COVID-19

Dental Whistleblower Rights
Fines, OSHA

Brushing Up on Whistleblower Rights – No Fillings Required!

August 11, 2023 Comments Off on Brushing Up on Whistleblower Rights – No Fillings Required!

August 11, 2023 Navigating the world of workplace safety can sometimes feel like scheduling a dental appointment – necessary but often anxiety-inducing. But just as we prefer our dental check-ups to be cavity-free, our workplace environments should be risk-free. A recent court judgment highlighted that when it comes to voicing concerns, it’s not just about flossing daily but standing up for safety! In Peoria, Dr. Monzer K. Al-Dadah probably thought he was pulling a fast one (and we’re not talking about teeth) when he terminated a dental assistant for raising concerns about coronavirus infection risks. This wasn’t just any dental assistant, mind you, but one with more than two decades of service – perhaps old enough to remember the pre-electric toothbrush days! When Dr. Al-Dadah learned of an anonymous safety complaint to OSHA in March 2020, he tried to ‘drill’ down to identify the whistleblower. Unsuccessful in his detective efforts, he chose to let go of the dental assistant. The assistant filed a complaint with OSHA, showing the resilience of a tooth that refuses to get extracted. Fast forward a bit, and OSHA, acting like the dental hygienist who discovers you’ve been skipping your nightly brush, wasn’t too pleased. They determined a clear breach of whistleblower protections. This led to Dr. Al-Dadah being ordered to cough up $20,000 in back wages – that’s a lot of dental floss! Denise Keller, the OSHA Assistant Regional Administrator in Chicago, summed it up with a reminder that workers should feel as confident voicing concerns about safety as they do showing off those pearly whites after a cleaning, “Employees must be able to exercise their legal rights regarding workplace safety freely and without fear of retaliation.” All in all, just as we’re advised not to be lax with our oral hygiene, it’s clear we shouldn’t be lax about workplace safety either. For those curious about whistleblower protections, OSHA’s Whistleblower Protection Programs webpage is as enlightening as that little mirror your dentist uses. Here at Abyde, while we can’t help with plaque, we’re all in for promoting workplace safety and transparency with a dose of humor! Remember, when it comes to safety, always brush and floss (or voice concerns) daily! 

OCR’s COVID-19 Telehealth Enforcement Discretion Transition Period Ends
Best Practices, HIPAA, Legislation

OCR’s COVID-19 Telehealth Enforcement Discretion Transition Period Ends

August 10, 2023 Comments Off on OCR’s COVID-19 Telehealth Enforcement Discretion Transition Period Ends

August 10, 2023 OCR is Turning Up the Heat as their Telehealth Enforcement Discretion is Sizzling Out! Ah, the sweet heat of summer! That particular time when our ice creams seem to have a faster meltdown than our resolutions of getting that “beach body” (for the third year in a row). Speaking of melting, there’s a hot update simmering in the healthcare compliance oven: the OCR’s telehealth enforcement discretion transition period is officially sunsetting. But before you start sweating more than after a midday August jog, let’s fan ourselves with the facts. What’s Cooking? During the pandemic’s peak, the OCR graciously set our minds (and compliance teams) at ease with a relaxed telehealth enforcement period. Because of the implications of the Public Health Emergency, the government loosened the restrictions on telehealth applications to ensure that patients were still receiving the necessary care needed in a practical manner. Unfortunately, like most summer love stories, the enforcement discretion had to come to an end.  How Can You Protect From Getting Burned? The sun might be blazing outside, but you don’t have to get scorched. Here’s a simple telehealth-protection formula:

OCR HIPAA Telehealth COVID-19 Transition
HIPAA, Legislation

OCR Announces Transition Period for Compliance with HIPAA Rules for Telehealth

April 12, 2023 Comments Off on OCR Announces Transition Period for Compliance with HIPAA Rules for Telehealth

