Friday, July 31, 2015

Are Your Disinfecting & Sterilizing Procedures OSHA Compliant?

OSHA Standard Disinfection and Sterilization
According to OSHA standards, disinfection and sterilization procedures should be used for all reusable instruments, devices and other items that are contaminated with blood and/or other potentially infectious materials (OPIM).
Your practice should use the following definitions as guidelines for appropriate sterilization and/or disinfection procedures:
Disinfection levels and sterilization
High level disinfection:
Must be used on all semi-critical care items that could be damaged by heat sterilization. Use a product labeled “disinfectant/sterilant” and leave the items immersed for the shorter time recommended by the manufacturer. (The longer time is used for “cold sterilization”.)
Intermediate level disinfection:
Must not be used on semi-critical care items. Use it for disinfection of non-critical care items that are contaminated with blood or OPIM. A bleach solution (1 part bleach to 10 parts water) is strong enough but must be mixed fresh daily. Wipe the item to be cleaned with the bleach solution (or a commercial disinfectant) and allow it to air dry.
Low level disinfection:
Not necessary for non-critical care items that have not been contaminated with blood or OPIM. Proper cleaning is usually sufficient. To use a low-level disinfection, wipe or spray an EPA registered disinfectant on the surfaces of the cleaned items and let them air dry.
Sterilization:
Destroys all microorganisms (including viruses) and their spores. Sterilization can be accomplished by the use of steam (steam autoclave), dry heat, chemicals under pressure (chemical autoclave) or an EPA registered product that is labeled “disinfectant/sterilant” (sometimes referred to as “cold sterilization”).
Critical Care Items
Critical care items:
All instruments and/or devices that are introduced directly into the bloodstream. They touch bone or penetrate tissue. All of these items must be sterilized.
Semi-critical care items:
Instruments that touch mucous membranes but do not touch bone or penetrate tissue. Sterilize them or, if the items are damaged by heat, use a high-level disinfection process following the manufacturer’s guidelines.
Non-critical care items:
Equipment and environmental surfaces that will come into contact with intact skin only. Floors, exam tables, crutches, and countertops are examples of non-critical care items. Use intermediate-level disinfection for non-critical care items. (Cleaning alone is sufficient unless the items are visibly contaminated with blood.)
Biological monitoring is a “spore test” and is the only way to ensure that heat sterilization is effectively killing all types of microorganisms. Check with the manufacturer of the sterilizer for the proper spore test. Mail the exposed test spores to an appropriate microbiology lab for testing or check them in a special incubator designed for that purpose.

Tuesday, July 28, 2015

Oral Communication Privacy Reminder

A HIPAA Reminder – Privacy and Oral Communications

Oral communications at your practice are extremely important but are often overlooked and forgotten.  They can be a confusing issue but need serious attention.

The Privacy Rule applies to individually identifiable health information in all forms. Coverage of oral or spoken information ensures that information retains protections when discussed. If oral communications were not covered, any health information could be disclosed to any person, so long as the disclosure was spoken.

Providers and health plans understand the sensitivity of oral information. For example, many hospitals already have confidentiality policies and concrete procedures for addressing privacy, such as posting signs in elevators that remind employees to protect patient confidentiality.

Reasonable safeguards for orally exchanging PHI include:
  • Keeping a distance between the public and the people you’re speaking to
  • Stepping into a room with a door
  • Lowering your voice
  • Using the handset instead of the speakerphone

The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. It is understood that overheard communications are unavoidable. These are considered to be incidental disclosures.

For example, in a busy emergency room, it might be necessary for providers to speak loudly in order to ensure appropriate treatment. The Privacy Rule is not intended to prevent this appropriate behavior. The following practices are permissible if reasonable precautions, such as using lowered voices, are taken to minimize the chance of inadvertent disclosures to others who might be nearby:
  • Healthcare staff may orally coordinate services at hospital nursing stations
  • Nurses and other healthcare professionals may discuss a patient’s condition over the phone with the patient or a provider
  • Staff may call out patient names in waiting areas
  • Healthcare professionals may discuss a patient’s condition during training rounds in an academic or training institution

Thursday, July 23, 2015

Would Your Office Pass the Top 10 OSHA Citations?

