National Preparedness Month and CMS is Getting Involved  By Establishing New Emergency Preparedness Requirements for Medicare and Medicaid Health Care Providers.

The Centers for Medicare & Medicaid Services (CMS) has issued a final rule to establish consistent emergency preparedness requirements for health care providers participating in Medicare and Medicaid, stating that the regulation will increase patients’ safety during emergencies and ensure more coordinated response to natural and manmade disasters.
Are You Ready
“Over the past several years, and most recently in Louisiana, a number of natural and manmade disasters have put the health and safety of Medicare and Medicaid beneficiaries – and the public at large – at risk. These new requirements will require certain participating providers and suppliers to plan for disasters and coordinate with federal, state tribal, regional, and local emergency preparedness systems to ensure that facilities are adequately prepared to meet the needs of their patients during disasters and emergency situations,” the agency’s Sept. 8 news release stated.
“Situations like the recent flooding in Baton Rouge, Louisiana, remind us that in the event of an emergency, the first priority of health care providers and suppliers is to protect the health and safety of their patients,” said CMS Deputy Administrator and Chief Medical Officer Dr. Patrick Conway, M.D., MSc. “Preparation, planning, and one comprehensive approach for emergency preparedness is key. One life lost is one too many.”

“As people with medical needs are cared for in increasingly diverse settings, disaster preparedness is not only a responsibility of hospitals, but of many other providers and suppliers of health care services. Whether it’s trauma care or long-term nursing care or a home health service, patients’ needs for health care don’t stop when disasters strike; in fact, their needs often increase in the immediate aftermath of a disaster,” added Dr. Nicole Lurie, HHS’ assistant secretary for preparedness and response. “All parts of the health care system must be able to keep providing care through a disaster, both to save lives and to ensure that people can continue to function in their usual setting. Disasters tend to stress the entire health care system, and that’s not good for anyone.”
CMS reports that it reviewed current Medicare emergency preparedness regulations for providers and suppliers and concluded the regulatory requirements were not comprehensive enough to address the complexities of emergency preparedness; they did not address the need for communication to coordinate with other systems of care within cities or states; contingency planning; or training of personnel. So the final rule requires Medicare and Medicaid participating providers and suppliers to meet these four industry best practices:
1.Emergency plan: Based on a risk assessment, develop an emergency plan using an all-hazards approach focusing on capacities and capabilities that are critical to preparedness for a full spectrum of emergencies or disasters specific to the location of a provider or supplier.
2.Policies and procedures: Develop and implement policies and procedures based on the plan and risk assessment.
3.Communication plan: Develop and maintain a communication plan that complies with both federal and state laws.
4.Training and testing program: Develop and maintain training and testing programs, including initial and annual training, and conduct drills and exercises or participate in an actual incident that tests the plan.
CMS said these standards are adjusted to reflect the characteristics of each type of provider and supplier. For example, outpatient providers and suppliers such as ambulatory surgical centers and end-stage renal disease facilities won’t be required to have policies and procedures for provision of subsistence needs; hospitals, critical access hospitals, and long-term care facilities will be required to install and maintain emergency and standby power systems based on their emergency plan.
In response to comments, CMS removed the requirement for additional hours of generator testing, added flexibility to choose the type of exercise a facility conducts for its second annual testing requirement, and decided to allow a separately certified facility within a health care system to take part in that system’s unified emergency preparedness program.
The regulations will take effect on November 15, 2016.  Healthcare providers and suppliers affected by the rule must comply and implement all regulations one year after the effective date. More specific information about the Emergency Preparedness Rule can be found here.
Providers/Suppliers Facilities Impacted by the Emergency Preparedness Rule:
1. Hospitals
2. Religious Nonmedical Health Care Institutions (RNHCIs)
3. Ambulatory Surgical Centers (ASCs)
4. Hospices
5. Psychiatric Residential Treatment Facilities (PRTFs)
6. All-Inclusive Care for the Elderly (PACE)
7. Transplant Centers
8. Long-Term Care (LTC) Facilities
9. Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF/IID)
10. Home Health Agencies (HHAs)
11. Comprehensive Outpatient Rehabilitation Facilities (CORFs)
12. Critical Access Hospitals (CAHs)
13. Clinics, Rehabilitation Agencies, and Public Health Agencies as Providers of Outpatient Physical Therapy and Speech-Language Pathology Services
14. Community Mental Health Centers (CMHCs)
15. Organ Procurement Organizations (OPOs)
16. Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs)