April 12, 2023 As of May 12, 2023, a 90-calendar day transition period will be in effect to provide covered healthcare providers with time to come into compliance with the HIPAA Rules in relation to their provision of telehealth. The transition period will expire on August 9, 2023, at 11:59 p.m. During this period, the OCR will continue to exercise its enforcement discretion. It will not impose penalties on covered healthcare providers for noncompliance with the HIPAA Rules that occur in connection with the good faith provision of telehealth. The Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency is available at: https://public-inspection.federalregister.gov/2023-07824.pdf – PDF. This notice marks the end of the enforcement discretion period that was put in place by the OCR to support the healthcare sector and the public in responding to the COVID-19 public health emergency. OCR Director Melanie Fontes Rainer has emphasized that the OCR is committed to supporting the use of telehealth by ensuring that healthcare providers can make the necessary changes to their operations privately and securely in compliance with HIPAA Rules. In addition to announcing the transition period, it’s worth noting that the OCR had previously issued four Notifications of Enforcement Discretion in the Federal Register regarding how the HIPAA Rules would be applied to certain violations during the COVID-19 nationwide public health emergency. These notifications and their effective beginning and end dates are: It’s important to note that these notifications will also expire at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency. The OCR will no longer exercise enforcement discretion for violations that occur after this date, which is why the transition period has been put in place to allow covered healthcare providers to make any necessary changes to their operations to ensure they comply with HIPAA Rules when providing telehealth services. Questions regarding HIPAA and OSHA Compliance, please email Abyde at info@abyde.com or call (800) 594-0883  

HIPAA Telehealth and Public Health Emergency Expiration
HIPAA, Legislation

HHS’s Recent HIPAA Guidance on Telehealth and Public Health Emergency Expiration

July 11, 2022 Comments Off on HHS’s Recent HIPAA Guidance on Telehealth and Public Health Emergency Expiration

July 11, 2022 Think you finally got the hang of telehealth? Don’t get too comfy just yet! The OCR recently released guidelines on how covered health care providers and health plans should utilize their remote communication technology to deliver audio-only telehealth services while also complying with HIPAA requirements. Why is Telehealth important? Let’s start at the beginning. Telehealth contributes to increasing a practice’s value and security by expanding access to health care across the nation and providing certain users who have difficulty using audio and video telehealth technologies. When systems are not properly secured, they pose risks to patient safety, health, and data. Cyberattacks and ransomware are extremely common in Telehealth and may quickly create issues that disclose medical information and other sensitive information. As a practice, it is critical and worthwhile to maintain excellent Telehealth especially now a days with the increased funding and resources the OCR has available. OCR Director, Lisa J. Pino, states, “Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information.” With the OCR’s Telehealth Notification system possibly being taken down as early as July 15th, 2022, we recommend that practices stay alert and take every precaution by using your friendly, easy to use HIPAA-compliant software (hint Abyde) to assure full compliance today. The first step in remaining alert is to follow the guidance issued by the OCR in response to the recent news that the Telehealth Notification system may be shut down. The guidance below specifies the conditions under which telehealth may be utilized.  The HHS is authorizing HIPAA-covered businesses to conduct telehealth and audio-only services using remote communication technology. However, these services must be provided in a private environment to the best of the entity’s abilities, and the individual’s identification must be verified. Even though HIPAA does not apply to audio-only telehealth services delivered through electronic communication methods, when offering telehealth services through mobile devices or applications, practices may face HIPAA compliance issues. Therefore, practices should identify all potential risks and vulnerabilities to PHI confidentiality as part of the risk analysis process prior to the completion of the PHE. Abyde will do anything possible to make sure you’re on top of your compliance game because the OCR may show up at any time! Allow us to guide you through these future changes – from our incredibly simple software to our readily available education, we will be your buddy in ensuring that you are prepared for any obstacles that show up at your door.

Vaccination Status & HIPAA
Best Practices, HIPAA

Vaccination Status & HIPAA

May 28, 2021 Comments Off on Vaccination Status & HIPAA

May 28, 2021 News reports centered around patient privacy and COVID-19 seem to break on the daily – bringing newfound fame to HIPAA law and even more speculation on what is – and isn’t – covered within its requirements. Most recently, the conversation of vaccinations has been a trending headline with the question of ‘HIPAA violation’ commonly featured. So while there’s still plenty of uncertainty where COVID-19 is concerned, hopefully, we can at least shed some light on where HIPAA truly comes into play. When it comes to the commonly asked question of whether HIPAA protects against employers and other businesses requesting vaccination records, the short answer is no. HIPAA law only applies to covered entities which therefore means that private businesses and citizens are not obligated under the stringent data protection laws and CAN ask about vaccination status. However, patients do have the right to not disclose their own health information and can choose to decline to answer, but based on state-specific laws and company requirements there may be repercussions as a result. In a quote from Kayte Spector-Bagday, a lawyer and bioethicist at the University of Michigan, she highlights the popular misconception in saying, “People often feel like HIPAA protects them from being asked about their medical information, or prohibits other people from asking about their medical information. Neither is true. HIPAA prohibits health professionals, such as your doctor, from sharing your identified health information without your permission in most circumstances. People can always ask about your health information, and you can almost always decline to answer.”  So where does HIPAA come in?  As we just mentioned, healthcare organizations and their business associates are liable under the federal law meaning that your practice can NOT disclose vaccination information (or any protected health information for that matter) unless direct patient authorization is granted. So, say a patient’s employer calls your office to ask about their employee’s vaccination status. Well, because of the standards outlined in the HIPAA Privacy Rule, you cannot disclose any sensitive health information without patient consent, and doing so would result in a HIPAA violation. While vaccination status and test results are the trending topics at the moment, it’s important to note that these stipulations go for any and all types of patients’ health information, not just what’s related to COVID-19. And while the current state of the public health emergency still leaves a lot of unanswered questions – when it comes to your practice’s ability to disclose protected health information (PHI), HIPAA law still applies.

