Dec 17, 2012

HIPAA & Mobile Devices

As healthcare providers expand their use of Mobile Devices such as smart phones, tablets, and laptops, the risk of unauthorized disclosures also expands. As a result, the Department of Health and Human Services (HHS) has generated additional information and some tools to help providers protect their patients' protected health information.

These tips include: installing and enabling your firewall, installing and enabling encryption, and researching mobile applications before download. These and many more tips, along with helpful application instructions, will be included in the 2013 Online HIPAA training provided by Compliance PhD.

If you have questions about the safety of your mobile devices, or have any other HIPAA related questions, please feel free to contact us.

Start the year off right by signing up for a membership with the #1 Website Practice Managers use to train their staff online. One Membership gives your office access to all of our online training courses. Save yourself time and money and Join Today.

Oct 16, 2012

Discounted Online Compliance Training

Special Offer to the Readers of Compliance Phd's blog:

Get $50.00 off your Practice Membership with Discount Code: TWITTER

Get your OSHA - HIPAA Privacy - HIPAA Security - Fraud, Waste and Abuse - Sexual Harassment and More... all in one easy to use location. (Visit our Course Outlines page for a complete list of trainings.)

We are the #1 Website Practice Managers use to train their staff.

To get started:

1. Visit
2. Click on the "Join Now" tab
3. Select your Membership Level and enter your practice information

It's that easy! Don't forget to use the Discount Code TWITTER to save $50.00

Have questions?
Contact us by phone at: 720-475-0134
or by email at:

Sep 18, 2012

HIPAA Disclosure Question

Recently, we have received many HIPAA questions surrounding appropriate disclosures. The following Q and A should assist those with similar situations.

Q: Can we disclose patient information to a collection agency so we can receive overdue payments?

A: Yes. HIPAA allows a covered entity to disclose patient information to a collection agency, without prior patient authorization, for Payment Purposes. Remember to disclose only the minimum information necessary to accomplish the task.

Q: If an individual calls in and wants to know how a family member is doing, what kind of things can we, or should we disclose?

A: This is a good question that requires an expanded answer. In order to appropriately answer this question, you will need to obtain some additional information.

1) What is the relationship of the caller to the patient?
2) Is the caller living with the patient and responsible for the patient's care?
3) What are the patient's wishes surrounding disclosure of information to family members?

First, if the patient is a minor and the individual calling is a parent, or the patient's designated representative, then you may disclose the patient's information. However, if the patient has requested that you withhold information, then it is left up to the best judgement of the covered entity to decide whether such a disclosure could place the patient at risk.

Second, HIPAA allows covered entities to release information that is directly related to the patient's care, to the individual who is directly responsible for the patient's care.

Example: "The patient will require plenty of rest." Covered entities should ONLY disclose information directly related to the patient's care.

Acceptable: The patient should drink plenty of liquid as they take their medication.
Not Acceptable: The patient has a history of back pain, which may or may not be related to their current condition.

Finally, if the patient has requested that information be withheld from family and friends, then you may not disclose the information. Additionally, if in your best judgement you determine that disclosing information would simply be inappropriate, you may withhold the information.

If you have additional disclosure questions, or other general HIPAA questions, please feel free to contact us at:

Compliance PhD provides its members with up-to-date Online Compliance Training. Our members enjoy that all of the HIPAA, OSHA, and other Compliance related trainings can be found in one place. Join Compliance PhD today!

Sep 12, 2012

Exposure Incident

Q: HELP! We recently had an incident in the office where one of our nurses was stuck with a needle that had previously been used to administer a vaccine to a patient. What do we do now?


A: If an employee is involved in an exposure incident, they should immediately report the incident to the OSHA Compliance Officer, who will document it in detail on the Bloodborne Exposure Incident Report Form and, if appropriate to the situation, the Sharps Injury Report and Sharps Injury Log.

· Patients involved with the employee exposure incident should have the situation explained to them and, if possible, should be asked to authorize drawing and testing their blood. A Consent to Draw and Test Blood form should be completed.

· The exposed employee should assist in completing the Bloodborne Exposure Incident Report and Sharps Injury Report. Management should evaluate the information to determine the cause of the incident and what steps to take to ensure it cannot happen again.