Top 10 OSHA Citations in Medical Offices

OSHA recently fined a New York medical practice almost $45,000 for inadequate worker safeguards against blood-borne pathogen hazards. The citations included the lack of a written exposure control program outlining the protective measures used to eliminate or minimize workers’ exposure to blood and other potentially infectious materials, failing to provide employees properly fitted protective wear and training in its use, failing to offer the Hepatitis B vaccine to at-risk employees, allowing sharps containers to overfill and allowing employees to recap non-engineered contaminated needles.

Listed below are the most common violations for medical practices, many of which the New York practice was cited for, as indicated by asterisks.

1. Failure to implement and maintain an exposure control under the Blood-borne Pathogen Standard (BBP);**
2. Failure to train under the BBP Standard;**
3. Failure to engineer out hazards/ensure hand washing under the BBP Standard;**
4. Poor housekeeping under the BBP Standard;**
5. Failure to implement and maintain a written Hazard Communication Program;
6. Failure to make the Hepatitis B vaccination available under the BBP Standard;**
7. Failure to prepare exposure determinations under the BBP Standard;
8. Failure to use personal protective equipment under the BBP Standard;**
9. Failure to provide post exposure Hepatitis B vaccinations under the BBP Standard; and
10. Failure to train employees under the Hazard Communications Standard.**

To avoid potential areas of non-compliance, you should regularly audit your practice for safety and health hazards. Employee training and periodic refresher training are also essential, especially regarding the Blood-borne Pathogen and Hazard Communication Standards.

(FHC website)

Tuesday, July 21, 2015

Accessing PHI in an Emergency

Emergency Access Procedures

Your practice must establish procedures so your employees know how to obtain electronic protected health information (ePHI) during an emergency.

Access controls will still be necessary under emergency conditions, although they may be very different from those used in normal operational circumstances. For example, in a situation when normal environmental systems, including electrical power, have been severely damaged or rendered inoperative due to a natural or manmade disaster, procedures should be established beforehand to provide guidance on possible ways to gain access to needed electronic protected health information. 

Follow these tips on how your practice can meet emergency access requirements:
  • Review your contingency plan to determine what processes you have in place to provide rapid access to ePHI in an emergency or disaster
  • Have backup copies of any ePHI that you deem critical
  • Have plans to restore the system and data inside your facility and at an alternative site
  • Document the names and roles of individuals with administrative privileges who can grant access in a crisis

Monday, July 20, 2015

Background Check Best Practices

Best Practices for Background Checks

When you are hiring employees, background checks can help make sure you have the right people, and having the right people can impact your organization’s success and the safety of your communities. Ultimately, background checks help you screen out dangerous individuals, and assist you in retaining the best possible candidates.
Conducting background checks for employment purposes is an extremely important tool for many employers. The following are some best practices:
        Review Job Descriptions
Employers should review the requirements of each position and determine whether a background check is necessary for that position. Employers should also review and consider narrowing the positions for which they are running credit reports and make sure that the information requested from each candidate is relevant to the specific position for which the candidate applies.
        Review Policies And Procedures
Employers should review their background screening policies and procedures and develop processes to ensure that all the necessary notice and disclosures are being provided to candidates in compliance with Title VII and the Fair Credit Reporting Act (FCRA).
        Comply With The EEOC Guidance
Employers should also remember the EEOC guidance and, when reviewing a candidate’s criminal history information, consider:
  • The nature and gravity of the offense;
  • The time that has passed since the conviction and/or completion of the sentence;
  • The nature of the job held or sought; and
  • The EEOC’s individualized assessment factors.
        Consider The Timing of Background Checks
Employers should determine when to inquire about an individual’s criminal history and when to conduct a background check (i.e., after making conditional offers of employment, or after an interview).
Even then, employers should not automatically rescind an offer if they find something concerning in the background check, but should consider asking that person about the negative information. There may be a legitimate explanation, such as identity theft, for the negative information. There could also be an error on the report.
        Disclosure Statements And Authorizations
Employers should also carefully review their disclosure and authorization forms for compliance on a regular basis. They should consider eliminating any extraneous information from the disclosure form, including a release of liability from the candidate, and consider separating the disclosure form from the authorization form.
        Comply With Pre-Adverse And Adverse Action Notice Requirements
Employers must also review their procedures for ensuring that pre-adverse action and post-adverse action notices are provided in accordance with the FCRA. The key is that employers must also make sure that they always provide candidates with a copy of their consumer report and give them a reasonable opportunity to dispute the accuracy of the report, before the adverse action is taken.
        Comply With State Requirements
Employers should be aware of the laws in the states in which they operate. This includes state laws requiring “job relatedness” for criminal and credit background checks, ban-the-box laws, laws concerning the timing of background checks, and laws concerning state and local-specific notices/disclosures to be provided to candidates.