COVID-19 Public Health Emergency Extended
HIPAA, Legislation

Public Health Emergency Extended Again: What it Means For Your Practice

January 22, 2021 Comments Off on Public Health Emergency Extended Again: What it Means For Your Practice

January 22, 2021 I don’t think anyone will be surprised to hear the latest Department of Health and Human Services (HHS) announcement that waivers related to the Public Health Emergency (PHE) – affecting telehealth, COVID-19 information sharing, and more – are (you guessed it) extended! Originally expiring January 21, 2021, waivers were instead extended again until April 20, 2021. While we all hope COVID-19 is behind us sooner rather than later, we won’t be surprised if waivers are extended again in April (after all, we’ve rung the false alarm 4 times now in saying that the PHE is expiring). Even if the light at the end of the COVID-19 tunnel takes a little bit longer, waivers will still expire, and the sooner your practice is prepared for that day – the better. When it does happen, the PHE expiring won’t mean that life will snap back to the way it was pre-pandemic (as much as we all wish that it could). What it does mean is that normal HIPAA regulations will regain effect – and that your practice needs to have the necessary compliance requirements ready to go if they aren’t already. So let’s recap what changed over the course of 2020 and what’s expected of your practice to remain in compliance when normal HIPAA enforcement kicks back into gear: PHI Disclosures Business Associates  Telehealth  2020 was a historic year for more reasons than just the National Public Health Emergency, and HIPAA enforcement saw record-breaking highs over the past 12 months. We can only expect these efforts to continue in 2021 especially once HIPAA waivers officially expire. If HIPAA is on your list to tackle in 2021 – and it should be, with recent legislation reducing fines for breaches if compliant – determining where you stand now and addressing any areas you’ve relaxed compliance in is a great first step!

Dental OSHA Whistleblower Violation Fine
Fines, OSHA

North Texas Dental Practice, Fined $15K for OSHA Whistleblower Violations

January 7, 2021 Comments Off on North Texas Dental Practice, Fined $15K for OSHA Whistleblower Violations

March 3, 2023 Blow the whistle… No, not like the 2006 Too Short song but OSHA’s Whistleblower Protection Program. Whistleblower protection laws are in place to prevent retaliation against employees who report safety violations, discrimination, or other illegal activities in the workplace. Under the Occupational Safety and Health Administration (OSHA) Whistleblower Protection Program, employees who report such violations are protected from retaliation by their employers. This protection includes not only termination but also other forms of retaliation such as demotion, reduction in pay, or denial of overtime or promotions. Why would a practice retaliate for a complaint received instead of mitigating the risk and working toward a culture of compliance?  That is a $15,706 question and unfortunately, Roger and David Bohannan of Roger H. Bohannan DDS Inc. have to answer. While on furlough in early 2020, a dental hygienist and dental assistant at the practice asked what coronavirus safety measures would be in place once patients and employees returned. When the practice did reopen, those two employees were not reinstated simply because they expressed their concerns and cited guidance from the Centers for Disease Control (CDC) and OSHA. Further investigation found that Bohannan Dentristry discriminated against employees for exercising their rights under section 11(c) of the OSH Act which prohibits retaliation by employers against workers who “blow the whistle” by exposing health and safety hazards. In a statement made by an OSHA Regional Administrator in Dallas, Eric S. Harbin, “Like all workers, these two people had every right to speak up without the fear of losing their jobs. We want workers to know that OSHA is here to protect their rights, and we won’t hesitate to exercise our authority when they are violated.” OSHA administers more than 20 whistleblower statutes, with varying time limits for filing. The time frame for filing a complaint begins when the adverse action occurs and is communicated to the employee. There are varying reporting deadlines from 30-180 days specific to each statute.  It is important for employees to know that they have rights under the law to report safety violations and other illegal activities without fear of retaliation. Employers have a responsibility to provide a safe and healthy workplace, and OSHA’s Whistleblower Protection Program helps to ensure that employees can speak up when they see something that is not right.