· Employees have the right to decline Medical Evaluation and future follow-up evaluations. If the employee declines medical evaluations, have the employee complete and sign the Informed Refusal of Medical Evaluation form. This form should be maintained in the employee's confidential medical records. Never encourage an employee to refuse medical evaluations. Once the employee has signed the refusal form, however, no other action is necessary.

· If the injury is classified as a Sharps Injury, record the information on the Sharps Injury Log. This injury log contains no identifiable information, but can be used to evaluate patterns and areas of possible risk. OSHA Compliance Officers and other Management can use this information to determine whether to change equipment or office procedures to minimize future risk.


After an exposure incident has occurred:
  1. If consent is given, obtain a blood sample and test for HIV, HBV, and HCV. If the individual refuses to have blood drawn and tested, the original contaminated sample must be maintained for 90 days in case the individual later decides to have testing performed.
  2. The individual involved in the exposure incident must be informed of their rights to medical testing AND evaluation.
  3. The individual involved in the exposure incident must be informed of their right to counseling.
  4. The individual involved in the exposure incident must be instructed to report all illness, or fever for the following 12 week period. They should be instructed to receive medical care for any instance.
  5. If test results return negative for HIV, the test must again be offered at 6 weeks, 12 weeks, and 6 months after the exposure incident occurred.
All of the Forms outlined in Red are available and easy to download for all Compliance PhD members. 

If you have additional OSHA Questions, or need help with OSHA Compliance, contact Compliance PhD today. 

Aug 27, 2012

Sign-in Sheets

Sign-in Sheets are commonplace in most healthcare practices, but they frequently become a HIPAA Violation when unauthorized information is requested.

Q: What information can be listed on an office Sign-in Sheet?

A: Only the Following Information can be listed on a practice Sign-in Sheet:

1. Date
2. Patient Name
3. Appointment Time
4. Current Time
5. Physician Name

Members of Compliance PhD can login to the system to download a Sign-in Sheet Template.

If you have additional questions about HIPAA Compliance or OSHA Compliance for the Healthcare Industry, contact Compliance PhD at

Phone: #720-475-0134

Aug 20, 2012

Eyewash Station

Q: "I have an Internal Medicine Practice. Am I really required to have an Eyewash Station?"

A: This is a common question we receive. The answer is: "YES," however, additional explanation is required.

OSHA requires all healthcare practices to provide their employees with an eyewash station. The eyewash station must be capable of flushing both eyes simultaneously with tepid water for 15 minutes. Eyewash stations must be clearly marked, and employees must be instructed on its use.

However, if a built-in, or custom eyewash station is not available or practical for the office, a lab or office sink with constant running water may be an appropriate alternative.

To download an Eyewash Station Sign to post over your Eyewash Station, click HERE.

If you have additional questions about OSHA Compliance for your Healthcare Practice, contact Compliance PhD at 720-475-0134 or email us at

Jul 26, 2012

10 HIPAA Questions Every Staff Member Should be Able to Answer

Thank you to all of our readers! Even though HIPAA has been around since 1996, we still see costly mistakes being made involving the most basic HIPAA policies. The maximum HIPAA fines are now 1.5 million, which does not include any civil lawsuits.  Your staff should be able to easily answer the following HIPAA Questions.

10 HIPAA Questions

1. Q: Is it a HIPAA Violation to call out a patient’s FULL name into the waiting room?
    A: While it is recommended to only call out a patient’s first name, it is NOT a violation to call out a patient’s FULL name into the waiting room.

2. Q: Do ALL emails and faxes sent from our practice need to contain a Privacy Warning?
    A: YES! All emails and faxes must contain a Privacy Warning. Example:

Privileged and Confidential: This document and the information contained herein are confidential and protected from disclosure pursuant to Federal Law. This message is intended only for the use of the Addressee(s). If you are not the intended recipient, you are hereby notified that the use, dissemination, or copying of this information is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify the sender immediately.