(HireRight website)

Thursday, July 16, 2015

Create a Culture of Safety and Avoid OSHA Fines

Boosting Employee Safety and Avoiding OSHA Citations

Although it’s impossible for employers to mitigate every conceivable hazard in the workplace, there are five critical steps that every employer should take to improve safety in the workplace and avoid costly OSHA citations.

        Conduct an Internal Safety and Health Audit
One of the most effective ways for an employer to identify and eliminate safety hazards in the workplace is to conduct a safety and health audit. Employers should closely examine every aspect of their workplace to ensure they’re in full compliance with OSHA standards and best practices.
Employers must take care, though, in the way they conduct and document such audits.
In an inspection, OSHA may demand to see audit reports and use them to identify potential hazards in the workplace, essentially using the employer’s proactive audit against it and issuing citations based on hazards identified but not yet remedied.
Employers can protect their internal audit reports from disclosure to OSHA by working with counsel in conducting their audits. The audit report is then protected from disclosure to OSHA by the attorney-client communication privilege.
        Create a Strong Safety Culture
A robust and authentic safety culture is critical for ensuring employee health and safety. Management at all levels should be involved in creating this culture, actively communicating with employees and being physically present where employees do their jobs. Such actions demonstrate to employees that employers are serious about safety, increasing employees’ commitment to safety and their overall job satisfaction. By doing this, employers have the opportunity to observe potential hazards with their own eyes and discover other potential hazards through conversations with employees.
Employers should assure employees that safety is a priority and that suggestions for improving safety in the workplace are not only welcome, but encouraged. By providing open lines of communication with employees, employers again encourage a commitment to safety at all levels of the organization and significantly improve the odds they will learn of a potential problem.
Employees are often the first to identify a potential hazard, and having regularly worked in a particular area, they have insightful suggestions about how problems can best be resolved. When an employee identifies a potential hazard, the employer should assess the situation promptly and respond to the issue in a timely manner.
        Ensure That Safety and Health Documentation Is Current and Well Communicated
All employers must provide to their employees essential safety information, such as how to evacuate in an emergency. OSHA also requires employers to provide a range of written guidance to employees regarding the essentials of safely performing their work.
Every employer should regularly review its OSHA documentation requirements, which may change from time to time. Recently, for example, OSHA updated the Hazard Communication Standard to align with the GHS. Having determined the extent of their documentation requirements, employers should review their documents and ensure that they are thorough and up to date. Finally, employers should make sure that employees fully comprehend the documentation, know how and when to use it, and understand the reason for maintaining it. This helps to ensure employee safety and gives employees another opportunity to provide suggestions and point out information that’s missing from the documents.
        Train Employees in Safety and Health, Regularly and Comprehensively
OSHA standards include a number of training requirements. OSHA often cites employers for failure to train employees on relevant safety and health information and failure to ensure that employees understand the training. This is avoidable.
Employers must provide comprehensive training to employees in a way that employees can fully comprehend. A simple way to ensure compliance with this requirement is to administer a quiz at the conclusion of the training, requiring employees to demonstrate their comprehension of the information that was relayed to them. Many employers require employees to achieve a high score on such quizzes (e.g., 90 to 100 percent). If employees are unable to reach the required score on the first try, they should be given the opportunity to be retrained and take the quiz again. Employers should keep records of all safety and health training provided to employees and should keep quizzes and other related materials on file. Simply being able to provide these documents to OSHA in the event of an inspection will go a long way toward proving that the employer has complied with OSHA’s training requirements.
        Protect Contractors and Temporary Workers, Too
Employers should make every effort to ensure that all employees working in their facilities are safe – contractors and temporary workers included. Many tragic incidents can be avoided by ensuring that everyone is on the same page when it comes to safety. Although this task may sound daunting, it is another essential element of creating a truly safe working environment.
OSHA has instructed its compliance officers to expand the scope of inspections to include temporary workers who may have been exposed to a hazard identified by OSHA. This instruction led to a 322 percent increase in inspections involving temporary employees in 2014. In only 15 percent of those inspections, citations were issued to the temporary agencies—but countless citations were issued to host employers, often for failing to train temporary workers properly or to provide them with the safety gear provided to permanent employees, leaving temporary workers at an increased risk of harm.