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Thursday, September 15, 2016

Preparing Your Practice For Emergencies and Disasters: The Risk Assesment

 HCSI
A crucial step in preparedness for your practice in the even of a emergency or disaster is a Risk Assessment. 
A risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs. A business impact analysis (BIA) is the process for determining the potential impacts resulting from the interruption of time sensitive or critical business processes.
As an employer, make sure your workplace has a building evacuation plan that is regularly practiced. The preparedness program is built on a foundation of management leadership, commitment and financial support. Without management commitment and financial support, it will be difficult to build the program, maintain resources and keep the program up-to-date.
Implementation
Write a preparedness plan addressing:
  • Resource management
  • Emergency response
  • Crisis communications
  • Business continuity
  • Information technology
  • Records Managment
  • Employee assistance
  • Incident management
  • Training
Find more information on Implementation here.
Testing And Exercises
  • Test and evaluate your plan
  • Define different types of exercises
  • Learn how to conduct exercises
  • Use exercise results to evaluate the effectiveness of the plan
Find more information on Testing and Exercises here.
Program Improvement
  • Identify when the preparedness program needs to be reviewed
  • Discover methods to evaluate the preparedness program
  • Utilize the review to make necessary changes and plan improvements
Find more information on Program Improvement here.
Visit the Deparment of Homeland Securities Business site for more information.
  • Take a critical look at your heating, ventilation and air conditioning system to determine if it is secure or if it could feasibly be upgraded to better filter potential contaminants, and be sure you know how to turn it off if you need to.
  • Think about what to do if your employees can't go home.
  • Make sure you have appropriate supplies on hand.
  • Read more at Build a Kit and Staying Put.
There are numerous hazards to consider. For each hazard there are many possible scenarios that could unfold depending on timing, magnitude and location of the hazard. Consider hurricanes for an example:
A Hurricane forecast to make landfall near your business could change direction and go out to sea. The storm could intensify into a major hurricane and make landfall.



There are many “assets” at risk from hazards. First and foremost, injuries to people should be the first consideration of the risk assessment. Hazard scenarios that could cause significant injuries should be highlighted to ensure that appropriate emergency plans are in place. Many other physical assets may be at risk. These include buildings, information technology, utility systems, machinery, raw materials and patient records. The potential for environmental impact should also be considered. Consider the impact an incident could have on your relationships with customers, the surrounding community and other stakeholders. Consider situations that would cause patients to lose confidence in your organization and its services or protection of vital records.
As you conduct the risk assessment, look for vulnerabilities—weaknesses—that would make an asset more susceptible to damage from a hazard. Vulnerabilities include deficiencies in building construction, process systems, security, protection systems and loss prevention programs. They contribute to the severity of damage when an incident occurs. For example, a building without a fire sprinkler system could burn to the ground while a building with a properly designed, installed and maintained fire sprinkler system would suffer limited fire damage.
The impacts from hazards can be reduced by investing in mitigation. If there is a potential for significant impacts, then creating a mitigation strategy should be a high priority.
Risk Assesment process diagram
Use the FEMA Risk Assessment Tool to complete your risk assessment. Instructions are provided on the form.
Please also request the supplementary and supportive HCSI HIPPA Security Risk Analysis health checkup checklist to coincide with your office risk assessment or by clicking here HCSI Support - Risk Anlysis or entering your email address in the top right side of the blog.

Source(s): http://www.hcsiinc.com, https://www.ready.gov/, http://www.fema.gov/

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Wednesday, September 7, 2016

Do You Know Who Your Employees Are?

 HCSI
This new monthly cyber awareness alert from the Department of Health and Human Services’ Office for Civil Rights (OCR) prods organizations to closely evaluate the risks their employees pose.