COVID-19 Public Health Emergency Extension
Best Practices, HIPAA

HHS Extends National Public Health Emergency & Limited HIPAA Waivers

July 30, 2020 Comments Off on HHS Extends National Public Health Emergency & Limited HIPAA Waivers

July 30, 2020 COVID-19 has made 2020 feel like both the shortest and longest year ever, and if rising cases are any indication it’s not likely to let up anytime soon. You may have already expected our ‘new normal’ of mask-wearing, keeping a 6-foot distance, and HIPAA waivers to be here for the long haul, and the recent Department of Health and Human Services (HHS) extension of the National Public Health Emergency solidifies that notion. Just last week the HHS announced the renewal of the National Public Health Emergency and an extension of limited HIPAA waivers until October 23, 2020. This declaration means more than continued social distancing rules, and also extends the many other waivers and flexibilities issued by the HHS in the initial response to the pandemic. These waivers work to mitigate the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to protect their practice and continue serving their patients. To give a recap on everything that’s been changed or updated in lieu of COVID-19: In addition to the specific waivers granted in response to the pandemic, practices should be aware of additional guidance covering the expansion of cyber security attacks in response to increased remote operations, reminders on restrictions of sharing patient information to the media, and proactively safeguarding against the recent rise in patient complaints due to COVID-19.  As part of the recent extension of HIPAA waivers, the HHS has specified a 90-day period until waivers are expected to be lifted. Practice’s now have a clear timeframe of when they need to implement HIPAA compliant solutions for tools like telehealth which may currently be done using a non-compliant software. To prevent a HIPAA violation as these waivers end in October, it’s important that your practice proactively prepares by: While these HIPAA regulation flexibilities have been extended, they aren’t going to last forever. Keeping your practice one step ahead will make all the difference in your ability to avoid any HIPAA violations or fines as standard regulations take effect again. If HIPAA hasn’t been your number one priority over the past few months, you should start now and use this 90-day extension to ensure you have a complete compliance program in place, especially as 2020 continues to fly by.

Returning to Office Remote Healthcare Workers
HIPAA

We Know You Want to Get Back to the Office – Here’s How

May 14, 2020 Comments Off on We Know You Want to Get Back to the Office – Here’s How

May 14, 2020 Is working in your living room with your pets/kids/significant other driving you crazy yet? Us too – but here’s why a measured approach is important to returning back to the office 2020 has been anything but predictable and it’s hard to speculate exactly how life after COVID-19 is going to be – or how soon we’ll get to the point we can call ‘after’. Some healthcare practices along with other businesses have started reopening their doors but with how much has changed over the course of the past few months, it’s easy to find yourself wondering which way is up when it comes to easing back into life outside of the bubble we’ve been living in.  As many organizations transition back from working at the kitchen table in pajamas, the question of “is it safe to bring employees back into the office” is not taken lightly. Practicing social distancing, wearing protective face masks, and self-isolating, if you have any potential symptoms, are all preventative measures that we should anticipate continuing for the foreseeable future. If your practice is considering bringing employees back into an office environment to continue offering medical services, here’s are a few things to consider: 1. Limit Employee Risk in Returning to Work Healthcare personnel, whether they have been on the front lines during the pandemic or not, have been and will continue to be at risk for contracting or spreading the virus. The CDC issued several strategies on how healthcare providers can determine whether their staff members can safely return to work or not based on monitoring for symptoms over the recommended course of time along with COVID-19 tests.  Some businesses have discussed screening employees for the virus prior to returning to work to ultimately ensure a safer work environment, yet this concept must still take into consideration HIPAA privacy laws regarding testing results being released to businesses. In fact, the HIPAA Privacy Rule does allow for healthcare providers to disclose patient information to employers only if the patient gives written consent authorizing the release or if the testing falls under HIPAA’s workplace medical surveillance exception. If the employer pays for the testing they are eligible to receive information regarding when the testing occurred but, importantly, not the results of the test. Whether you decide to engage in testing or not, make sure that any PHI generated as a result of testing still follows HIPAA guidelines for privacy and security. 2. Prepare for Limited Waivers to Expire HIPAA has been a headlining topic throughout the pandemic as the CDC has been constantly updating regulations and enforcement discretions to best mitigate health risks to the public. Good faith provisions for disclosing PHI as well as limited waivers for telehealth usage were among the top changes to HIPAA, but as highly emphasized in each waiver, these discretions only remain in place for the duration of the public health emergency. It’s important for healthcare providers to continue to keep HIPAA compliance a priority especially as waivers begin to lift and to be fully prepared to return to normal enforcement. If your practice has been using telehealth to continue seeing patients, for example, and you might continue to use telehealth even after a return to ‘normal’ operations, it’s essential that you utilize a vendor who offers HIPAA compliant video communication services to do so, and that you get a proper Business Associate Agreement signed with your vendor.  3. Ensure Remote Data Collection is HIPAA-Compliant You are probably already aware that PHI cannot be sent simply in an email. As many practices have sought new ways to manage remote operations and limit physical interaction, the same encryption and security standards must be applied as your practice would use to send PHI even before COVID-19.  If your practice is considering collecting more patient information or insurance information electronically instead of a physical form or insurance card, make sure you are utilizing a secure system like a patient portal or encrypted email server to transfer any sensitive data.  4. Consider Reviewing Passwords and Security Processes Over the course of the pandemic, cyber-attacks have been a looming threat, especially to healthcare practices. While working from home played a large role in enabling hackers to access protected information through less-secure networks, it’s important to not lose sight of these concerns even when you go back to your office. Continuing to look out for common scams and knowing how to identify and respond to a potential threat will always be important to ensuring the security of your practice. Consider changing passwords or login information after returning to the office that may have been compromised during remote work, and update your security software to the best possible protection. Review the devices used for remote work to determine if any further action is needed to ensure proper security if still working in part remotely.    With everything that 2020 has thrown our way – being confident and prepared in your ability to get your practice back up and running in a safe and HIPAA compliant manner will make all of the difference in the transition – and help make the rest of the year a little less stressful than the start.