3. Q: Does HIPAA allow our practice to disclose a deceased person’s information to a funeral home?
    A: HIPAA protects an individual’s protected health information (PHI) whether they are alive or deceased. If the funeral home requests PHI needed to perform services, then it is permissible to disclose. However, if the funeral home is requesting information such as a SSN or other personal information, it is appropriate to have the funeral home contact the deceased individual’s designated representative. This individual can then provide the necessary information.

4. Q: Can I leave the following message on a patient’s answering machine? Our records indicate that you have a $200 account balance that is 60 days past due. Failure to provide payment by the end of the month will result in your account going to collections.
    A: NO! No financial information may be left on a patient’s answering machine. You may only leave a message with the following information: Practice Name, Practice Phone Number, and a request for a return call.

5. Q: Does HIPAA allow us to charge a patient when making a copy of requested Medical Records?
    A: YES. HIPAA allows for a “reasonable” fee to cover your costs associated with the copying of a patient’s medical record. You may not charge a fee to retrieve the record.  

6. Q: What are HIPAA’s regulations when using an interpreter?
    A: When the use of an interpreter is required, first clarify with the patient that they approve of any PHI disclosure made through the interpreting services. Interpreters may be used in person, or over the phone.

7. Q: Can a patient change their Medical Record?
    A: Patients have the right to request an amendment to their medical record, but they DO NOT have the right to change their medical record. Patients may submit a written request for an amendment. The practice should carefully consider the amendment, but does not have to accept it.

8. Q: Can we display patient photographs in our waiting room?
    A: HIPAA allows for a practice to take a photograph to maintain in the patient’s file. All photographs of a patient must first have written authorization from the patient prior to public display.

9. Q: If a couple is divorced, and a child has been living with their mother, is the father allowed to view the child’s medical record?
    A: Unless otherwise ordered by a court, the father has the right to view their child’s medical record.

10. Q: Can I disclose a patient’s Health Information to law enforcement?
    A: HIPAA allows covered entities to disclose PHI without the prior authorization of a patient in order to comply with a court order, a warrant, a subpoena, a grand jury subpoena, or a summons by a judicial officer. PHI may also be disclosed to law enforcement to maintain public safety, to identify a missing person, or in cases of abuse or neglect.

We have created a quiz, which we recommend giving at your next staff meeting to help evaluate the level of understanding of your staff.  This quiz is NOT designed to replace your mandatory annual HIPAA training and should be used for evaluation purposes only.

Comprehensive HIPAA training should be conducted at least every 12 months.

To download a copy of this quiz, click HERE.

If it’s been a while since you’ve conducted HIPAA or any other compliance related training (OSHA, FWA, etc.), or if you need help getting started, please contact us.

Phone: 720-475-0134
Twitter: @CompliancePhD

Jul 12, 2012

Working Environment free of Sexual Harassment

It is estimated that the average cost for a practice to defend against a Sexual Harassment claim is $100,000. Because of the high costs, many choose to settle out of court at an average cost of $40,000.

The best way to save your practice money and to protect all of your staff is to create a working environment free of Sexual Harassment. It is estimated that only 67% of businesses have a Sexual Harassment Policy.

Members of Compliance PhD now have access to not only a "Sexual Harassment for Employees" training, but also recently added, a "Sexual Harassment for Managers" training. Together these trainings will ensure your entire staff is aware of the policies and procedures needed for a Sexual Harassment free working environment.

As part of the Compliance PhD management training, we recommend all Managers login to the system and download a sign we have created to post around the practice. This sign reinforces the practice's policy on Sexual Harassment.

Compliance PhD is pleased to offer this sign, FREE of charge to the readers of our blog.

To download the sign, click HERE.

If you have additional questions about Sexual Harassment Training for your office, or to see how Compliance PhD can help; visit or call us at 720-475-0134.

Jun 22, 2012

June is Posttraumatic Stress Disorder Awareness Month

The U.S. Department of Health and Human Services (HHS) has announced June as Posttraumatic Stress Disorder Awareness Month.

According to HHS, Posttraumatic Stress Disorder (PTSD) is believed to affect 1 in every 29 Americans. Those at highest risk for PTSD include our country’s service men and women, abused children, and survivors of rape, domestic violence, and natural disasters. HHS hopes to bring attention to the disorder as well as “recognize the millions of Americans who experience this challenging and debilitating condition.”