Insider threat is becoming one of the largest threats to organizations and some cyberattacks may be insider-driven. Although all insider threats are not malicious or intentional, the effect of these threats can be damaging to a Covered Entity and Business Associate and have a negative impact on the confidentiality, integrity, and availability of its ePHI. According to a survey recently conducted by Accenture and HfS Research, 69% of organization representatives surveyed had experienced an insider attempt or success at data theft or corruption. Further, it was reported by a Covered Entity that one of their employees had unauthorized access to 5,400 patient’s ePHI for almost 4 years.

US CERT defines a malicious insider threat as a current or former employee, contractor, or business partner who meets the following criteria:
  • has or had authorized access to an organization’s network, system, or data;
  • has intentionally exceeded or intentionally used that access in a manner that negatively, affected the confidentiality, integrity, or availability of the organization’s information; or information systems.

According to a survey conducted by U.S. Secret Service, CERT Insider Threat Center, CSO Magazine, and Deloitte, the most common e-crimes committed by insiders are:
  • unauthorized access to or use of organization information;
  • exposure of private or sensitive data;
  • installation of viruses, worms, or other malicious code;
  • theft of intellectual property.

Covered Entities and Business Associates should consider:
  • Developing policies and procedures to mitigate the possibility of theft of ePHI, sabotage of systems or devices containing ePHI, and fraud involving ePHI. These policies and procedures should enforce separation of duties and least privileges, while also applying rules that control and manage access, configuration changes, and authentication to information systems and applications that create, receive, maintain, or transmit ePHI.
  • Conducting screening processes on potential employees to determine if they are trustworthy and appropriate for the role for which they are being considered. Effective screening processes can be applied to allow for a range of implementations, from minimal to more stringent procedures based on the risk analysis performed by the entity and role of the potential employee. Examples of potential screening processes could include checks of the HHS OIG LEIE (List of Excluded Individuals and Entities) to check for health care fraud and related issues and criminal history checks to verify past criminal acts. When implementing a screening process, please be sure to review and comply with any applicable federal, state or local laws regarding the use of screening processes as part of the hiring process.
  • Following US CERT steps to protect ePHI from insider threats: 
1. Consider threats from insiders and business associates in enterprise-wide risk assessments.
2. Clearly document and consistently enforce policies and controls.
3. Incorporate insider threat awareness into periodic security training for all employees.
4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
5. Anticipate and manage negative issues in the work environment.
6. Know your assets.
7. Implement strict password and account management policies and practices.
8. Enforce separation of duties and least privilege.
9. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
10. Institute stringent access controls and monitoring policies on privileged users.
11. Institutionalize system change controls.
12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
13. Monitor and control remote access from all end points, including mobile devices.
14. Develop a comprehensive employee termination procedure.
15. Implement secure backup and recovery processes.
16. Develop a formalized insider threat program.
17. Establish a baseline of normal network device behavior.
18. Be especially vigilant regarding social media.
19. Close the doors to unauthorized data exfiltration.

Source(s): US-CERThttp://www.hhs.gov/ocr/, HCSI 


To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Wednesday, August 31, 2016

How a Search Committee Could Benefit Your Organization

Understanding when to use a search committee enables it to become a valuable part of your recruiting efforts.

Steve has been very busy in his efforts to hire somebody for a high profile position within his organization. After spending endless hours sifting through resumes, conducting initial phone interviews, doing on-site interviews, and making the final hiring decision, Steve has finally hired a qualified candidate named Jeff. There was no argument that Jeff was qualified for the position, but Steve was only one opinion and only one view point. Within a few weeks of hiring Jeff, it was apparent to everyone around that Steve had missed something. Although qualified, Jeff was not a cultural fit for the organization. In fact, Jeff was pushing all the wrong buttons and going in all the wrong directions. Jeff was not a fit for the organization and Steve had to let him go. It was now time for Steve to begin the time consuming and costly hiring process all over again.

Could the above situation have been avoided? Maybe not entirely, but the likelihood of it happening could have been greatly reduced if Steve had utilized a search committee in his recruiting efforts.