Patient Privacy During COVID-19
HIPAA

When it Comes to Sensitive Patient Information, Sharing is Not Caring

April 30, 2020 Comments Off on When it Comes to Sensitive Patient Information, Sharing is Not Caring

April 30, 2020 If you’re like most practices, you probably haven’t had the media knocking down your doors asking about sensitive patient information. But with the current public health emergency splashing patient stories across the web, healthcare organizations beware! Media outlets are on the hunt for positive cases of COVID-19 and it’s important to know the rules surrounding sharing protected health information (PHI) with the media if your practice gets caught up in the COVID-19 media wave. In general, COVID-19 or not, HIPAA law prohibits healthcare providers from disclosing a patient’s PHI to the media unless either the patient or their personal representative authorizes the disclosure or the disclosure fits within a specific HIPAA exception. We all know how the public reacts when something makes headlines (recent toilet paper shortages, for example) which is why it is so important to protect your patients’ privacy – especially when it comes to the media.  Some basic rules of thumb to know when facing a situation that might involve the media and patient information are:  In any situation where disclosure of PHI is involved – the media included – the provider must ensure that all the reasonable safeguards are in place to protect against any impermissible or incidental disclosures of patient information. In the event PHI is shared it must be kept to the minimal information necessary to abide by HIPAA law and protect the privacy of patients. In one recent case, an allergy practice found themselves in a HIPAA violation settlement after a patient of the practice contacted a local TV station regarding an incident at the practice, and when contacted to comment the practice impermissibly disclosed the patient’s PHI. This discussion with the media cost the practice a $125,000 settlement on top of a two-year corrective action plan. Some words of advice? If ever faced with a situation involving the media, don’t be blinded by the spotlight. Avoid publicly reporting any patient PHI or disclosing information upon media request. Simply responding with “no comment”, or having staff reply that they are not authorized representatives and cannot speak on the practice’s behalf could save your practice the hassle of dealing with major HIPAA violations and shelling out a big chunk of change.  A public health emergency, such as the current COVID-19 pandemic, brings some additional confusion in regard to sharing information to the public in order to mitigate further health risks. This uncertainty has often led to impermissible media disclosures, such as a Detroit Pistons player’s COVID-19 diagnosis which recently made headlines before he even had a chance to tell his own mother. Certain disclosures may be made to authorized organizations, but when it comes to sharing PHI to the media at large, it’s important to know what’s off-limits to best protect your patients’ privacy.

Concerned about HIPAA & OSHA compliance requirements in 2025? Join our live webinar for expert answers to the most common questions to ensure your practice is protected.

REGISTER TODAY
X