PTSD is an anxiety disorder often caused after an individual sees or experiences a threatening or harmful event. HHS has stated, “PTSD may result in sleep problems, irritability, anger, recurrent dreams about the trauma, intense reactions to reminders of the trauma, disturbances in relationships, and isolation. Some people may recover a few months after the event, but for others it may take years. For some, PTSD may begin long after the events occur.”

HHS hopes that June’s PTSD focus will raise awareness and inform individuals that PTSD can be treated. Effective treatments are available, such as exposure therapy, cognitive behavioral therapy, and approved medications. As a reminder, there is help out there for individuals suffering from PTSD. Those working in the Healthcare Industry should be mindful of the signs of PTSD and direct those who are suffering to services where they can receive the proper care.

The Department of Health and Human Services (HHS) is partnering with the Departments of Veterans Affairs (VA) and Defense (DOD) to develop new research in hopes of revealing the underlying causes of PTSD and related conditions. It is believed that with better tools, those at highest risk of developing the disorder will have access to new and better treatments and preventive interventions.

The following sites can provide additional information, as well as services available to those with PTSD: (Mental Health Service Locator) (Bullying and Traumatic Experiences)

Jun 8, 2012

Time Off/Vacation Request Form

Have you ever had a disagreement with a staff member about Vacation Days or Sick Leave? You are not alone. The key to ending disagreements about Paid Time Off (PTO) is to ensure your office has a clear PTO policy. This policy should be clearly written so all employees can understand it.

While most offices have a PTO policy, they often struggle to "keep track" of employees' vacation days, or shifts missed due to illness. This lack of documentation can lead to arguments, and additional PTO days for employees already at their limit. Compliance PhD is pleased to offer a new tool that will help to track employees' Paid Time Off.

This new form will allow for employees to request time off, as well as allow for management to better track days or shifts missed, the reason behind it, and number of PTO days remaining.

Compliance PhD members can log in to the Forms Section of the site and download the Time Off/Vacation Request Form under the new PRACTICE MANAGEMENT category. This new PRACTICE MANAGEMENT category is filled with additional tools to free up time for Office Managers.

Compliance PhD is pleased to offer this new Time Off/Vacation Request Form for FREE. To download this new tool, click HERE. If you have questions about PRACTICE MANAGEMENT tools, or would like to learn more about Compliance PhD and the services they provide to their members, visit or call us at 720-475-0143.

May 25, 2012

Drug Rep Policy Sign

In our continued effort to provide members of Compliance PhD with updated training and policy materials, we have created a Drug Representative Policy Sign. This new sign will serve as a reminder to all Drug Reps that they must first check in at the front desk prior to entering exam and lab rooms.

Compliance PhD members can access this new Sign under the Forms and Posters Section of the website.  We are also pleased to offer this form FREE of charge to all followers of Compliance PhD.

To download this free form, click HERE. If you have additional questions about Healthcare Compliance, or what resources are available to Compliance PhD members, visit or call us at 720-475-0134.

May 17, 2012

Privacy Reminder Sign

Compliance PhD is pleased to offer a "Privacy Reminder Sign" to be posted on all exam and patient room doors. This sign will serve as a reminder to all Health care Staff to check with the patient prior to discussing any health care related information in front of the patient's guests or visitors.

To download a FREE copy of this sign, click HERE.

For additional tips on Patient Privacy, or for full HIPAA training courses, visit, or call us at 720-475-0143,

Apr 26, 2012

HIPAA for Business Associates

New Training Now Available = HIPAA for Business Associates

HIPAA requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. In short, a business associate must comply with the HIPAA standards.

A covered entity must obtain, in writing, a business associate agreement between itself and the business associate.

So what is a Business Associate?

Health and Human Services (HHS) defines a business associate as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

Examples of common Business Associates: 3rd Party Billing, IT Services, Waste Removal, Transcriptionist, Storage Facility, Accountant, Lawyer, etc.

Remember, a workforce member of a covered entity is not a business associate.

What does this mean for Covered Entities?