What is a search committee?
A search committee is a group of individuals gathered together for the purpose of assisting an administrator or hiring manager in recruiting and screening candidates for a vacant position.

Why would I use a search committee?
By forming a search committee, the hiring manager is able to harness the large amount of work that comes with reviewing resumes, conducting initial interviews, and doing on-site interviews. In addition, a search committee provides consistency in reviewing each candidate and the entire hiring process benefits from having multiple perspectives.

When should I use a search committee?
It is best to utilize a search committee when hiring for senior level administrative positions and positions that will have a high public relations impact on your organization.

Who should be a part of a search committee?
Search committee's should be formed with the idea of having a diversity of ideas, opinions, and perceptions. Members of a search committee should include:
  1. People who have valued knowledge about the vacant position
  2. People who are respected
  3. Representatives from areas that the new hire will impact
  4. Representative from both genders
  5. People of different races and cultural backgrounds
How many members should be on the search committee?
The size of the search committee should reflect the importance of the vacant position. With that being said, a search committee should not exceed 11 members nor have no fewer than three members. Keep in mind that the larger the search committee is, the more time it takes to complete the hiring process.

What are the duties of the search committee?
Search committee's should be active in:
  • Determining a timeline for the hiring process
  • Identifying where to advertise for the vacant position
  • Conduct initial interviews
  • Participate in on-site interviews
  • Help determine which candidates will advance to each stage of the hiring process
  • Help determine the final candidate selected to fill the vacant position
When utilizing a search committee to become part of the hiring process for a vacant position, you are opening a door to new ideas and perspectives. These different and sometimes new thoughts should be encouraged and discussed. It is the objective of the search committee to find and hire the candidate who no only can do the job, but would be the best fit for the organization and the culture within.



To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Wednesday, August 24, 2016

Discussion Point: Patients Making Recordings In Healthcare Settings

Policies Restricting Patient Recordings In Medical Settings

 HCSI

What are your opinions on a medical office or practice creating a policy to prevent/limit patients from making audio/video recordings in exam rooms or other common areas where HIPAA or patient privacy could be violated by improper use of these recordings?


Does the office or practice have free reign to create such a policy?  What if any limitations might apply?

What about the patient?  Do they have any "rights" providing them the freedom to be able to record a procedure or practitioner giving treatment instructions for example? 

What about recordings in a maternity ward/nursery or during child birth?  What about the potential for cell phones to disrupt sensitive medical equipment?  What about patient's using apps like Pokemon Go and inadvertently or covertly overhearing and recording sensitive patient information?
What HIPAA regulations or legal ramifications might be evoked by such a situation?  How does an office notify patients of and enforce such a policy?  Should the office require patients to sign an acknowledgement of said policy or is a posted sign or notice adequate?

I would love to hear all your thoughts on this topic and any addition related issues that might come up that I have not already listed in the situations above. 

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Friday, August 19, 2016

Compliance Essentials: Training

Training is one of the essential cornerstones of any effective compliance program.

Training is an investment for any organization. That investment pays great dividends in the form of liability protection when it comes to compliance. However, with that being said, some organizations are still hesitant to train their employees or outright refuse to make this very important investment.

When it comes to Federal and State compliance, the decision to train employees has been taken out of the hands of the organizations. For example, with HIPAA compliance, the Office for Civil Rights (OCR), states:


"§164.530(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity."

In the event of a HIPAA audit, the auditor will ask him or herself a discovery question:


"Does the covered entity train its work force and have a policies and procedures to ensure all members of the workforce receive necessary and appropriate training in a timely manner as provided for by the established performance criterion?"

In addition, the auditor will take the following action:

"Obtain and review such policies and procedures. Areas to review include training each new member of the workforce within a reasonable period of time and each member whose functions are affected by a material change in policies or procedures. From the population of new hires within the audit period, obtain and review a sample of documentation of necessary and appropriate training on the HIPAA Privacy Rule that has been provided and completed."

And finally, the auditor will:

"Obtain and review documentation that workforce members have been trained on material changes to policies and procedures required by the HITECH Act."