(EBGL website)

Tuesday, July 14, 2015

Protective Services Investigating Patient Records

Access to Patient Records for Investigation

Q: When is Adult Protective Services (APS) entitled to copies of a patient’s medical record without a signed authorization?

An adult patient was transferred from a hospital to our skilled nursing facility for long-term care. Prior to transfer, the hospital social worker called APS with a concern that family members were neglecting the patient and using the patient’s money for their own benefit. APS then came to our facility asking to review the patient’s medical record.

A: APS and Child Protective Services have authority under state law to obtain the information they need to investigate cases under their jurisdiction.

Because APS has an open investigation in this case, the caseworker has legal authority to review the patient’s medical record or obtain copies without authorization from the patient or the patient’s legal representative.

Monday, July 13, 2015

Top Hazards in OSHA Healthcare Inspections

OSHA Announces Key Hazards for Healthcare Inspections

Targeting some of the most common causes of workplace injury and illness in the healthcare industry, OSHA announced it is expanding its use of enforcement resources in hospitals and nursing homes to focus on: musculoskeletal disorders related to patient or resident handling; blood-borne pathogens; workplace violence; tuberculosis; and slips, trips and falls.
U.S. hospitals recorded nearly 58,000 work-related injuries and illnesses in 2013, amounting to 6.4 work-related injuries and illnesses for every 100 full-time employees: almost twice as high as the overall rate for private industry.
“Workers who take care of us when we are sick or hurt should not be at such high risk for injuries — that simply is not right. Workers in hospitals, nursing homes and long-term care facilities have work injury and illness rates that are among the highest in the country, and virtually all of these injuries and illnesses are preventable,” said Dr. David Michaels, assistant secretary of labor for occupational safety and health. “OSHA has provided employers with education, training and resource materials, and it’s time for hospitals and the healthcare industry to make the changes necessary to protect their workers.”
OSHA has advised its staff through a memorandum that all inspections of hospitals and nursing home facilities, including those prompted by complaints, referrals or severe injury reports, should include the review of potential hazards involving musculoskeletal disorders related to patient handling; blood-borne pathogens; workplace violence; tuberculosis; and slips, trips and falls.
“The most recent statistics tell us that almost half of all reported injuries in the healthcare industry were attributed to overexertion and related tasks. Nurses and nursing assistants each accounted for a substantial share of this total,” added Dr. Michaels. “There are feasible solutions for preventing these hazards and now is the time for employers to implement them.”

(DOL website)

Friday, July 10, 2015

New OT Regulations Proposed by The Department of Labor

DOL Proposes New Overtime Regulations
The Department of Labor (DOL) announced June 30, 2015, a highly anticipated proposed rule under the Fair Labor Standards Act (FLSA) that would extend overtime protections to nearly 5 million white-collar workers.
Workers who earn as much as $970 a week—$50,440 a year—would have to be paid overtime even if they’re classified as a manager or professional, according to the announcement.
Under current regulations, the salary threshold remains at $23,660 ($455 per week), which is below the poverty threshold for a family of four, and only 8 percent of full-time salaried workers fall below it, according to a fact sheet issued by the Obama administration.
Here are some highlights from the DOL’s proposed changes:
        Significant Impact.
Employees and employers across every industry and sector will be impacted. Most employers covered by the FLSA will need to analyze employee classifications and make other changes, by a likely 2016 effective date that will be established in the final rule. According to DOL, 11 million employees will be impacted.