To ensure the safety of your patients' protected health information, you must verify that your business associate is complying with the HIPAA standards by training their staff in HIPAA Policies and Procedures. You must obtain this assurance by completing a Business Associate Agreement with all of your Business Associates.

Members of Compliance PhD have access to a Business Associate Agreement template; located in the Forms section of the site.

NEW TRAINING NOW AVAILABLE! Compliance PhD has announced a new Training available to its members. HIPAA for Business Associates is now included with all Compliance PhD Memberships.

What does this mean for Business Associates?

Business Associates who fail to comply with the HIPAA standards may face the same fines and penalties levied against non-compliant covered entities. Business Associates must now share the responsibilities to safeguard protected health information.

If you are a Business Associate and are unsure how to train your staff in HIPAA standards, visit to learn how.

Apr 2, 2012

Practice Information Sheet

Practice Managers are often burdened with questions where the answer could be found with minimal effort by the employee. Yet, simply asking the Manager seems to be "easier." In an effort to assist Practice Managers, Compliance PhD has created a helpful document to alleviate the burden of commonly asked questions.

A Practice Information Sheet contains all of the contact information for services the practice most commonly uses.

"What is the phone number for our Sharps Removal Company?"
"Who do I call for IT Support?"
"I think we need a plumber. Who should I call?"
"We need new gloves. How do I order more?"

A Practice Information Sheet posted in all Workstations can empower the employee with the information necessary to answer these questions on their own.

Compliance PhD members can download this Information Sheet in the "Forms" section of the site; however, Compliance PhD is pleased to offer this Sheet to all visitors to our Blog.

To download this Information Sheet, simply click HERE. If you have additional questions about Compliance, or want to know how to alleviate the burdens on Practice Managers, visit:

Mar 23, 2012

New Office Handout

Most Healthcare Professionals do very little advertising because they are able to increase their client base through referrals. The Compliance PhD training library includes a course on how to Generate Referrals. The course covers tips such as "Exceed Expectations, Ask for Referrals, and Create a Handout."

To better assist Compliance PhD members with the "Create a Handout" step, we have created a Handout Template where members can easily fill in critical practice information such as: Hours of Operation, Services Provided, Insurance and Payment Options Accepted, and Location.

Members of Compliance PhD can login to the site, and download the form: "Generating Referrals." 

If you have questions about generating referrals for your practice, contact Compliance PhD today or call 720-475-0134.

Mar 16, 2012

Terminating a Patient?

A recent conversation I had with a healthcare provider went something like this:

Physician: I know I can terminate a patient who is giving me problems, but I also know that I have to be careful how I go about it. Can you help?

Me: Physicians do have the right to terminate a patient; however, these situations should be reserved for the most extreme circumstances, and must be done carefully. Failure to correctly terminate a patient may result in lawsuits and patients feeling abandoned.

Physician: This particular patient continues to make abusive comments to my staff. I have spoken with him about it, but there does not appear to be any change from him. Many members of my staff are uncomfortable in his presence. 

Me: The Compliance PhD training: Firing a Patient should provide you and your staff with the appropriate steps to resolve this situation. The training covers 10 basic steps to ensure your office is protected should this patient disagree with your assessment.

The training covers basic topics such as: Striving to Establish a Relationship, Identifying Inappropriate Behavior, Preparing to Notify the Patient, Notifying the Patient using Certified Mail, Provide Feedback, and Documenting each step along the way.

Physicians do have the right to terminate the physician/patient relationship when a patient is being abusive. In many situations, however, it is important to remember that people are not always on their best behavior when they are sick.

For additional information, visit to view the course outline of the Compliance PhD training course: How to Fire a Patient.

Have a question? Email us at or call us at 720-475-0134.

Mar 9, 2012

Self-Audit Questionnaire

We receive a lot of questions surrounding the topic of preparedness. "Have I done enough?" "If an auditor came and inspected our practice, would we be safe?" While becoming and maintaining a compliant practice really requires a complex answer to some simple questions, you can perform a basic self-audit by asking yourself the following 10 questions.