What is the above patter of the auditor?

  1. As a mater of policy, require that all employees are being fully trained
  2. Ensure that each organization has established policies and procedures
  3. Verify that training is being done by obtaining documentation on training and policies/procedures
This similar pattern is followed by other government organizations. Documented compliance training is required in the areas of OSHA, Medicare, and other various areas where compliance is required.

When organizations give their employees the resources and information they need to be compliant with these various regulations, they begin to establish a culture of compliance within the organization. 

Compliance training is not a request or addressable, it is REQUIRED!!!!!

Employee training is an investment worth making. However, compliance training is not just a good investment, it is liability protection that any organization cannot be without.



To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Friday, August 5, 2016

Compliance Essentials: Documentation

Documentation is one of the essential cornerstones of any effective compliance program.

Henry was understandably nervous on the day his office was being audited by the Office for Civil Rights (OCR). While still feeling some butterflies, he was confident that his compliance efforts will pass the HIPAA audit. Henry was then asked a series of questions:

Auditor - Does your office have establish policies and procedures?
Henry - Yes we do!
Auditor - Show them to me.
Henry - Here is a copy of our employee handbook.
Auditor - This does not contain the necessary written information.
Henry - I thought it was enough . . .

Auditor - Does your office train your employees continuously?
Henry - Yes we do!
Auditor - Show me the training documentation.
Henry - Our employees are trained on compliance every year at our annual "compliance and pizza" meeting.
Auditor - That is not what I asked for.
Henry - I thought it was enough . . .

Auditor - Show me your breach disclosure log.
Henry - Our breach disclosure log . . .
Auditor - Do you not have one?
Henry - I'm not even sure what that log is.

At this point in the audit, Henry's confidence has vanished and he is now thinking about the possibility of having to look for another job.

OCR has stated that it views compliance as an "ongoing journey". When you are on a journey, your attention is focused on what lies ahead. However, if you stop for a moment and look behind you, you will see past evidence of your journey in the form of footprints. If you turn around, you will be able to retrace your journey by following those footprints. If it was not for your footprints, you would not be able to retrace your journey back to where you started.

This same idea of retracing your footprints and being able to follow the history of your journey, applies to your "ongoing journey of compliance". However, rather then leaving footprints behind you, you leave a paper trail called, documentation. By keeping your documentation up-to-date, you have a history of your compliance activity and evidence of where you currently stand (policies and procedures).

There are numerous benefits to good documentation:
  1. Paper Trail - This will be useful in demonstrating your compliance activity for an audit or possible protection against liability.
  2. Compliance Story - It is not only about what you did and the final outcome, but rather what factors were a part of your decision making process and what lead you to make the final decision.
  3. Hand-Me-Down - When an office changes Administrators or Compliance Officers, the newly appointed employee will be able to review previous documentation and have a better understanding of the organizations compliance history.
  4. Employee "Misunderstandings" - Documentation of policies and procedures go a long way to eliminating the employee "misunderstandings" that tend to crop-up. If an employee says that they did not know the policy, you can refer to the written policy and their acknowledgement of it that they signed during their training.
During an audit by OCR, they are wanting to look at your "ongoing journey of compliance". If your documentation is done well and is up-to-date, then you won't have to shy away from their questions. Simply take their hand and guide them through the history of your "ongoing journey of compliance" by following your own footprints.



To subscribe to this blog, enter your email address:


Delivered by FeedBurner


Tuesday, August 2, 2016

OSHA's New Reporting Rule Impacts the Health Care Industry

New OSHA Injury Reporting Rules
 HCSI
The U.S. Occupational Safety and Health Administration (OSHA) recently issued a final rule that becomes effective January 1, 2017 requiring healthcare industry employers to electronically submit to OSHA injury and illness data from their OSHA logs. This information will then become publicly available on the OSHA website.