        Salary Level Will Increase.
To be exempt currently, workers must make more than $455/week ($23,660 annually). The proposed rule sets the standard salary level at the 40th percentile of weekly earnings for full-time salaried workers, which for 2013 was $921 per week, or $47,892 annually. If the 40th percentile approach is adopted, the 2016 level is projected to be $970 a week, or $50,440 annually. This will impact all sectors, but it may disproportionately affect the non-profit and service sector industries as well as certain geographic areas of the country.

        Changes to Highly Compensated Employees (HCEs).
The department is proposing to set the HCE annual compensation level equal to the 90th percentile of earnings for full-time salaried workers ($122,148 annually), or based on changes in inflation. Currently, in order to fall under this exemption an employee must earn at least $100,000.

        For the First Time, DOL Proposes to Automatically Raise the Salary Level.
The Department is proposing to automatically update the salary level (including for highly compensated employees) on an annual basis, either based on percentiles of earnings for full-time salaried workers or based on changes in inflation.

        Feedback Sought on Duties Test and Nondiscretionary Bonuses.
While no changes have been proposed yet, the regulation acknowledges challenges associated with the duties test and seeks additional examples regarding specific occupations. Similarly, the department wants to hear from employers about the possibility of including nondiscretionary bonuses to satisfy a portion of the standard salary requirement.

The Notice of Proposed Rulemaking (NPRM) was published on July 6, 2015 in the Federal Register.  Interested parties are invited to submit written comments on the proposed rule at on or before September 4, 2015. The DOL will review all comments, then draft a final rule and submit it for interagency review.  This process can take nine to twelve months.  Additional information concerning this NPRM can be found on the DOL website.

(DOL website, SHRM website)

Wednesday, July 8, 2015

10 Business Associate Agreement Requirements

10 HIPAA Requirements for Business Associate Agreements

HIPAA requires that covered entities (CEs) enter into contracts with their business associates (BAs) to ensure that BAs will appropriately safeguard protected health information (PHI).  The business associate contract also serves to clarify and limit the permissible uses and disclosures of PHI based on the relationship between the parties and the services being performed.

The Department of Health and Human Services (HHS) Office for Civil Rights in 2013 issued extensive guidance on handling BA agreements under the HIPAA privacy and security rules. This guidance has been condensed down to the following 10 requirements. Some requirements are commonly included in a business associate agreement, but others may not be.

1. Determine when and how the business associate is allowed to use or disclose PHI.
2. Require that the BA will not use or disclose PHI other than what has been permitted by the contract or required by law.
3. Establish what safeguards will be put in place to prevent unauthorized PHI disclosure. This includes implementing HIPAA requirements surrounding electronic PHI.
4. Require the BA to report to the CE any use or disclosure of PHI not covered by the contract, including incidents or breaches of unsecured PHI.
5. Ensure the BA will disclose PHI as specified in the contract to satisfy a CE’s obligation with respect to individuals’ requests for copies of their PHI. PHI should be available for amendments as well.
6. To the extent the BA is to carry out a CE’s obligation under HIPAA, require that the BA comply with the requirement relevant to the obligation.
7. Ensure internal practices, books and records relating to the use and disclosure of PHI by the BA will be made available to HHS to determine the CE’s HIPAA compliance.
8. Require that the BA return or destroy all PHI received from, or created or received by the BA on the CE’s behalf, upon termination of the contract.
9. Require that BAs enter into agreements with their subcontractors that may have access to PHI.
10. Allow the CE to terminate the contract if the BA violates a material term of the contract.

Other helpful tips include:

  • Keep all agreements in a centralized location that can be accessed anytime;
  • Know when agreements expire;
  • Continually monitor BA compliance by issuing assessments; and
  • Include BAs in your risk analyses.

(SourceMedia website)

Monday, July 6, 2015

Online Complaint Forms for OSHA Whistle-blowers

OSHA Whistle-blowers Can File Complaints Online

Whistle-blowers covered by one of 22 statutes administered by the U.S. Department of Labor's Occupational Safety and Health Administration are able to file complaints online. The online form provides workers who have been retaliated against an additional way to reach out for OSHA assistance online.