  1. Does my practice have a current training plan?
  2. Has my staff been trained in this plan?
  3. Have I verified my staff's understanding?
  4. Do I have documentation to demonstrate my staff's understanding?
  5. Have I completed my annual HIPAA Risk Analysis?
  6. Have I completed my annual OSHA Hazard Risk Assessment?
  7. Do I have documentation to support my ongoing understanding of regulations?
  8. Do I properly respond and document all security incidents?
  9. Do I properly respond and document all safety incidents?
  10. Are my Business Associate Agreements up-to-date with HITECH regulations?
While there are many more questions that need answering to fully ensure your practice is compliant, the previous 10 questions will allow you to generally gauge where your practice stands.

If you answered "NO" to any of the questions above, your practice may be at risk. If you need assistance in ensuring your practice is safe, visit We can help.

Mar 2, 2012

3 Scenarios where OSHA is sure to visit

OSHA Compliance Training is required at least annually. Most providers are aware that an injury or a complaint may result in an audit or fine. What providers may not be aware of is that there are 3 scenarios where you are guaranteed to receive a visit AND a fine from OSHA.

They are:

1. If someone is killed
2. If someone loses a limb
3. If someone sustains an injury that requires them to be in the hospital for 24 hours or more

It is essential to ensure your staff have been properly trained and are aware of the policies and procedures in your practice. However, it does not help if your staff know the policies but choose not to follow them. Should OSHA visit your practice for any reason, they will certainly want to examine your training material and evidence that training has taken place. Not sure if your office training is current, or comprehensive enough to keep your staff safe?

Visit to learn how we can help.  

Feb 24, 2012

Who pays for an Interpreter?

Recently we have received several questions surrounding the need for Interpreting Services when the patient does not speak English. Who is responsible to provide the Interpreter? Is the practice responsible to pay for the Interpreter? What if a family member is willing to translate?

Should a patient require an interpreter, the practice is required to provide and pay for interpreting services. Patients who are Deaf or Hard of Hearing are covered under the Americans with Disabilities Act and interpreting services must be provided.

If a patient agrees to communicate through family members, writing, or other means, then an interpreter may not be necessary. It is essential to verify that the patient agrees to use their representative for interpreting services. Should the patient representative not wish to provide interpreting services, the practice is responsible to acquire and pay for interpreting services.

It is recommended to have a list of Companies in your area that can accommodate your practice's interpreting needs.

Feb 17, 2012

Frequently Asked Questions

Q: Our office manager keeps using the acronym NPP. What does NPP stand for?
A: NPP stands for Notice of Privacy Practices. This document outlines how the practice will safeguard the patient's Protected Health Information.

Other common HIPAA acronyms:
TPO- Treatment, Payment, & Healthcare Operations
PHI- Protected Health Information
HHS- Health and Human Services
ePHI- Electronic Protected Health Information
CE- Covered Entity
BA- Business Associate

Q: What would be considered an Incidental Disclosure?
A: Incidental or non-intentional disclosures that occur as a by-product of allowable disclosures are allowed as long as safeguards are applied, and the minimum necessary standard is followed. For example, PHI that is overheard from a nursing station or lab by patients walking past is considered incidental, and does not need to be accounted for.

Q: Can we use a debt collection agency to recoup unpaid services?
A: Yes. Debt collection is recognized under the HIPAA Privacy Rule as an activity within the TPO definition of "payment."

Q: Can we release a child's immunization record to a school for student registration purposes?
A: No. Immunization records contain Protected Health Information. Authorization must be given prior to releasing records to a school.  

To see a list of other frequently asked questions, click HERE or visit

Have a Question? Email your question to

Feb 10, 2012

Patient Survey

Many providers often get so caught up in the busy day-to-day activities that they fail to see areas where they could improve the care they are providing to their patients.

Conducting surveys with the help of your patients can provide detailed descriptions of areas you may be doing well, and also areas that could use some improvement.

Questions may include: Ease of Scheduling an Appointment, Friendliness of Staff, Overall Neatness of the Practice, Waiting Room, etc.

Click HERE to download a Sample Patient Survey. Email for this patient survey in a Word format where you can add your Practice Information or tailor some of the questions to fit your needs. As always, should you have any questions you can contact Compliance PhD staff by phone or by email.

Phone: 720-475-0134