As a corollary, and “to ensure the completeness and accuracy of injury and illness data,” the final rule also:
  • Creates an explicit requirement that employees must be informed of their right to report work-related injuries and illnesses free from retaliation;
  • Specifically requires that an employer's procedure for reporting work-related injuries and illnesses must be reasonable and not deter or discourage employees from reporting; and
  • Explicitly prohibits retaliation against employees for reporting work-related injuries or illnesses.
The requirement to report data applies to: (1) work locations with 250 or more employees, and (2) work locations with 20 to 249 employees in specific “high-risk industries” identified in the rule. The rule includes several types of healthcare industries in its definition of high-risk industries. Specific healthcare industries that must comply with this rule if they have 20 or more employees at a particular work location are:
  • Ambulatory healthcare services;
  • General medical and surgical hospitals;
  • Psychiatric and substance abuse hospitals;
  • Specialty (except psychiatric and substance abuse) hospitals;
  • Nursing care facilities;
  • Residential mental retardation, mental health, and substance abuse facilities;
  • Community care facilities for the elderly; and
  • Other residential care facilities.
Businesses with 250 or more employees at a work location in industries covered by the new recordkeeping regulation must submit information from their 2016 Form 300A by July 1, 2017. These employers will also be required to submit information from all 2017 forms (300A, 300, and 301) by July 1, 2018. Starting in 2019, the information must be submitted by March 2 each year. Businesses with 20-249 employees in high-risk industries, including those healthcare industries mentioned above, must submit information from their 2016 Form 300A by July 1, 2017, and their 2017 Form 300A by July 1, 2018. Starting in 2019, the information must be submitted by March 2 each year.

OSHA will make the injury and illness data public. After removing any Personally Identifiable Information that could be used to identify individual employees, OSHA will post the data on its website, and anyone will be able to download it. Employers in the above-referenced high-risk industries (and those with 250 or more employees) should begin planning now to ensure compliance with the January 1, 2017 reporting deadlines.

The new rule also emphasizes that employees who report workplace related injuries and illnesses may not be discriminated against or retaliated against because they have reported such injuries or illnesses. It provides OSHA with the authority to cite an employer for retaliation even in the absence of any employee complaint. The commentary to the rule says:
  • Employers must have a reasonable procedure for employees to report work-related injuries and illnesses.
  • Employers’ reporting procedures cannot deter or discourage reasonable employees from accurately reporting a workplace injury or illness.
  • Blanket or automatic post-accident testing policies are prohibited and will be viewed as taking an adverse action against, retaliating against, or discouraging employees from reporting accidents.
  • Employers need not specifically suspect drug use before testing, but there should be a reasonable possibility that drug use by a reporting employee was a contributing factor to the reported injury or illness in order for an employer to require testing, and, even then, the testing should be limited to only the employee who caused the accident rather than everyone involved.
Although the new rule does not prohibit all post-accident/post-injury drug testing policies, OSHA’s position is that the circumstances of some accidents make it unlikely that drug use was a contributing factor, and therefore testing employees in these situations would be viewed as retaliation. OSHA provides these examples of circumstances where required drug testing would be suspect:
  • After an employee reports a bee sting;
  • When an employee has a repetitive strain injury;
  • After an injury caused by a lack of machine guarding; or
  • When a machine or tool malfunctions.
The rule acknowledges many employers implement post-accident/post-injury drug testing policies because they are located in states that offer workers’ compensation premium reductions for enacting Drug Free Workplace Policies. Compliance with these workers’ compensation programs or other state or federal laws or regulations requiring post-accident/post-injury or reasonable suspicion testing are still permitted.

Employers must also specifically inform employees: (i) they have the right to report work-related injuries and illnesses; and (ii) the employer is prohibited from retaliating against employees for reporting work-related injuries or illnesses. Employers also must establish a reporting procedure that does not deter or discourage an employee from reporting work-related injuries and illnesses. These posting and reporting requirements are effective as of November 1, 2016.

In light of OSHA’s new rule, employers in the health care industry should review drug testing policies as well as accident/injury reporting policies to ensure they do not violate OSHA's new rules.

Also See: Provisions call for employers to electronically submit injury and illness data that they already record.


To subscribe to this blog, enter your email address:


Delivered by FeedBurner