"The ability of workers to speak out and exercise their rights without fear of retaliation provides the backbone for some of American workers' most essential protections," said Assistant Secretary of Labor for Occupational Safety and Health Dr. David Michaels. "Whistle-blower laws protect not only workers, but also the public at large and now workers will have an additional avenue available to file a complaint with OSHA."

Workers can make complaints to OSHA by filing a written complaint or by calling the agency's 1-800-321-OSHA (6742) number or an OSHA regional or area office. Workers are also able to electronically submit a whistle-blower complaint to OSHA by visiting

The online form prompts the worker to include basic whistle-blower complaint information so they can be easily contacted for follow-up. Complaints are automatically routed to the appropriate regional whistle-blower investigators. In addition, the complaint form can also be downloaded and submitted to the agency in hard-copy format by fax, mail or hand-delivery. The paper version is identical to the electronic version and requests the same information necessary to initiate a whistle-blower investigation.

OSHA enforces the whistle-blower provisions of 22 statutes protecting employees who report violations of various securities laws, trucking, airline, nuclear power, pipeline, environmental, rail, public transportation, workplace safety and health, and consumer protection laws. Detailed information on employee whistle-blower rights, including fact sheets and instructions on how to submit the form in hard-copy format, is available online at

Under the Occupational Safety and Health Act of 1970, employers are responsible for providing safe and healthful workplaces for their employees. OSHA's role is to ensure these conditions for America's working men and women by setting and enforcing standards, and providing training, education and assistance. For more information, visit

Thursday, July 2, 2015

Is Your Documentation Ready for a HIPAA Audit?

HIPAA Audits Need Documentation

Keeping risk assessment documentation and other compliance evidence in a centralized repository is a good way to prepare for any HIPAA audit or investigation.

Office for Civil Rights (OCR) officials have said a permanent HIPAA security audit program will include business associates as well as covered entities. Under the HIPAA Omnibus Rule, business associates are directly liable for HIPAA compliance.

Of the 115 covered entities audited in the pilot program, two-thirds had non-existent or inaccurate risk assessments, OCR officials have said.

In addition to random HIPAA audits, OCR often also evaluates the status of organizations' HIPAA compliance as part of the office's data breach investigations.

It is recommended to create a centralized documentation repository that builds a book of evidence based on what other organizations have been asked for in HIPAA security audits and other OCR investigations. You should document all your risk management decisions and make that part of your document repository.

Documentation related to an organization’s risk analysis is important considering that the initial round of HIPAA compliance audits conducted in the pilot program showed that many covered entities do a poor job conducting thorough and timely risk assessments. 

Contact HCSI to discuss documenting your risk assessment in your Compliance Plans Manual, and your audit readiness. 

Wednesday, July 1, 2015

Cell Phone Policy in Health Care

Cell Phones in the Workplace

Q: Does HIPAA have any regulations on the use of cell phones in the workplace?

A: Currently, HIPAA has no regulations regarding the use of cell phones by employees or patients. However, with the advances in technology, it would seem inevitable that HIPAA will eventually hand down regulations to ensure the security and privacy of Protected Health Information.

If your practice allows the use of cell phones, you may wish to use the examples below to establish a “Cell Phone in the Workplace” policy to ensure cell phones do not become a distraction, or pose a risk for unauthorized disclosure of Protected Health Information.

1. Cell phone settings should always be set on silent.
A ringing cell phone is a distraction. Employees with cell phones should ensure that while at work, all phones are set on vibrate or silent settings.

2. Cell phones should only be used while on-break.
Employees should only review messages and return calls while on-break and away from their workstation.

3. Text-Messaging should only be done while on-break.
Employees should only review and send text-messages while on-break and away from their workstation.

4. Refrain from taking photographs with your cell phone.
Taking photographs with your cell phone can present a risk for unauthorized disclosure of Protected Health Information.

5. Cell phones should never be brought to a meeting.
Bringing a cell phone into a meeting is a sign that you are not completely committed to the topics at hand. Even if your phone is set on silent, you may be tempted to check your messages, etc.

6. Never use a cell phone in the bathroom.
This policy is self-explanatory. The sounds overheard in the bathroom could be seen as an invasion of privacy.